Novell ZENworks Control Center File Upload Remote Code Execution

This script is Copyright (C) 2013-2016 Tenable Network Security, Inc.


Synopsis :

An application on the remote host is affected by a remote code
execution vulnerability.

Description :

The installed version of Novell ZENworks Control Center has a flaw in
its authentication checking on '/zenworks/jsp/index.jsp' that can
allow a remote, unauthenticated attacker to upload arbitrary files and
execute them with SYSTEM privileges.

See also :

http://www.novell.com/support/kb/doc.php?id=7011812
http://www.zerodayinitiative.com/advisories/ZDI-13-049/

Solution :

Upgrade to ZENworks 11.2.2 and apply the interim fix, or apply 11.2.3a
Monthly Update 1 for 11.2.3 installs.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 65722

Bugtraq ID: 58668

CVE ID: CVE-2013-1080
