FreeBSD : RT -- multiple vulnerabilities (3a429192-c36a-11e2-97a9-6805ca0b3d42)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

Thomas Sibley reports :

We discovered a number of security vulnerabilities which affect both
RT 3.8.x and RT 4.0.x. We are releasing RT versions 3.8.17 and 4.0.13
to resolve these vulnerabilities, as well as patches which apply atop
all released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.17, 4.0.13, and the below patches
include the following :

RT 4.0.0 and above are vulnerable to a limited privilege escalation
leading to unauthorized modification of ticket data. The DeleteTicket
right and any custom life cycle transition rights may be bypassed by
any user with ModifyTicket. This vulnerability is assigned
CVE-2012-4733.

RT 3.8.0 and above include a version of bin/rt that uses
semi-predictable names when creating tempfiles. This could possibly be
exploited by a malicious user to overwrite files with permissions of
the user running bin/rt. This vulnerability is assigned CVE-2013-3368.

RT 3.8.0 and above allow calling of arbitrary Mason components
(without control of arguments) for users who can see administration
pages. This could be used by a malicious user to run private
components which may have negative side-effects. This vulnerability is
assigned CVE-2013-3369.

RT 3.8.0 and above allow direct requests to private callback
components. Though no callback components ship with RT, this could be
used to exploit an extension or local callback which uses the
arguments passed to it insecurely. This vulnerability is assigned
CVE-2013-3370.

RT 3.8.3 and above are vulnerable to cross-site scripting (XSS) via
attachment filenames. The vector is difficult to exploit due to
parsing requirements. Additionally, RT 4.0.0 and above are vulnerable
to XSS via maliciously-crafted 'URLs' in ticket content when RT's
'MakeClicky' feature is configured. Although not believed to be
exploitable in the stock configuration, a patch is also included for
RTIR 2.6.x to add bulletproofing. These vulnerabilities are assigned
CVE-2013-3371.

RT 3.8.0 and above are vulnerable to an HTTP header injection limited
to the value of the Content-Disposition header. Injection of other
arbitrary response headers is not possible. Some (especially older)
browsers may allow multiple Content-Disposition values which could
lead to XSS. Newer browsers contain security measures to prevent this.
Thank you to Dominic Hargreaves for reporting this vulnerability. This
vulnerability is assigned CVE-2013-3372.

RT 3.8.0 and above are vulnerable to a MIME header injection in
outgoing email generated by RT. The vectors via RT's stock templates
are resolved by this patchset, but any custom email templates should
be updated to ensure that values interpolated into mail headers do not
contain newlines. This vulnerability is assigned CVE-2013-3373.

RT 3.8.0 and above are vulnerable to limited session re-use when using
the file-based session store, Apache::Session::File. RT's default
session configuration only uses Apache::Session::File for Oracle. RT
instances using Oracle may be locally configured to use the
database-backed Apache::Session::Oracle, in which case sessions are
never re-used. The extent of session re-use is limited to information
leaks of certain user preferences and caches, such as queue names
available for ticket creation. Thank you to Jenny Martin for reporting
the problem that lead to discovery of this vulnerability. This
vulnerability is assigned CVE-2013-3374.

See also :

http://www.nessus.org/u?e79fb8ab
http://www.nessus.org/u?4c8a91ea
http://www.nessus.org/u?0de2bf27
http://www.nessus.org/u?e6dadb8a

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 66581 ()

Bugtraq ID:

CVE ID: CVE-2012-4733
CVE-2013-3368
CVE-2013-3369
CVE-2013-3370
CVE-2013-3371
CVE-2013-3372
CVE-2013-3373
CVE-2013-3374

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now