Tenable Research: February and March Vulnerability Disclosure Roundup

EMC VASA Virtual Appliance Default Credentials and Arbitrary File Upload

CVE ID: CVE-2018-1216, CVE-2018-1215

Nessus Plugin ID: 106849

Tenable Research Advisory: TRA-2018-03

Risk Factor: Critical

What do you need to know?

Tenable Research has discovered two vulnerabilities in the EMC VASA Virtual Appliance SE web application. The first vulnerability is a default account. The default account does not have access to the web UI, but exploitation permits an attacker to obtain a valid session ID to execute further commands. The second vulnerability permits an authenticated attacker to upload an arbitrary file to any location on the web server.

What’s the attack vector?

Exploitation of the default credentials requires only unauthenticated network access. Even though the default credentials do not have privileges for the web UI, after authenticating, the attacker can extract a valid session ID from a local cookie and use it to execute remote commands.

What’s the business impact?

Combining both vulnerabilities can permit an attacker to gain full unauthorized access to the system.

What’s the solution?

EMC has released a software update and advisory. Affected users must apply the patch as soon as possible. Tenable customers can assess the vulnerabilities using Plugin ID 106849.

Micro Focus Operations Orchestration Information Disclosure and Remote Denial-of-Service Vulnerabilities

CVE ID: CVE-2018-6490

Nessus Plugin ID: 107094

Tenable Research Advisory: TRA-2018-05

Risk Factor: High

What do you need to know?

Tenable Research has discovered information disclosure and denial-of-service vulnerabilities in Micro Focus Operations Orchestration version 10.X. These can be used to disclose sensitive runtime information and shut down the JMiniX JMX console used for administrative web-based access. You can read a full analysis here.

What's the attack vector?

Exploitation requires remote unauthenticated network access and is trivial to exploit.

What's the business impact?

Malicious attackers can gather sensitive runtime information for reconnaissance. Even worse, a malicious attacker can remotely shut down the JMiniX JMX console that provides access to the web user interface. Micro Focus Operations Orchestration is used by IT and DevOps operation teams to automate IT processes (e.g., incident and disaster recovery and hybrid cloud provisioning and configuration).

What's the solution?

Micro Focus has released a software update and advisory. Affected users must apply the patch as soon as possible. Tenable customers can assess the vulnerability using Plugin ID 107094.

Check Point Gaia OS Privilege Escalation Vulnerability

CVE ID: -

Nessus Plugin ID:107072

Tenable Research Advisory: TRA-2018-04

Risk Factor: Medium

What do you need to know?

Tenable Research has discovered a Privilege Escalation vulnerability in Check Point’s Gaia OS, versions R77.20, R77.30 and R80.10, deployed on Check Point’s Security Gateway, Security Management and Scalable Platforms Appliances. The vulnerability can be used by a malicious user to execute arbitrary bash shell commands.

What’s the attack vector?

Exploitation requires an authenticated user session. Arbitrary bash shell commands can be executed with the proper formatting despite a restricted shell.

What’s the business impact?

The business impact is considered Low. Exploitation requires a malicious insider, or the theft or phishing of credentials. Arbitrary commands require careful crafting to execute successfully.

What’s the solution?

Check Point has released a software update and advisory. Affected users should apply the patch as soon as possible. Tenable customers can assess the vulnerability using Plugin ID 107072.

Cisco IOS and IOS XE Multiple Memory Corruption Vulnerabilities

CVE ID: CVE-2018-0172, CVE-2018-0173, CVE-2018-0174

Nessus Plugin ID: -

Tenable Research Advisory: TRA-2018-06

Risk Factor: High

What do you need to know?

Tenable Research has discovered denial-of-service vulnerabilities in the DHCP relay agent in Cisco’s IOS and IOS-XE operating systems.

What's the attack vector?

The attacks are performed by sending malicious DHCP requests to the relay agent on the router.

What's the business impact?

The business impact is medium. An attacker could use this attack to stop clients from obtaining IP addresses.

What's the solution?

Cisco has released software updates and an advisory for each vulnerability (see below). Affected users should patch their systems as soon as possible.

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr1
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr2
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr3