[security bulletin] HPSBST02937 rev.1 - HP StoreVirtual 4000 and StoreVirtual VSA Software dbd_manager, Remote Execution of Arbitrary Code

2014-02-25 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03995204

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03995204
Version: 1

HPSBST02937 rev.1 - HP StoreVirtual 4000 and StoreVirtual VSA Software
dbd_manager, Remote Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-02-24
Last Updated: 2014-02-24

Potential Security Impact: Remote execution of arbitrary code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP StoreVirtual
4000 and StoreVirtual VSA Software (formerly known as HP LeftHand Virtual SAN
Appliance) dbd_manager. The vulnerability could be remotely exploited
resulting in execution of arbitrary code.

References:
CVE-2013-4841 (ZDI-CAN-1509, SSRT100796)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP StoreVirtual 4000 and StoreVirtual VSA Software prior to LeftHand OS
version 11.0.

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference      Base Vector                   Base Score
  CVE-2013-4841  (AV:N/AC:L/Au:N/C:C/I:C/A:C)  10.0
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks HP's Zero Day Initiative for reporting
ZDI-CAN-1509 to security-al...@hp.com.

RESOLUTION

HP has made the following update available to resolve the vulnerability:

HP LeftHand OS version 11.0 for StoreVirtual 4000 and StoreVirtual VSA
Storage products.

Note: HP LeftHand OS version 11.0 is currently in Controlled Release. During
this period, HP customers can contact HP support to receive the 11.0 update
for production systems. This bulletin will be revised when the software
update is released.

HISTORY
Version:1 (rev.1) - 24 February 2014 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided as is
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.



[security bulletin] HPSBMU02971 rev.1 - HP Application Information Optimizer, Remote Execution of Code, Information Disclosure

2014-02-25 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04140965

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04140965
Version: 1

HPSBMU02971 rev.1 - HP Application Information Optimizer, Remote Execution of
Code, Information Disclosure

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-02-24
Last Updated: 2014-02-21

Potential Security Impact: Remote execution of code, information disclosure

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in the Web Console
component of HP Application Information Optimizer (formerly HP Database
Archiving). The vulnerability could be exploited to allow remote execution of
code and information disclosure.

References:
CVE-2013-6203 (ZDI-CAN-1656, SSRT101299)
CVE-2013-6204 (ZDI-CAN-2004, SSRT101349)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Application Information Optimizer v6.2, v6.3, v6.4, v7.0, v7.1

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference      Base Vector                   Base Score
  CVE-2013-6203  (AV:N/AC:L/Au:N/C:P/I:P/A:P)  7.5
  CVE-2013-6204  (AV:N/AC:L/Au:N/C:P/I:P/A:P)  7.5
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Andrea Micalizzi aka rgod for working with
HP's Zero Day Initiative to report CVE-2013-6203 and CVE-2013-6204 to
security-al...@hp.com.

RESOLUTION

HP has made the following software updates available for HP Application
Information Optimizer to resolve the vulnerability.

HP Application Information Optimizer release v7.1 (software patch v7.11)
HP Application Information Optimizer v7.0 (software patch v7.03)
HP Application Information Optimizer (HP Database Archiving) v6.4 (software
HotFix #1)
HP Application Information Optimizer (HP Database Archiving) v6.3 (software
HotFix #90)
HP Application Information Optimizer (HP Database Archiving) v6.2 (software
HotFix #63)

Note: The update or patch software is available at HP Software Support Online:
http://support.openview.hp.com/
Please contact HP Support for the software hotfixes.

HISTORY
Version:1 (rev.1) - 20 February 2014 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided as is
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.



[SECURITY] CVE-2014-0033 Session fixation still possible with disableURLRewriting enabled

2014-02-25 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2014-0033 Session fixation still possible with disableURLRewriting
enabled

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 6.0.33 to 6.0.37

Description:
Previous fixes to path parameter handling [1] introduced a regression
that meant session IDs provided in the URL were considered even when
disableURLRewriting was configured to true. Note that the session is
only used for that single request.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 6.0.39 or later
  (6.0.38 contains the fix but was not released)

Credit:
This issue was identified by the Apache Tomcat security team.

References:
[1] http://svn.apache.org/viewvc?view=revision&revision=r1149220
[2] http://tomcat.apache.org/security-6.html


[SECURITY] CVE-2013-4322 Incomplete fix for CVE-2012-3544 (Denial of Service)

2014-02-25 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2013-4322 Incomplete fix for CVE-2012-3544 (Denial of Service)

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.0-RC5
- Apache Tomcat 7.0.0 to 7.0.47
- Apache Tomcat 6.0.0 to 6.0.37

Description:
The fix for CVE-2012-3544 was not complete. It did not cover the
following cases:
a) Chunk extensions were not limited
b) Whitespace after the : in a trailing header was not limited

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 8.0.0-RC10 or later
  (8.0.0-RC6 to 8.0.0-RC9 contain the fix but were not released)
- Upgrade to Apache Tomcat 7.0.50 or later
  (7.0.48 to 7.0.49 contain the fix but were not released)
- Upgrade to Apache Tomcat 6.0.39 or later
  (6.0.38 contains the fix but was not released)

Credit:
This issue was partly identified by the Apache Tomcat security team and
partly by Saran Neti of TELUS Security Labs.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html


[SECURITY] CVE-2013-4590 Information disclosure via XXE when running untrusted web applications

2014-02-25 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2013-4590 Information disclosure via XXE when running untrusted web
applications

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.0-RC5
- Apache Tomcat 7.0.0 to 7.0.47
- Apache Tomcat 6.0.0 to 6.0.37

Description:
Application provided XML files such as web.xml, context.xml, *.tld,
*.tagx and *.jspx allowed XXE which could be used to expose Tomcat
internals to an attacker. This vulnerability only occurs when Tomcat is
running web applications from untrusted sources such as in a shared
hosting environment.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 8.0.0-RC10 or later
  (8.0.0-RC6 to 8.0.0-RC9 contain the fix but were not released)
- Upgrade to Apache Tomcat 7.0.50 or later
  (7.0.48 to 7.0.49 contain the fix but were not released)
- Upgrade to Apache Tomcat 6.0.39 or later
  (6.0.38 contains the fix but was not released)

Credit:
This issue was identified by the Apache Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html


[SECURITY] CVE-2013-4286 Incomplete fix for CVE-2005-2090 (Information disclosure)

2014-02-25 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2013-4286 Incomplete fix for CVE-2005-2090 (Information disclosure)

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1
- Apache Tomcat 7.0.0 to 7.0.42
- Apache Tomcat 6.0.0 to 6.0.37

Description:
The fix for CVE-2005-2090 was not complete. It did not cover the
following cases:
- content-length header with chunked encoding over any HTTP connector
- multiple content-length headers over any AJP connector

Requests with multiple content-length headers or with a content-length
header when chunked encoding is being used should be rejected as
invalid. When multiple components (firewalls, caches, proxies and
Tomcat) process a sequence of requests where one or more requests
contain either multiple content-length headers or a content-length
header when chunked encoding is being used, and several components do not
reject the request and make different decisions as to which
content-length header to use, an attacker can poison a web-cache, perform
an XSS attack and obtain sensitive information from requests other than
their own. Tomcat now rejects requests with multiple content-length
headers or with a content-length header when chunked encoding is being
used.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 8.0.0-RC3 or later
  (8.0.0-RC2 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.47 or later
  (7.0.43 to 7.0.46 contain the fix but were not released)
- Upgrade to Apache Tomcat 6.0.39 or later
  (6.0.38 contains the fix but was not released)

Credit:
This issue was identified by the Apache Tomcat security team while
investigating an invalid report related to CVE-2005-2090.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
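The two Tomcat advisories above (CVE-2013-4322's unbounded chunk extensions and trailer whitespace, and CVE-2013-4286's ambiguous Content-Length handling) both come down to how strictly a server frames a request body. The following is an added illustration in Python, not Tomcat's code: a request parser that rejects multiple Content-Length headers or Content-Length alongside chunked encoding, and bounds chunk extensions and trailer whitespace; MAX_CHUNK_EXT_LEN and MAX_TRAILER_WS_LEN are constructed limits, not values from either advisory.

```python
MAX_CHUNK_EXT_LEN = 256    # assumed cap on bytes after ';' in a chunk-size line (case a)
MAX_TRAILER_WS_LEN = 64    # assumed cap on whitespace after ':' in a trailer (case b)


class FramingError(ValueError):
    """A request whose body length is ambiguous or whose framing is abusive."""


def decode_chunked(body: bytes):
    """Decode a chunked body into (payload, trailers), enforcing both limits."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise FramingError("truncated chunk-size line")
        size_hex, semi, ext = body[pos:eol].partition(b";")
        if semi and len(ext) > MAX_CHUNK_EXT_LEN:
            raise FramingError("chunk extension too long")
        try:
            size = int(size_hex.strip(), 16)
        except ValueError:
            raise FramingError("bad chunk size") from None
        pos = eol + 2
        if size == 0:
            break
        if body[pos + size:pos + size + 2] != b"\r\n":   # also catches truncation
            raise FramingError("truncated chunk or missing CRLF")
        out += body[pos:pos + size]
        pos += size + 2
    trailers = []
    while True:                                          # ends with an empty line
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise FramingError("truncated trailer section")
        line, pos = body[pos:eol], eol + 2
        if line == b"":
            return bytes(out), trailers
        name, colon, value = line.partition(b":")
        if not colon:
            raise FramingError("malformed trailer")
        if len(value) - len(value.lstrip(b" \t")) > MAX_TRAILER_WS_LEN:
            raise FramingError("excessive trailer whitespace")
        trailers.append((name.strip().lower(), value.strip()))


def parse_request(raw: bytes):
    """Return (method, body); reject ambiguous framing instead of guessing."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("no end of headers")
    request_line, *header_lines = head.split(b"\r\n")
    headers = []
    for line in header_lines:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise FramingError("malformed header line")
        headers.append((name.strip().lower(), value.strip()))
    lengths = [v for n, v in headers if n == b"content-length"]
    chunked = any(b"chunked" in v.lower() for n, v in headers if n == b"transfer-encoding")
    if len(lengths) > 1:
        raise FramingError("multiple Content-Length headers")
    if lengths and chunked:
        raise FramingError("Content-Length together with chunked encoding")
    method = request_line.split(b" ")[0]
    if chunked:
        return method, decode_chunked(body)[0]
    if not lengths:
        return method, b""
    if not lengths[0].isdigit() or len(body) < int(lengths[0]):
        raise FramingError("bad or unsatisfied Content-Length")
    return method, body[:int(lengths[0])]


def reject_reason(raw: bytes):
    """The rejection reason for logging, or None when the request is accepted."""
    try:
        parse_request(raw)
        return None
    except FramingError as e:
        return str(e)
```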


Barracuda Networks Firewall Bug Bounty #32 - Filter Bypass & Persistent Web Vulnerabilities

2014-02-25 Thread Vulnerability Lab
Document Title:
===
Barracuda Networks Firewall Bug Bounty #32 - Filter Bypass & Persistent Web
Vulnerabilities


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1069

Barracuda Networks Security ID (BNSEC): BNSEC-2069


Release Date:
=
2014-02-24


Vulnerability Laboratory ID (VL-ID):

1069


Common Vulnerability Scoring System:

4


Product & Service Introduction:
===
The Barracuda Firewall goes beyond traditional network firewalls and UTMs by
providing powerful network security, granular layer 7 application controls,
user awareness and secure VPN connectivity combined with cloud-based malware
protection, content filtering and reporting. It alleviates the performance
bottlenecks in Unified Threat Management (UTM) appliances through intelligent
integration of on-premise and cloud-based technologies. While the powerful
on-premises appliance is optimized for tasks like packet forwarding and
routing, Intrusion Prevention (IPS), DNS/DHCP services and site-to-site
connectivity; CPU intensive tasks like virus scanning, content filtering and
usage reporting benefit from the scalable performance and elasticity of the
cloud.

(Copy of the Vendor Homepage: https://www.barracuda.com/products/firewall )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered multiple input validation
web vulnerabilities in the Barracuda Networks Web Firewall appliance
application.


Vulnerability Disclosure Timeline:
==
2013-09-27: Researcher Notification & Coordination (Ateeq ur Rehman Khan)
2013-09-28: Vendor Notification (Barracuda Networks Security Team - Bug Bounty
Program)
2013-10-03: Vendor Response/Feedback (Barracuda Networks Security Team - Bug
Bounty Program)
2014-02-17: Vendor Fix/Patch (Barracuda Networks Developer Team)
[Coordination: Eric ** ]
2014-02-24: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Barracuda Networks
Product: Web Firewall 6.1.0.016 - Models: X100; X200; X300; X400 & X600


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:
===
Multiple persistent input validation vulnerabilities and a filter bypass issue
have been discovered in the official Barracuda Networks Web Firewall appliance
web application. The vulnerability allows remote attackers or local low
privileged application user accounts to inject (persistent) own malicious
script codes on the application side of the vulnerable module or connected
module components.

The vulnerability is located in the `Firewall > Firewall Rules > Add Access
Rule` module. The vulnerable input fields are `Source` and `Destination` IP
Address in the general menu. Remote attackers are able to inject custom
malicious script codes into the `Source` and `Destination` input fields as IP.

Attackers can also add new access rules into the application or edit the
existing ones with their custom injected payloads.

To bypass the filter and to be able to save the injected code into the
application, the attacker needs to create 2 entries. The first entry should be
the attacker's payload and the second entry should be any dummy IP address.
The application only performs validation on the active field which is freshly
added and ignores the earlier entries, thus allowing successful injection of
the script code into the application.

Exploitation of the persistent bug and filter bypass issue requires a low
privileged application user account and low user interaction. Successful
exploitation results in session hijacking, persistent phishing, persistent
external redirects & persistent manipulation of affected or connected module
context.

Request Method(s):
[+] POST

Vulnerable Application(s):
[+] Firewall (WAF) Appliance Application (X300Vx & v6.1.0.016)

Vulnerable Module(s):
[+] Firewall > Firewall Rules > Add Access Rule > General

Vulnerable Parameter(s):
[+] fw_access_rule_src_net_type
[+] fw_access_rule_dst_net_type


Proof of Concept (PoC):
===
The persistent input validation web vulnerabilities can be exploited by remote
attackers with a low privileged web-application user account and low user
interaction. For security demonstration or to reproduce the vulnerability,
follow the provided information and steps below.

Manual steps to reproduce the vulnerability:

1. Login with the user account to the Barracuda Networks web firewall
   appliance application
2. Go to Firewall > Firewall Rules > Add Access Rule > General
[RT-SA-2014-001] McAfee ePolicy Orchestrator: XML External Entity Expansion in Dashboard

2014-02-25 Thread RedTeam Pentesting GmbH
Advisory: McAfee ePolicy Orchestrator XML External Entity Expansion in Dashboard

RedTeam Pentesting identified an XML external entity expansion
vulnerability in McAfee ePolicy Orchestrator's (ePO) dashboard feature.
Users with the ability to create new dashboards in the ePO web interface
who exploit this vulnerability can read local files on the ePO server,
including sensitive data like the ePO database configuration.


Details
===

Product: McAfee ePolicy Orchestrator
Affected Versions: 4.6.7 and below
Fixed Versions: 4.6.7 + hotfix 940148
Vulnerability Type: XML External Entity Expansion
Security Risk: high
Vendor URL: http://www.mcafee.com/uk/products/epolicy-orchestrator.aspx
Vendor Status: hotfix released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-001
Advisory Status: public
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction


McAfee ePO allows centrally managing other systems, including deploying
new software and collecting system information. Dashboards allow
privileged users to view statistics and current data about ePO and
associated systems.


More Details


Users with access to McAfee ePO's web interface can have the permission
to add new dashboards. Dashboard definitions can be exported as XML data
and also be imported again. A basic XML dashboard definition looks as
follows:

<dashboard id="1">
  <name>RedTeam Pentesting</name>
  <filteringEnabled>false</filteringEnabled>
</dashboard>

Importing a dashboard consists of uploading the XML data and confirming
the import afterwards. On the confirmation page the dashboard's name
defined in the XML tag <name> is shown.

The ePO system allows adding a user-defined DTD to the XML data and
therefore adding additional entities, which will be expanded by the system.
The following example results in a dashboard with the name "RedTeam
Pentesting Entity":

<?xml version="1.0"?>
<!DOCTYPE dashboard [
<!ENTITY redteam "RedTeam Pentesting Entity">
]>
<dashboard id="1">
  <name>&redteam;</name>
  <filteringEnabled>false</filteringEnabled>
</dashboard>

It is also possible to specify external entities that for example point
to local files on the ePO server. The entity will then be expanded to
contain the file's content. This works as long as the file contents do
not make the resulting XML data invalid. Data that cannot be read
includes for example binary data or files containing XML data
themselves.

If the entity is used in the dashboard's name, the confirmation page
shown when importing a dashboard displays the contents of the file.

The following example XML data can be uploaded to read the file
C:\boot.ini:

<?xml version="1.0"?>
<!DOCTYPE dashboard [
<!ENTITY redteam SYSTEM "file:///c:/boot.ini">
]>
<dashboard id="1">
  <name>&redteam;</name>
  <filteringEnabled>false</filteringEnabled>
</dashboard>

It is also possible to get directory listings by using a file URL that
points to a directory, for example the C: drive:

<!ENTITY redteam SYSTEM "file:///c:/">


Workaround
==

RedTeam Pentesting is not aware of any workarounds.


Fix
===

McAfee has issued a hotfix[0] for version 4.6.7 that removes the
vulnerability. An upgrade to the newer 5.x branch of the product will
also resolve this problem.


Security Risk
=

The vulnerability is mitigated by the fact that users already need valid
login credentials for the ePO system and the permission to create
dashboards for a successful exploitation.

It is still considered to be of a high risk potential however, as it
gives attackers the opportunity to read potentially sensitive file
contents on the server. This includes for example ePO's database
credentials, which are typically stored in a file available at a path
like the following:

C:\programs\mcafee\epolicy orchestrator\server\conf\orion\db.properties

The credentials in this file are encrypted with a static key that is
publicly known and included for example in Metasploit[1].

Depending on the actual network structure, it might be possible to use
the decrypted credentials to read and alter the information in the ePO
database. This might lead to a compromise of the clients that are
managed by ePO.


Timeline


2013-11-20 Vulnerability identified
2013-11-22 Customer decided to coordinate disclosure with vendor
2014-02-14 Vendor replied to customer
2014-02-24 Vendor released hotfix for version 4.6.7 and a public
   Security Bulletin[0]
2014-02-25 Advisory released


References
==

[0] https://kc.mcafee.com/corporate/index?page=content&id=SB10065
[1] https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/epo_sql.rb


RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few
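Added example (not McAfee's or RedTeam Pentesting's code): parsing a dashboard definition of the shape shown in the advisory above with the DTD mechanism refused outright, so neither the internal-entity variant nor the file-reading variant is ever expanded into the name that the import confirmation page displays. The three sample documents are constructed from the advisory's listings; the function names are invented for this illustration.

```python
import xml.parsers.expat as expat


class DtdForbidden(ValueError):
    """The dashboard format needs no DTD, so any DOCTYPE is treated as hostile."""


def parse_dashboard_name(data: bytes) -> str:
    """Return the text of <dashboard><name>, or raise DtdForbidden / ExpatError."""
    parser = expat.ParserCreate()
    # Never load external parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # Fires on '<!DOCTYPE' before any entity declaration is processed.
        raise DtdForbidden(f"DOCTYPE {name!r} is not permitted")

    def forbid_external(context, base, sysid, pubid):
        # Reached only if a DOCTYPE slipped through; refuse to resolve anything.
        raise DtdForbidden(f"external entity {sysid!r} refused")

    path, name_text = [], []

    def start(tag, attrs):
        path.append(tag)

    def end(tag):
        path.pop()

    def chars(text):
        # expat may deliver text in pieces; collect only <dashboard><name> content.
        if path == ["dashboard", "name"]:
            name_text.append(text)

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.ExternalEntityRefHandler = forbid_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return "".join(name_text)


def import_decision(data: bytes):
    """What the confirmation page may show: ('accepted', name) or ('rejected', why)."""
    try:
        return "accepted", parse_dashboard_name(data)
    except DtdForbidden as e:
        return "rejected", str(e)
    except expat.ExpatError as e:
        return "rejected", f"malformed XML: {e}"


# Constructed inputs mirroring the three documents listed in the advisory.
CLEAN = (b'<?xml version="1.0"?>\n<dashboard id="1">\n'
         b'  <name>RedTeam Pentesting</name>\n'
         b'  <filteringEnabled>false</filteringEnabled>\n</dashboard>')
INTERNAL_ENTITY = (b'<?xml version="1.0"?>\n<!DOCTYPE dashboard [\n'
                   b'<!ENTITY redteam "RedTeam Pentesting Entity">\n]>\n'
                   b'<dashboard id="1"><name>&redteam;</name></dashboard>')
EXTERNAL_ENTITY = (b'<?xml version="1.0"?>\n<!DOCTYPE dashboard [\n'
                   b'<!ENTITY redteam SYSTEM "file:///c:/boot.ini">\n]>\n'
                   b'<dashboard id="1"><name>&redteam;</name></dashboard>')
```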