Vulnerability Research & Advisor

Purpose and operating procedures

As part of TIM's Cybersecurity activities, a dedicated working group was set up to carry out Security Assessments (Red Team). It analyses software developed on demand, commercial off-the-shelf software and firmware.

Among the team's objectives is detecting the vulnerabilities that a potential attacker could exploit to carry out cyber attacks against TIM's infrastructure, and highlighting the actual impacts observed.

The activity is not limited to verifying known vulnerabilities; it also includes dedicated research aimed at discovering new vulnerabilities that are not yet publicly known (0day vulnerabilities).

When 0day vulnerabilities are found, a "responsible disclosure" process is followed with the vendor of the analysed product: the discovered vulnerabilities are reported promptly and confidentially, so that the vendor can reproduce them and produce a countermeasure (patch) within 90 days of the notification.

Following the release of the countermeasure (patch), or once 90 days have elapsed since the report, the vulnerabilities are published and classified with MITRE (CVE, Common Vulnerabilities and Exposures).

The same actions are taken within TIM's Security Testing and Incident Handling processes whenever they lead to the discovery of vulnerabilities not yet known to the vendor and the community.

CVE-2021-41555 – ARCHIBUS Web Central

Vulnerability Description: Multiple Stored Cross-Site Scripting - CWE-79
Software Version: 21.3.3.815
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-41555
CVSSv3: 6.1
Severity: Medium
Credits: Luca Carbone, Mattia Campanelli, Alessandro Sabetta, Massimiliano Brolli

** UNSUPPORTED WHEN ASSIGNED **
In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), XSS occurs in /archibus/dwr/call/plaincall/workflow.runWorkflowRule.dwr because the data received as input from clients is re-included within the HTTP response returned by the application without adequate validation. In this way, if HTML code or client-side executable code (e.g., JavaScript) is entered as input, the expected execution flow could be altered. This is fixed in all recent versions, such as version 26.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020.

CVE-2021-41554 – ARCHIBUS Web Central

Vulnerability Description: Multiple Broken Access Control- CWE-284
Software Version: 21.3.3.815
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-41554
CVSSv3: 8.8
Severity: High
Credits: Luca Carbone, Mattia Campanelli, Alessandro Sabetta, Massimiliano Brolli

** UNSUPPORTED WHEN ASSIGNED **
ARCHIBUS Web Central 21.3.3.815 (a version from 2014) does not properly validate requests for access to data and functionality in these affected endpoints:

/archibus/schema/ab-edit-users.axvw, /archibus/schema/ab-data-dictionary-table.axvw, /archibus/schema/ab-schema-add-field.axvw, /archibus/schema/ab-core/views/process-navigator/ab-my-user-profile.axvw. By not verifying the permissions for access to resources, it allows a potential attacker to view pages that are not allowed. Specifically, it was found that any authenticated user can reach the administrative console for user management by directly requesting the page via its URL. This allows a malicious user to modify all users' profiles, to elevate any privileges to administrative ones, or to create or delete any type of user. It is also possible to modify the emails of other users, through a misconfiguration of the username parameter, on the user profile page. This is fixed in all recent versions, such as version 26.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020.

CVE-2021-41553 – ARCHIBUS Web Central

Vulnerability Description: Multiple User Session Vulnerabilities - CWE-1018
Software Version: 21.3.3.815
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-41553
CVSSv3: 9.8
Severity: Critical
Credits: Luca Carbone, Mattia Campanelli, Alessandro Sabetta, Massimiliano Brolli

** UNSUPPORTED WHEN ASSIGNED **
In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), the web application in /archibus/login.axvw assigns a session token that could already be in use by another user. It was therefore possible to access the application as a user whose credentials were not known, without any attempt by the testers to modify the application logic. It is also possible to set the value of the session token client-side, simply by making an unauthenticated GET request to the home page and adding an arbitrary value to the JSESSIONID field. Following the login, the application does not assign a new token and keeps the inserted one as the identifier of the entire session. This is fixed in all recent versions, such as version 26.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020.
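
The two defensive properties that the session handling described above lacks are easy to state in code. The following Python sketch is an added example, not code from the advisory or from the ARCHIBUS product; `SessionStore`, `login` and the cookie handling are hypothetical, and it assumes only the standard library.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: Optional[str] = None
    data: dict = field(default_factory=dict)


class SessionStore:
    """Minimal server-side session store (hypothetical, for illustration).

    Two properties counter the behaviour described for CVE-2021-41553:
    1. A JSESSIONID-style value presented by the client is honoured only if
       this server issued it; unknown values are ignored and a fresh one is
       minted, so a client cannot choose its own identifier.
    2. On successful login the identifier is rotated, so any value the client
       held before authentication no longer identifies the session.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def _new_id(self) -> str:
        # 128 bits from the OS CSPRNG: not guessable, not reused.
        return secrets.token_hex(16)

    def resolve(self, presented_id: Optional[str]) -> str:
        """Return the session id to use for this request.

        Keep the presented id only if we issued it; otherwise mint a new one
        and never adopt the client-supplied value.
        """
        if presented_id is not None and presented_id in self._sessions:
            return presented_id
        sid = self._new_id()
        self._sessions[sid] = Session()
        return sid

    def login(self, presented_id: Optional[str], user: str) -> str:
        """Authenticate and rotate the identifier; returns the new id."""
        old_id = self.resolve(presented_id)
        old = self._sessions.pop(old_id)
        new_id = self._new_id()
        self._sessions[new_id] = Session(user=user, data=old.data)
        return new_id

    def user_for(self, sid: Optional[str]) -> Optional[str]:
        session = self._sessions.get(sid) if sid else None
        return session.user if session else None


def demo_fixation_attempt() -> Tuple[bool, bool]:
    """Replay the two checks from the advisory against the hardened store.

    Returns (client_chosen_id_adopted, pre_login_id_valid_after_login);
    a correct implementation yields (False, False).
    """
    store = SessionStore()
    chosen = "ATTACKERCHOSENVALUE"          # constructed forged cookie value
    sid = store.resolve(chosen)             # unauthenticated GET with that cookie
    adopted = sid == chosen
    store.login(sid, "alice")               # login must rotate the id
    stale_still_valid = store.user_for(sid) == "alice"
    return adopted, stale_still_valid
```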

CVE-2021-38123 – Micro Focus Network Automation

Vulnerability Description: Open Redirect - CWE-601
Software Version: <= 2019.05
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-38123
CVSSv3: 6.1
Severity: Medium
Credits: Veno Eivazian, Massimiliano Brolli

The Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is '/device.save.do'. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

The application presents an Open Redirect on the Host parameter, when the /device.save.do endpoint is requested via an HTTP POST request.

To exploit the vulnerability, the following HTTP request is used:

POST /device.save.do HTTP/1.1
Host: this.is.my.domain.evil.net
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: https://hostname
Connection: close
Referer: https://hostname/device.edit.do?deviceID=201
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

An attacker can send a link containing JavaScript code that automatically redirects the user who runs it to a domain owned by the attacker.
The redirect is performed via the HTTP Location response header.

Figure 1: Open Redirect

The victim is thus redirected to a malicious domain:

Figure 2: Open Redirect

To perform this attack, the user does not need to be authenticated to the target application.
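
The root cause above is a Location header built from the request's own Host header. The following Python functions are an added example (not code from the advisory or from Micro Focus) showing that construction beside a hardened version that only redirects to an allowlisted host; `ALLOWED_HOSTS`, `CANONICAL_BASE` and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed for this example: hostnames under which the application is
# legitimately served, and the base used when the request's Host is not trusted.
ALLOWED_HOSTS = {"hostname", "hostname:443", "nac.example.internal"}
CANONICAL_BASE = "https://hostname"


def redirect_location_vulnerable(headers: dict, path: str) -> str:
    """Build the Location header from the Host header exactly as received.

    This mirrors the behaviour described for /device.save.do: whatever Host
    value the client sends ends up in the 3xx Location.
    """
    return f"https://{headers.get('Host', '')}{path}"


def normalise_host(raw: str) -> str:
    """Lowercase and trim; reject values carrying userinfo or path characters."""
    host = raw.strip().lower()
    if any(c in host for c in "@/\\?#"):
        raise ValueError("malformed Host header")
    return host


def redirect_location_hardened(headers: dict, path: str) -> str:
    """Redirect only to an allowlisted host; otherwise use the configured base.

    The Host header is request data, so it is validated like any other input
    rather than echoed into the response.
    """
    raw = headers.get("Host")
    if raw is None:
        return CANONICAL_BASE + path
    host = normalise_host(raw)
    if host not in ALLOWED_HOSTS:
        # A real application would also log the rejected value here.
        return CANONICAL_BASE + path
    return f"https://{host}{path}"


def is_same_site_redirect(location: str) -> bool:
    """Response-side check: the Location target must point at an allowed host.

    Usable in a test suite or a response filter to catch regressions.
    """
    return urlsplit(location).netloc.lower() in ALLOWED_HOSTS
```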

CVE-2021-35492 – Wowza Streaming Engine

Vulnerability Description: Uncontrolled Resource Consumption – CWE-400
Software Version: <= 4.8.11+5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-35492
CVSSv3: 6.5
Severity: Medium
Credits: Veno Eivazian, Massimiliano Brolli

A remote user, authenticated to the Wowza Streaming Engine web interface, could exhaust filesystem resources through the Virtual Host Monitoring section, resulting in a denial of service (DoS) condition on an affected application. This vulnerability is due to insufficient management of available filesystem resources. An attacker could exploit this vulnerability by requesting historical data for random virtual host names and exhausting available filesystem resources. A successful exploit could allow the attacker to cause database errors and make the device unresponsive to web-based management. Manual intervention is required to free filesystem resources and return the application to an operational state.

To exploit the vulnerability, intercept the browser session with a proxy like Burp Suite.

Then, go to the Virtual Host Monitoring section:

Figure 1: DoS - Virtual Host Monitoring - Web Interface

An HTTP request will be automatically performed to view the historical data of the default virtual host.

The request captured in Burp Suite looks like the following screenshot.

Figure 2: DoS - Regular HTTP request

Every time virtual host monitoring data is requested, a new file is created or appended on the filesystem.

By default, this is the starting condition on the folder /usr/local/WowzaStreamingEngine-4.8.11+5/stats/:

Figure 3: DoS - Filesystem on normal condition

The attack can be performed with Burp Repeater, reusing the request captured by the proxy and changing only the value of the vhost parameter. The response will be HTTP 200 OK:

Figure 4: DoS - New virtual host HTTP request

Alternatively, the same can be achieved with the following payload:

GET /enginemanager/server/vhost/historical.jsdata?vhost=_defaultVHost_pippo_&periodStart=2021-06-03T13%3A47%3A44%2B02%3A00&periodEnd=2021-06-03T14%3A47%3A44%2B02%3A00&_=1622724285834 HTTP/1.1
Host: wse.local:8088
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://wse.local:8088/enginemanager/Home.htm
Cookie: JSESSIONID=E1EC2C1050D74EB0E4DA9474789E8F5E; lastMangerHost=http%3A//127.0.0.1%3A8087; showRightRail=true; DoNotShowFTU=false; lastTab=Basic

On the filesystem side, a new file of 280 KB will be created, as depicted by the following screenshot:

Figure 5: DoS - New virtual host file on the filesystem

To massively exploit this condition, multiple requests with different vhost values have to be sent.

To send those requests reliably, the browser session has to be left active.

Session timeout can be prevented by installing a browser plugin like Tab Reloader and configuring it to refresh the tab every minute, as in the following example:

Figure 6: DoS - Session timeout prevention - Tab Reloader

Then it is possible to create a custom script to randomize the vhost parameter to a new value to be sent every time.

./dos-exploit-wse.py

When executing such a tool, it is possible to exhaust the filesystem by creating 5.5 GB of files every 30 minutes.

The effect is summarised in the following screenshot, which shows the multiple files created on the filesystem and the growth of the stats directory after 30 minutes of running the tool:

Figure 7: DoS - DoS exploit effect

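The distinguishing signal of the behaviour described above is one client requesting historical.jsdata for many vhost names that do not exist in the configuration. The Python below is an added example, not code from the advisory or from Wowza: a detector that runs over constructed access-log lines (the line format, the `CONFIGURED_VHOSTS` set and the thresholds are assumptions), plus the one-line server-side check that would stop a stats file being created for an unknown vhost.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample in a hypothetical access-log format:
# "<ISO timestamp> <client ip> <method> <path-with-query> <status>"
SAMPLE_LOG = """\
2021-06-03T13:47:44+02:00 10.0.0.5 GET /enginemanager/server/vhost/historical.jsdata?vhost=_defaultVHost_&periodStart=a&periodEnd=b 200
2021-06-03T13:47:50+02:00 10.0.0.5 GET /enginemanager/Home.htm 200
2021-06-03T13:48:01+02:00 10.0.0.9 GET /enginemanager/server/vhost/historical.jsdata?vhost=_defaultVHost_x1_ 200
2021-06-03T13:48:02+02:00 10.0.0.9 GET /enginemanager/server/vhost/historical.jsdata?vhost=_defaultVHost_x2_ 200
2021-06-03T13:48:03+02:00 10.0.0.9 GET /enginemanager/server/vhost/historical.jsdata?vhost=_defaultVHost_x3_ 200
2021-06-03T13:48:04+02:00 10.0.0.9 GET /enginemanager/server/vhost/historical.jsdata?vhost=_defaultVHost_x4_ 200
2021-06-03T14:30:00+02:00 10.0.0.9 GET /enginemanager/server/vhost/historical.jsdata?vhost=_defaultVHost_x5_ 200
"""

# Constructed: the virtual hosts that actually exist on this server.
CONFIGURED_VHOSTS = {"_defaultVHost_"}
HISTORICAL_PATH = "/enginemanager/server/vhost/historical.jsdata"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def accept_vhost_for_stats(vhost: str) -> bool:
    """Server-side mitigation: only create or append a stats file for a
    vhost that is configured, never for an arbitrary name from the query."""
    return vhost in CONFIGURED_VHOSTS


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, target, status = m.groups()
    parts = urlsplit(target)
    vhost = parse_qs(parts.query).get("vhost", [None])[0]
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": ip,
        "method": method,
        "path": parts.path,
        "vhost": vhost,
        "status": int(status),
    }


def find_unknown_vhost_bursts(log_text: str,
                              window: timedelta = timedelta(minutes=5),
                              threshold: int = 3) -> dict:
    """Return {client_ip: distinct_unknown_vhosts} for clients that fetched
    historical data for at least `threshold` distinct non-configured vhost
    names within any `window`-long sliding window (HTTP 200 only, since the
    advisory notes the server answers 200 and creates the file)."""
    events = defaultdict(list)  # ip -> [(timestamp, vhost)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"] != HISTORICAL_PATH or rec["status"] != 200:
            continue
        if rec["vhost"] and not accept_vhost_for_stats(rec["vhost"]):
            events[rec["ip"]].append((rec["ts"], rec["vhost"]))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            names = {v for t, v in evs[i:] if t - t0 <= window}
            if len(names) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(names))
    return alerts
```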

CVE-2021-35491 – Wowza Streaming Engine

Vulnerability Description: Cross-Site Request Forgery (CSRF) - CWE-352
Software Version: <= 4.8.11+5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-35491
CVSSv3: 8.1
Severity: High
Credits: Veno Eivazian, Massimiliano Brolli

A remote attacker is able to delete a user without the victim's knowledge, by enticing an authenticated admin user to visit an attacker's web page. The application does not implement a CSRF token for the GET request. An attacker can craft an HTML page with a forged request on /enginemanager/server/user/delete.htm URL and send it to the victim.

Prerequisites: None.

Step-by-step instructions and PoC

An authenticated user that visits a crafted HTML page with a forged request can delete a user on Wowza Streaming Engine on behalf of an administrator.

To exploit the vulnerability, a new user needs to be created for testing purposes.

First, create a new user from Server -> Users -> Add User.

Figure 1: CSRF - User creation

Then, copy the following HTML to a file served on another machine, in this case a local Kali Linux, in the file: /var/www/html/csrf-delete-user.html

<html>
     <body>
          <script>history.pushState('', '', '/')</script>
          <form action="http://wse.local:8088/enginemanager/server/user/delete.htm">
               <input type="hidden" name="userName" value="pippo" />
               <input type="submit" value="Submit request" />
          </form>
     </body>
</html>

Enable the local web server on the attacker machine:

sudo /etc/init.d/apache2 start

From an authenticated browser session to Wowza Streaming Engine with administrative privileges, open a new tab and go to the page http://127.0.0.1/csrf-delete-user.html.

Figure 2: CSRF - PoC HTML page

Select Submit request to make the administrator's browser delete the selected user.

The request will be sent to the web application, and the user will be deleted:

Figure 3: CSRF - User deleted

It was also found that the wowzaSecurityToken HTTP parameter is not present in this GET request. In this case, the application accepts the request and processes it every time.

This is not true in the case of user creation, where that parameter is present and correctly validated.
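
The finding above is an inconsistency: one state-changing endpoint validates wowzaSecurityToken and another, reachable by GET, does not. The Python below is an added example, not code from the advisory or from Wowza, of the usual remedy: enforce the anti-CSRF policy in one dispatcher so no handler can omit it, and audit the route table for state-changing routes that accept GET. The `App`, `Request` and `Route` types and the routes registered are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str]
    session_token: str  # anti-CSRF token bound to the authenticated session


@dataclass
class Route:
    handler: Callable[["Request"], str]
    state_changing: bool
    methods: tuple = ("POST",)


def new_session_token() -> str:
    """Per-session token; issued at login and embedded in the app's own forms."""
    return secrets.token_urlsafe(32)


class App:
    """Hypothetical dispatcher that applies a uniform anti-CSRF policy."""

    TOKEN_PARAM = "wowzaSecurityToken"  # parameter name taken from the advisory

    def __init__(self) -> None:
        self.routes: Dict[str, Route] = {}
        self.users = {"admin", "pippo"}  # constructed user table

    def route(self, path: str, state_changing: bool, methods: tuple = ("POST",)):
        def deco(fn):
            self.routes[path] = Route(fn, state_changing, methods)
            return fn
        return deco

    def dispatch(self, req: Request) -> str:
        r = self.routes.get(req.path)
        if r is None:
            return "404"
        if r.state_changing:
            # 1) Never mutate state on GET: a link or <img> must not suffice.
            if req.method == "GET" or req.method not in r.methods:
                return "405"
            # 2) Require the per-session token, compared in constant time.
            supplied = req.params.get(self.TOKEN_PARAM, "")
            if not hmac.compare_digest(supplied, req.session_token):
                return "403"
        return r.handler(req)


def build_app() -> App:
    app = App()

    @app.route("/enginemanager/server/user/delete.htm", state_changing=True)
    def delete_user(req: Request) -> str:
        app.users.discard(req.params.get("userName", ""))
        return "200"

    @app.route("/enginemanager/server/user/list.htm", state_changing=False, methods=("GET",))
    def list_users(req: Request) -> str:
        return ",".join(sorted(app.users))

    return app


def audit_routes(app: App) -> List[str]:
    """State-changing routes reachable by GET: the class of bug in the advisory."""
    return sorted(p for p, r in app.routes.items() if r.state_changing and "GET" in r.methods)
```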

CVE-2021-32571 – Ericsson OSS-RC

Vulnerability Description: Incomplete Cleanup - CWE-459
Software Version: <= 18B
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-32571
CVSSv3: 4.9
Severity: Medium
Credits: Alessandro Bosco, Mohamed Amine Ouad, Massimiliano Brolli

In OSS-RC systems of release 18B and older, during data migration procedures, certain files containing usernames and passwords are left undeleted on the system, although in folders accessible only by the most privileged accounts.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Ericsson Network Manager is a new generation OSS system which OSS-RC customers shall upgrade to.

CVE-2021-32569 – Ericsson OSS-RC

Vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Reflected Cross-site Scripting') - CWE-79
Software Version: <= 18B
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-32569
CVSSv3: 6.1
Severity: Medium
Credits: Alessandro Bosco, Mohamed Amine Ouad, Massimiliano Brolli

In OSS-RC systems of release 18B and older, the customer documentation browsing libraries under ALEX are subject to Cross-Site Scripting. This problem is completely resolved in the new Ericsson library browsing tool ELEX, used in systems like Ericsson Network Manager.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Ericsson Network Manager is a new generation OSS system which OSS-RC customers shall upgrade to.

CVE-2021-31540 - WOWZA Streaming Engine

Vulnerability Description: CWE-732: Incorrect Permission Assignment for Critical Resource
Software Version: < 4.8.5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-31540
CVSSv3: 7.1
Severity: High
Credits: Francesco Giordano, Massimiliano Brolli

Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. A regular local user is able to read and write to all the configuration files, e.g., modify the application server configuration.

Figure 1: File permissions

CVE-2021-31539 - WOWZA Streaming Engine

Vulnerability Description: CWE-312: Cleartext Storage of Sensitive Information
Software Version: < 4.8.5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-31539
CVSSv3: 5.5
Severity: Medium
Credits: Francesco Giordano, Massimiliano Brolli

Wowza Streaming Engine through 4.8.5 (in a default installation) has cleartext passwords stored in the conf/admin.password file. A regular local user is able to read usernames and passwords.

Figure 1: File permissions

CVE-2021-29661 – Softing AG OPC Toolbox

Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Stored Cross-Site Scripting) - CWE-79
Software Version: Softing AG OPC Toolbox v4.10.1.13035
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-29661
CVSSv3: 5.4
Severity: Medium
Credits: Gianni Palombizio, Michele Cisternino, Stefano Scipioni, Massimiliano Brolli

Softing AG OPC Toolbox version 4.10.1.13035 allows /en/diag_values.html Stored XSS on ITEMLISTVALUES##ITEMID parameter. A malicious user leveraging this vulnerability could inject arbitrary JavaScript into the trace file. The malicious payload will then be triggered every time an authenticated user browses the page containing it.

After logging in to the application with a valid user, the full request is shown on the left.

Figure 1: Full HTTP request

The malicious payload is: "><script>alert('XSS')</script>

The JavaScript code is executed when the victim user navigates to the "Diagnostic/Trace" tab.

Figure 2: XSS on response page

CVE-2021-29660 – Softing AG OPC Toolbox

Vulnerability Description: Cross-Site Request Forgery (CSRF) - CWE-352
Software Version: Softing AG OPC Toolbox v4.10.1.13035
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-29660
CVSSv3: 8.8
Severity: High
Credits: Gianni Palombizio, Michele Cisternino, Stefano Scipioni, Massimiliano Brolli

A Cross-Site Request Forgery (CSRF) vulnerability in Softing AG OPC Toolbox version 4.10.1.13035 and earlier allows attackers to reset the administrative password by inducing the Administrator user to browse a URL controlled by an attacker.

Create and serve a web page containing the following HTML code shown on the left.

Figure 1: HTML code for CSRF victim

The authenticated administrator browses the page configured by the attacker. The password reset request is made to the web application, using the admin's browsing session.

Figure 2: The page is served on the attacker system and requested by the victim

The password of the "Administrator" user is reset successfully.

Figure 3: CSRF password reset request executed successfully

CVE-2021-28979 - Thales SafeNet KeySecure Management Console

Vulnerability Description: CWE-312: Cleartext Storage of Sensitive Information
Software Version: <= 8.12.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28979
CVSSv3: 6.5
Severity: Medium
Credits: Luca Di Giuseppe, Mattia Campanelli, Alessandro Sabetta, Massimiliano Brolli

SafeNet KeySecure Management Console 8.12.0 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using a specially crafted URL to cause the server to return a split response once the URL is clicked.

CVE-2021-28250 – CA eHealth Performance Manager

Vulnerability Description: Privilege Escalation via SUID/GUID file - CWE-250
Software Version: CA eHealth Performance Manager <= 6.3.2.12
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28250
CVSSv3: 7.8
Severity: High
Credits: Veno Eivazian, Alessandro Sabetta, Massimiliano Brolli

CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a setuid (and/or setgid) file. When a component is run as an argument of the runpicEhealth executable, the script code will be executed as the ehealth user.

CVE-2021-28249 – CA eHealth Performance Manager

Vulnerability Description: Privilege Escalation via Dynamically Linked Shared Object Library - CWE-426
Software Version: CA eHealth Performance Manager <= 6.3.2.12
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28249
CVSSv3: 8.8
Severity: High
Credits: Veno Eivazian, Alessandro Sabetta, Massimiliano Brolli

CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a Dynamically Linked Shared Object Library. To exploit the vulnerability, the ehealth user must create a malicious library in the writable RPATH, to be dynamically linked when the FtpCollector executable is run. The code in the library will be executed as the root user.

CVE-2021-28248 – CA eHealth Performance Manager

Vulnerability Description: Improper Restriction of Excessive Authentication Attempts - CWE-307
Software Version: CA eHealth Performance Manager <= 6.3.2.12
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28248
CVSSv3: 7.5
Severity: High
Credits: Veno Eivazian, Alessandro Sabetta, Massimiliano Brolli

CA eHealth Performance Manager through 6.3.2.12 is affected by Improper Restriction of Excessive Authentication Attempts. An attacker is able to perform an arbitrary number of /web/frames/ authentication attempts using different passwords, and eventually gain access to a targeted account.

CVE-2021-28247 – CA eHealth Performance Manager

Vulnerability Description: Multiple Reflected Cross-site Scripting - CWE-79
Software Version: CA eHealth Performance Manager <= 6.3.2.12
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28247
CVSSv3: 5.4
Severity: Medium
Credits: Veno Eivazian, Alessandro Sabetta, Massimiliano Brolli

CA eHealth Performance Manager through 6.3.2.12 is affected by Cross Site Scripting (XSS). The impact is: An authenticated remote user is able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and perform a Reflected Cross-Site Scripting attack against the platform users. The affected endpoints are: cgi/nhWeb with the parameter report, aviewbin/filtermibobjects.pl with the parameter namefilter, and aviewbin/query.pl with the parameters System, SystemText, Group, and GroupText.

CVE-2021-28246 – CA eHealth Performance Manager

Vulnerability Description: Privilege Escalation via Dynamically Linked Shared Object Library - CWE-426
Software Version: CA eHealth Performance Manager <= 6.3.2.12
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28246
CVSSv3: 7.8
Severity: High
Credits: Veno Eivazian, Alessandro Sabetta, Massimiliano Brolli

CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a Dynamically Linked Shared Object Library. A regular user must create a malicious library in the writable RPATH, to be dynamically linked when the emtgtctl2 executable is run. The code in the library will be executed as the ehealth user.

CVE-2021-26597 – NOKIA NetAct

Vulnerability Description: Unrestricted Upload of File with Dangerous Type - CWE-434
Software Version: NOKIA NetAct 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-26597
CVSSv3: 6.5
Severity: Medium
Credits: Raffaella Robles, Andrea Carlo Maria Dattola, Massimiliano Brolli

An issue was discovered in Nokia NetAct 18A. A remote user, authenticated to the NOKIA NetAct Web Page, can visit the Site Configuration Tool web site section and arbitrarily upload potentially dangerous files without restrictions via the /netact/sct dir parameter in conjunction with the operation=upload value.

CVE-2021-26596 – NOKIA NetAct

Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Stored Cross-Site Scripting) - CWE-79
Software Version: NOKIA NetAct 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-26596
CVSSv3: 5.4
Severity: Medium
Credits: Raffaella Robles, Andrea Carlo Maria Dattola, Massimiliano Brolli

An issue was discovered in Nokia NetAct 18A. A malicious user can change a filename of an uploaded file to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. Here, the /netact/sct filename parameter is used.

CVE-2021-3314 - Oracle GlassFish Server

Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Stored Cross-Site Scripting) - CWE-79
Software Version: <= 3.1.2.18
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-3314
CVSSv3: 6.1
Severity: Medium
Credits: Francesco Giordano, Massimiliano Brolli

** UNSUPPORTED WHEN ASSIGNED ** Oracle GlassFish Server 3.1.2.18 and below allows /common/logViewer/logViewer.jsf XSS. A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVE-2021-2005 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware

Vulnerability Description: URL Redirection to Untrusted Site ('Open Redirect')
Software Version: Oracle Business Intelligence Enterprise Edition of Oracle Fusion Middleware. The affected versions are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-2005
Oracle Credits CPU 2021: https://www.oracle.com/security-alerts/cpujan2021.html
CVSSv3: 4.7
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Francesco Russo, Edoardo Predieri, Fabio Minarelli, Massimiliano Brolli

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions) allows an unauthenticated attacker to construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application.

CVE-2020-35590 – WordPress Plugin Limit Login Attempts Reloaded

Vulnerability Description: Improper Restriction of Excessive Authentication Attempts (Rate Limit Bypass on login page)
Software Version: WordPress Plugin Limit Login Attempts Reloaded versions 2.13.0 – 2.17.3.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-35590
CVSSv3: 9.8
Severity: Critical
Credits: Veno Eivazian

LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does not ever reach the maximum allowed retries.
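
The bypass described above works because the rate limiter keys on a header any client can set. The Python below is an added example, not code from the advisory or from the plugin: a limiter keyed on a client-IP resolver that trusts X-Forwarded-For only when the TCP peer is a configured proxy, beside the header-trusting resolver, with a simulation of the randomised-header attempt against both. `TRUSTED_PROXIES`, `MAX_RETRIES`, the class names and the addresses used are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed: the reverse proxies allowed to set X-Forwarded-For, and the
# number of failed attempts allowed per client key before lock-out.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
MAX_RETRIES = 4


def client_ip_vulnerable(remote_addr: str, headers: dict) -> str:
    """Trust the header whenever present, from any peer, without validation:
    the behaviour the advisory describes when the plugin is configured to read
    the client address from a header."""
    return headers.get("X-Forwarded-For", remote_addr)


def _is_trusted(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_hardened(remote_addr: str, headers: dict) -> str:
    """Use X-Forwarded-For only if the TCP peer is a trusted proxy, and then
    take the right-most hop that is not itself a trusted proxy. A value that
    does not parse as an IP falls back to the peer address, so a forged string
    can never become a fresh rate-limit key."""
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr
        if not _is_trusted(addr):
            return str(addr)
    return remote_addr


class LoginLimiter:
    """Counts failed logins per client key and locks out at MAX_RETRIES."""

    def __init__(self, key_func):
        self.key_func = key_func
        self.failures = defaultdict(int)

    def attempt(self, remote_addr: str, headers: dict, password_ok: bool) -> bool:
        """Return True if the attempt was evaluated, False if it was locked out."""
        key = self.key_func(remote_addr, headers)
        if self.failures[key] >= MAX_RETRIES:
            return False
        if not password_ok:
            self.failures[key] += 1
        return True


def simulate_random_header_attempts(key_func, attempts: int = 10) -> int:
    """A client at 203.0.113.7 (not a proxy) sends `attempts` wrong passwords,
    each with a different random X-Forwarded-For value. Returns how many of
    them the limiter let through to password evaluation."""
    limiter = LoginLimiter(key_func)
    evaluated = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"rand-{i}"}
        if limiter.attempt("203.0.113.7", headers, password_ok=False):
            evaluated += 1
    return evaluated
```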

CVE-2020-35589 – WordPress Plugin Limit Login Attempts Reloaded

Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Reflected Cross-Site Scripting) - CWE-79
Software Version: WordPress Plugin Limit Login Attempts Reloaded versions 2.13.0 – 2.17.3.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-35589
CVSSv3: 5.4
Severity: Medium
Credits: Veno Eivazian

The limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows wp-admin/options-general.php?page=limit-login-attempts&tab= XSS. A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims.

CVE-2020-28209 – Schneider Electric StruxureWare Building Operation Enterprise Server Installer – Enterprise Central Installer

Vulnerability Description: Windows Unquoted Search Path
Software Version: Schneider Electric StruxureWare Building Operation Enterprise Server Installer versions 1.0 – 3.1 and Enterprise Central Installer versions 2.0 – 3.1.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-28209
CVSSv3: 7.0
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli

Any local Windows user who has write permission on at least one of the subfolders of the Connect Agent service binary path can gain the privileges of the user who started the service. By default, Enterprise Server and Enterprise Central are always installed at a location requiring Administrator privileges, so the vulnerability is only valid if the application has been installed in a non-secure location.

CVE-2020-27583 – IBM InfoSphere Information Server

Vulnerability Description: CWE-502: Deserialization of Untrusted Data
Software Version: IBM InfoSphere Information Server 8.5.0.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-27583
CVSSv3: 9.8
Severity: Critical
Credits: Damiano Proietti, Davide De Rubeis, Matteo Brutti, Alessandro Sabetta, Massimiliano Brolli

IBM InfoSphere Information Server 8.5.0.0 is affected by deserialization of untrusted data which could allow remote unauthenticated attackers to execute arbitrary code.

CVE-2020-17458 – MultiUX

Vulnerability Description: Stored XSS
Software Version: 3.1.12.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-17458
CVSSv3: 5.4
Severity: Medium
Credits: Francesco Giordano, Sebastiano Lanzarotto, Francesco Pigini, Massimiliano Brolli

Multiple XSS issues were found in MultiUX: almost every parameter in the mailbox creation page is vulnerable to stored XSS.

CVE-2020-17457 – Fujitsu ServerView Suite iRMC

Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Reflected Cross-Site Scripting) - CWE-79
Software Version: Fujitsu ServerView Suite iRMC v8.08F
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-17457
CVSSv3: 5.4
Severity: Medium
Credits: Damiano Proietti, Stefano Scipioni, Massimiliano Brolli

Fujitsu ServerView Suite iRMC before 9.62F allows '/54?ms=9&lang=0&sid=' XSS on the PSCU_FILE_INIT parameter. A malicious user can insert a malicious payload in the XML configuration file. After selecting 'Save Configuration', the payload is triggered in the error response page, which is then reflected to the user and executed by the web browser.

The full request is the following:

Figure 1: The full HTTP request

The JavaScript code is executed when the error message is displayed:

Figure 2: XSS on error message

CVE-2020-15794 – Siemens Desigo Insight

Vulnerability Description: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Software Version: All versions
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-15794
CVSSv3: 4.3
Severity: Medium
Credits: Davide De Rubeis, Damiano Proietti, Matteo Brutti, Stefano Scipioni, Massimiliano Brolli

Some error messages in the web application show the absolute path to the requested resource. This could allow an authenticated attacker to retrieve additional information about the host system.

The following URL is enough to trigger the vulnerability:

  • http://[IP]:[PORT]/desigo/plant-viewer.aspx?page=[NON-EXISTENT PAGE]

Figure 1: if the requested file doesn't exist, the application returns the full path it searched in

CVE-2020-15793 – Siemens Desigo Insight

Vulnerability Description: CWE-1021: Improper Restriction of Rendered UI Layers or Frames
Software Version: All versions
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-15793
CVSSv3: 4.5
Severity: Medium
Credits: Davide De Rubeis, Damiano Proietti, Matteo Brutti, Stefano Scipioni, Massimiliano Brolli

The device does not properly set the X-Frame-Options HTTP Header which makes it vulnerable to Clickjacking attacks. This could allow an unauthenticated attacker to retrieve or modify data in the context of a legitimate user by tricking that user to click on a website controlled by the attacker.

CVE-2020-15792 – Siemens Desigo Insight

Vulnerability Description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Software Version: All versions
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-15792
CVSSv3: 4.3
Severity: Medium
Credits: Davide De Rubeis, Damiano Proietti, Matteo Brutti, Stefano Scipioni, Massimiliano Brolli

The web service does not properly validate the ID query parameter in a reserved area on the following URL:

  • http://[IP]:[PORT]/desigo/lv-proprierties.aspx?id=[ID][SQL expression]

This could allow an authenticated attacker to retrieve data via a content-based blind SQL injection attack, using for example the following payloads:

For a “true” response (Figure 1: the true condition returns the object 465587):

id=465587%20and%20%20%27asd%27=%27asd%27%20--

For a “false” response (Figure 2: the false condition returns an error on the index):

id=465587%20and%20%20%27asd%27=%27xxx%27%20--
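As an added illustration (not code from the advisory, from Siemens or from TIM): the two payloads above run against a constructed SQLite table through a lookup that concatenates the id parameter, beside the hardened form that validates the type and binds the value. The table, its contents and the function names are assumptions for the demonstration; the hardened lookup rejects both payloads before any SQL is executed.

```python
"""Content-based blind SQL injection: the vulnerable lookup beside its hardened form.

Added example for the Desigo Insight advisory; not code from Siemens or TIM.
The schema, the rows and the function names are constructed for the demonstration.
"""
import sqlite3
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Constructed in-memory table standing in for the application's object store.
_conn = sqlite3.connect(":memory:", check_same_thread=False)
_conn.execute("CREATE TABLE objects (id INTEGER PRIMARY KEY, name TEXT)")
_conn.executemany("INSERT INTO objects VALUES (?, ?)",
                  [(465587, "Object A"), (465588, "Object B")])
_conn.commit()

# The two payloads from the advisory, URL-encoded as they appear in the request.
TRUE_QUERY = "id=465587%20and%20%20%27asd%27=%27asd%27%20--"
FALSE_QUERY = "id=465587%20and%20%20%27asd%27=%27xxx%27%20--"


def id_from_query(query_string: str) -> str:
    """Extract and URL-decode the id parameter, as a web framework would."""
    return parse_qs(query_string)["id"][0]


def lookup_unsafe(raw_id: str) -> Optional[Tuple[int, str]]:
    """Vulnerable pattern: the parameter is concatenated into the SQL text.

    Any boolean expression appended to the id is evaluated by the database, so
    whether a row comes back leaks one bit per request (content-based blind SQLi).
    """
    query = "SELECT id, name FROM objects WHERE id = " + raw_id
    return _conn.execute(query).fetchone()


def lookup_safe(raw_id: str) -> Optional[Tuple[int, str]]:
    """Hardened pattern: validate the type, then pass the value as a bound parameter.

    The id is numeric by design, so anything that is not an integer is rejected
    before the database is involved; the bound value never becomes SQL syntax.
    """
    try:
        object_id = int(raw_id)
    except ValueError:
        raise ValueError(f"id must be an integer, got {raw_id!r}") from None
    return _conn.execute(
        "SELECT id, name FROM objects WHERE id = ?", (object_id,)
    ).fetchone()


def safe_rejects(raw_id: str) -> bool:
    """True when the hardened lookup refuses the input."""
    try:
        lookup_safe(raw_id)
    except ValueError:
        return True
    return False
```

The vulnerable lookup returns the object for the "true" payload and nothing for the "false" one, which is exactly the difference an attacker observes; the hardened one fails closed on both, and the same integer-validation-plus-binding pattern applies to any numeric identifier taken from a request.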

CVE-2020-14843 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware

Vulnerability Description: Unrestricted Upload of File with Dangerous Type
Software Version: Oracle Business Intelligence Enterprise Edition of Oracle Fusion Middleware. The affected versions are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-14843
Oracle Credits CPU 2020: https://www.oracle.com/security-alerts/cpuoct2020.html
CVSSv3: 7.1
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Francesco Russo, Edoardo Predieri, Fabio Minarelli, Massimiliano Brolli

A vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions) allows an authenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data, as well as malware spreading and unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data.

CVE-2020-14842 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware

Vulnerability Description:

  • Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting Stored)
  • Unrestricted Upload of File with Dangerous Type

Software Version: Oracle Business Intelligence Enterprise Edition of Oracle Fusion Middleware. The affected versions are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-14842
Oracle Credits CPU 2020: https://www.oracle.com/security-alerts/cpuoct2020.html
CVSSv3: 8.2
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Francesco Russo, Edoardo Predieri, Fabio Minarelli, Massimiliano Brolli

Multiple vulnerabilities in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions) allow an authenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of these vulnerabilities can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data, as well as malware spreading and unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data.

CVE-2020-14690 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware

Vulnerability Description:

  • Cross-site scripting stored
  • Cross-site scripting

Software Version: Oracle Business Intelligence Enterprise Edition of Oracle Fusion Middleware. The affected versions are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-14690
CVSSv3: 8.2
Severity: High
Credits: Alessandro Bosco, Edoardo Predieri, Fabio Minarelli, Francesco Russo, Luca Di Giuseppe, Massimiliano Brolli

A vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions) allows an unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data, as well as unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data.

CVE-2020-12081 – FlexNet Publisher

Vulnerability Description: Improper Limitation of a Pathname to a Restricted Directory ('Full Path Traversal') - CWE-22

Software Version: FlexNet Publisher 11.12.1
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-12081
CVSSv3: 7.5
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli

Step-by-step instructions and PoC

A remote user, authenticated to FlexNet Publisher License Administrator, is able to define an arbitrary full path name in which to save the application logs. By using the "view logs" functionality, the attacker can then access the content of the previously specified file.

Affected Endpoints:

  • URL: http://hostname/vendor
  • Parameter: logFile
  • Function: Change log path and name

Below is the evidence, with the vulnerability details and the payloads used.

The HTTP request used by the attacker to change the full path name of the logs to win.ini.

Using the "view logs" function, the malicious user can access the previously specified file.

Security Impact

By exploiting this issue an attacker is able to read arbitrary files from the file system of the target server.

CVE-2020-9050 – Johnson Controls Metasys MREWeb Service

Vulnerability Description: CWE-22: Full Path Traversal
Software Version: Johnson Controls Metasys MREWeb Service 9.0.0.4256
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-9050
CVSSv3: 7.5
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Stefano Scipioni, Massimiliano Brolli

A remote non-authenticated attacker can define an arbitrary full path name while using the web resource /MREService/Download.aspx. By using this functionality, an attacker can download arbitrary files from the system.

CVE-2020-7573 – Schneider Electric StruxureWare Building Operation WebReports

Vulnerability Description: Improper Access Control
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.9 – 3.1.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-7573
CVSSv3: 6.5
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli

A remote non-authenticated attacker is able to access a restricted web resource due to improper access control.

CVE-2020-7572 – Schneider Electric StruxureWare Building Operation WebReports

Vulnerability Description: Improper Restriction of XML External Entity Reference
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.9 – 3.1.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-7572
CVSSv3: 8.8
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli

A remote user, authenticated to Building Operation WebReports, is able to inject arbitrary XML code containing a reference to an external entity via a crafted HTTP request into the server-side XML parser without being sanitized. By exploiting this vulnerability, an attacker can access the contents of a file on the system potentially containing sensitive data, other restricted web resources via server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts like a denial of service.
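As an added illustration of the mitigation for this class of issue (example code, not from the advisory, from Schneider Electric or from TIM): a parser built on the standard library expat bindings that refuses any DOCTYPE or entity declaration in input from an untrusted source, so an external entity can never be declared, let alone resolved. The sample documents and the function names are constructed for the demonstration.

```python
"""Reject DTDs before an untrusted XML document reaches the parser (XXE defence).

Added example for the XXE advisory; not code from Schneider Electric or TIM.
The sample documents and helper names are constructed.
"""
import xml.parsers.expat as expat
from typing import Dict, List


class ForbiddenDTDError(ValueError):
    """Raised when an untrusted document declares a DTD or an entity."""


def parse_untrusted_xml(data: bytes) -> Dict[str, List[str]]:
    """Parse XML from an untrusted source, refusing any DOCTYPE or entity declaration.

    Declining the DTD outright is the simplest XXE mitigation: without a DTD there
    is no way to declare an external entity, so the parser can never be asked to
    read a local file or fetch a URL on the sender's behalf. Parameter entities
    (external DTD subsets) are disabled as well. Returns a mapping of element
    name to the list of text contents seen for that element.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise ForbiddenDTDError(f"DOCTYPE {doctype_name!r} is not allowed in untrusted input")

    def reject_entity(entity_name, *_):
        raise ForbiddenDTDError(f"entity declaration {entity_name!r} is not allowed")

    def reject_external_ref(*_):
        raise ForbiddenDTDError("external entity reference is not allowed")

    # Exceptions raised inside expat handlers stop the parse and propagate out of Parse().
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref

    result: Dict[str, List[str]] = {}
    buffers: List[List[str]] = []  # one text buffer per open element

    def start(name, attrs):
        buffers.append([])

    def chars(text):
        if buffers:
            buffers[-1].append(text)  # character data may arrive in several chunks

    def end(name):
        text = "".join(buffers.pop()).strip()
        if text:
            result.setdefault(name, []).append(text)

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return result


def is_rejected(data: bytes) -> bool:
    """True when the document is refused because it carries a DTD or entity."""
    try:
        parse_untrusted_xml(data)
    except ForbiddenDTDError:
        return True
    return False


# Constructed samples: a plain report, and the same report with a DOCTYPE that
# declares an external entity (the SYSTEM target is a placeholder, not a real path).
REPORT_OK = b"<report><name>Daily</name><status>ok</status></report>"
REPORT_WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE report [<!ENTITY ext SYSTEM "file:///CONSTRUCTED/secret.txt">]>'
    b"<report><name>&ext;</name></report>"
)
```

The document with a DTD is refused at the DOCTYPE declaration, before the entity is even defined; the plain document parses normally. The same approach (reject DTDs, never resolve external or parameter entities) is the setting to look for in whatever XML library the affected component uses.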

CVE-2020-7571 – Schneider Electric StruxureWare Building Operation WebReports

Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting Reflected)
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.9 – 3.1.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-7571
CVSSv3: 5.4
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli

Multiple Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Reflected) vulnerabilities exist that could allow a remote attacker to inject arbitrary web script or HTML, due to incorrect sanitization of user-supplied data, and achieve a reflected Cross-Site Scripting attack against other WebReports users.

CVE-2020-7570 – Schneider Electric StruxureWare Building Operation WebReports

Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting Stored)
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.9 – 3.1.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-7570
CVSSv3: 5.4
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli

An Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Stored) vulnerability exists that could allow an authenticated remote user to inject arbitrary web script or HTML, due to incorrect sanitization of user-supplied data, and achieve a stored Cross-Site Scripting attack against other WebReports users.

CVE-2020-7569 – Schneider Electric StruxureWare Building Operation WebReports

Vulnerability Description: Unrestricted Upload of File with Dangerous Type
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.0 – 3.1.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-7569
CVSSv3: 8.8
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli

An Unrestricted Upload of File with Dangerous Type vulnerability exists that could allow an authenticated remote user to upload arbitrary files, due to incorrect verification of user-supplied files, and achieve remote code execution.

CVE-2020-2505 – QNAP QES

Vulnerability Description: Information Disclosure
Software Version: QES 2.0.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-2505
CVSSv3: 2.3
Severity: Low
Credits: Francesco Giordano, Francesco Pigini, Sebastiano Lanzarotto, Massimiliano Brolli

In QNAP QES 2.0.0 there is a vulnerability that allows an attacker to exploit a type confusion to find information on the platform.

CVE-2020-2504 – QNAP QES

Vulnerability Description: Arbitrary File Download
Software Version: QES 2.0.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-2504
CVSSv3: 7.5
Severity: High
Credits: Francesco Giordano, Francesco Pigini, Sebastiano Lanzarotto, Massimiliano Brolli

A vulnerability was found in QNAP QES 2.0 that allows an authenticated attacker to escape the web root and download files from the NAS. The vulnerability resides in the download functionality.

CVE-2020-2503 – QNAP QES

Vulnerability Description: Stored XSS via Arbitrary File upload
Software Version: QES 2.0.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-2503
CVSSv3: 5.4
Severity: Medium
Credits: Francesco Giordano, Francesco Pigini, Sebastiano Lanzarotto, Massimiliano Brolli

A vulnerability was found in QNAP QES 2.0 that, if exploited, could allow remote attackers to inject malicious code in File Station. The vulnerability resides in the upload functionality, which doesn’t perform the correct sanitization.

CVE-2019-19994 - Selesta Visual Access Manager

Vulnerability Description: OS Command Injection Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19994
CVSSv3: 9.8
Severity: Critical
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.

An attacker without authentication is able to execute arbitrary operating system commands by injecting into an HTTP POST parameter of the PHP web page.

CVE-2019-19993 - Selesta Visual Access Manager

Vulnerability Description: Multiple Full Path Disclosure Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19993
CVSSv3: 5.3
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.

This server is configured to display PHP error messages. One or more fully qualified path names were found on this page. From this information the attacker may learn the file system structure of the web server, which can be used to conduct further attacks.

CVE-2019-19992 - Selesta Visual Access Manager

Vulnerability Description: Arbitrary file read Post-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19992
CVSSv3: 6.5
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.

A user with valid credentials is able to read XML files on the filesystem via the web interface. The PHP page doesn’t check the parameter that identifies the file name to be read, so an attacker can manipulate the file name to access any sensitive file within the filesystem.

CVE-2019-19991 - Selesta Visual Access Manager

Vulnerability Description: Multiple XSS reflected Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19991
CVSSv3: 5.4
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.

A reflected Cross-site scripting (XSS) vulnerability allows authenticated remote attackers to inject arbitrary web script or HTML into almost any HTTP GET/POST parameter that reflects the user input without sanitization.

CVE-2019-19990 - Selesta Visual Access Manager

Vulnerability Description: Multiple XSS Stored Post-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19990
CVSSv3: 5.4
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.

A stored Cross-site scripting (XSS) vulnerability allows authenticated remote attackers to inject arbitrary web script or HTML into some HTTP GET/POST parameters whose user input is stored on the system and later reflected.

CVE-2019-19989 - Selesta Visual Access Manager

Vulnerability Description: Multiple Broken Access Control Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19989
CVSSv3: 7.5
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.

Access control (authorization) determines which users can interact with systems and resources within the Web interface. When access control is broken, users could send unauthorized requests to the application. Unauthorized access to system functionality and resources creates an exploitable weakness that opens your company to harmful and potentially expensive outcomes.

CVE-2019-19988 – Selesta Visual Access Manager

Vulnerability Description: Arbitrary file write Post-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19988
CVSSv3: 8.8
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.

A user with valid credentials is able to create and write XML files on the filesystem via the web interface. The PHP page doesn’t check the parameter that identifies the file name to be created, so an attacker can manipulate the file name to create any type of file within the filesystem.

CVE-2019-19987 - Selesta Visual Access Manager

Vulnerability Description: Multiple Cross-Site request forgery pre authentication
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19987
CVSSv3: 6.5
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. This vulnerability has been found in several pages. An attacker can exploit it in functionalities such as change password, add user, add privileges and so on.

CVE-2019-19986 - Selesta Visual Access Manager

Vulnerability Description: SQL Injection Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19986
CVSSv3: 7.5
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.

An attacker without authentication is able to execute arbitrary SQL statements by injecting into HTTP POST/GET parameters of the PHP web page.

CVE-2019-19456 - WOWZA Streaming Engine

Vulnerability Description: Pre-Auth Cross Site Scripting
Software Version: Wowza Streaming Engine < 4.x.x
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19456
CVSSv3: 6.1
Severity: Medium
Credits: Francesco Giordano, Massimiliano Brolli

A Reflected XSS was found in the server selection box inside the login page at:
http://[host]/enginemanager/loginfailed.html

CVE-2019-19455 - WOWZA Streaming Engine

Vulnerability Description: Local Privilege Escalation
Software Version: < 4.8.5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19455
CVSSv3: 7.8
Severity: High
Credits: Francesco Giordano, Massimiliano Brolli

A local privilege escalation was found in the Linux version of the server. A user can write arbitrary commands into any file in /usr/local/WowzaStreamingEngine/manager/bin/, since those files are writable by anyone and are executed as root when the server boots or stops.

CVE-2019-19454 - WOWZA Streaming Engine

Vulnerability Description: Arbitrary File Download
Software Version: Wowza Streaming Engine < 4.x.x
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19454
CVSSv3: 7.5
Severity: High
Credits: Francesco Giordano, Massimiliano Brolli

An arbitrary file download was found in the "Download Log" functionality at
https://[host]/enginemanager/server/logs/download

CVE-2019-19453 - WOWZA Streaming Engine

Vulnerability Description: Stored XSS
Software Version: < 4.8.5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19453
CVSSv3: 6.1
Severity: Medium
Credits: Francesco Giordano, Massimiliano Brolli

An authenticated user with access to proxy license editing is able to insert a malicious payload that is triggered in the main page of the server settings.

CVE-2019-17406 - NOKIA IMPACT

Vulnerability Description: Path Traversal
Software Version: NOKIA IMPACT < 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-17406
CVSSv3: 5.3
Severity: Medium
Credits: Francesco Giordano, Alessandro Sabetta, Massimiliano Brolli

An authenticated user with access to the CDP component of NOKIA IMPACT is able to save files in arbitrary locations on the filesystem. This vulnerability was found in a feature of the system that loads multiple devices from an uploaded, properly formatted CSV file.

The filename parameter is vulnerable to path traversal: by naming the file with a relative path (e.g. ../../../../../../../tmp/myfile.csv), an attacker is able to save it in an arbitrary location on the filesystem.
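The FlexNet Publisher, Metasys MREWeb and NOKIA IMPACT entries on this page all come down to a user-supplied file name that is used without being confined to one directory. As an added example (not code from any of those vendors or from TIM), the following check maps a name into a base directory and rejects the traversal cases described in those entries: the relative path quoted above, absolute paths, bare dot names, and a symlink that points outside the directory. The directory layout, the file names and the function names are constructed for the demonstration.

```python
"""Confine a user-supplied file name to one directory (path traversal defence).

Added example for the path traversal advisories on this page (FlexNet Publisher,
Metasys MREWeb, NOKIA IMPACT); not code from those vendors or from TIM.
The base directory, file names and helper names are constructed.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable


class PathTraversalError(ValueError):
    """Raised when a user-supplied name would leave the permitted directory."""


def resolve_within(base_dir: Path, user_name: str) -> Path:
    """Map user_name to a path inside base_dir, raising if it cannot be confined.

    Two independent layers: a lexical check on the name (no separators, no
    '.'/'..', no NUL), then a check on the resolved real path, which also catches
    a symlink inside base_dir that points outside it. Log-file names (the FlexNet
    case) and download or upload names (the Metasys and NOKIA cases) should all
    pass through a check like this before the file system is touched.
    """
    if (not user_name or user_name in (".", "..")
            or "/" in user_name or "\\" in user_name or "\0" in user_name):
        raise PathTraversalError(f"invalid file name {user_name!r}")
    base = base_dir.resolve()
    candidate = (base / user_name).resolve()
    try:
        # Component-wise comparison: 'uploads_other' is not inside 'uploads'.
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError(f"{user_name!r} resolves outside {base}") from None
    return candidate


def classify_names(base_dir: Path, names: Iterable[str]) -> Dict[str, str]:
    """Return, for each name, the confined relative path or the string 'rejected'."""
    base = base_dir.resolve()
    outcome: Dict[str, str] = {}
    for name in names:
        try:
            outcome[name] = str(resolve_within(base, name).relative_to(base))
        except PathTraversalError:
            outcome[name] = "rejected"
    return outcome


def demo() -> Dict[str, str]:
    """Exercise the check in a throwaway directory tree (constructed sample)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "uploads"
        base.mkdir()
        (base / "devices.csv").write_text("id,name\n1,constructed\n")
        (Path(tmp) / "outside.txt").write_text("not for download\n")
        names = [
            "devices.csv",
            "../../../../../../../tmp/myfile.csv",  # the relative path quoted in the NOKIA entry
            "/tmp/myfile.csv",                       # absolute path
            "..",                                    # bare parent reference
            "sub\\devices.csv",                      # backslash separator
        ]
        try:
            os.symlink(Path(tmp) / "outside.txt", base / "link.csv")
            names.append("link.csv")  # symlink escape, caught by the resolved-path check
        except OSError:
            pass  # symlinks not permitted on this host; that case is skipped
        return classify_names(base, names)
```

Only the plain file name survives; every other form is refused before any open() call. Allowing sub-directories would mean relaxing the lexical layer, in which case the resolved-path layer alone must hold, so keep both and test the symlink case whenever the base directory is writable by the same users who supply names.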

CVE-2019-17405 - NOKIA IMPACT

Vulnerability Description: Cross Site Scripting
Software Version: NOKIA IMPACT < 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-17405
CVSSv3: 6.1
Severity: Medium
Credits: Francesco Giordano, Alessandro Sabetta, Massimiliano Brolli

A self-reflected Cross Site Scripting vulnerability was found in the manual page of Nokia CDP at https://[host]/ui/help/en_US/[redacted]ConsoleHelp/index

Figure: the payload used.

There is an input filter that removes the "." character, but we bypassed it by accessing cookie as a key of document.

CVE-2019-17404 - NOKIA IMPACT

Vulnerability Description: Full Path Disclosure
Software Version: NOKIA IMPACT < 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-17404
CVSSv3: 4.3
Severity: Medium
Credits: Francesco Giordano, Alessandro Sabetta, Massimiliano Brolli

An authenticated user with access to the CDP component of NOKIA IMPACT is able to leak the full path of the installation. In particular, the massive device upload feature (deviceImport) releases detailed information about the location where the files are saved within the application filesystem.

If the path traversal is exploited to point to a non-existent path, the application throws an unhandled exception, leaking the full path of where the files are saved (full path disclosure).

CVE-2019-17403 - NOKIA IMPACT

Vulnerability Description: Unrestricted File Upload
Software Version: NOKIA IMPACT < 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-17403
CVSSv3: 8.8
Severity: High
Credits: Francesco Giordano, Alessandro Sabetta, Massimiliano Brolli

An authenticated user with access to the CDP component of NOKIA IMPACT is able to upload files with arbitrary extensions.

The deviceImport function parses every received file with a csv_parse function. We managed to upload a non-CSV file by prepending the following line, followed by our payload.

We uploaded a PHP web shell into a path served by Apache (in our case /opt/[redacted]/5/) and obtained code execution as the apache user.