F5 Networks rsync RCE

This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote host is running a rsync daemon that allows a user to upload
arbitrary files.

Description :

The rsync daemon on the remote F5 Networks host is affected by an
authentication bypass vulnerability when configured in failover mode.
An unauthenticated, remote attacker can exploit this, via a cmi
request to the ConfigSync IP address, to read or write arbitrary
files.

Nessus was able to confirm that a module on the remote rsync daemon
allows writing files to the root of the file system. An attacker can
overwrite '/root/.ssh/authorized_keys' and obtain ssh access, allowing
the execution of arbitrary code with the privileges of the root user.

See also :

http://www.nessus.org/u?c5d7c6b5
http://www.nessus.org/u?7c390e25

Solution :

Disable the rsync daemon.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 78427 ()

Bugtraq ID: 69461

CVE ID: CVE-2014-2927

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now