PowerFolder Java Object Deserialization RCE

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote PowerFolder server is affected by a remote code execution
vulnerability.

Description :

The remote PowerFolder server is affected by a remote code execution
vulnerability due to unsafe deserialize calls of unauthenticated Java
objects to the Apache Commons Collections (ACC) library. An
unauthenticated, remote attacker can exploit this, by sending
specially crafted Java objects to the HTTP interface, to execute
arbitrary code on the target host.

See also :

http://www.nessus.org/u?e0204f30
https://wiki.powerfolder.com/display/PFC/PowerFolder+Client+10+SP5
http://lab.mogwaisecurity.de/advisories/MSA-2016-01/

Solution :

Upgrade to PowerFolder version 10.5.394 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 91816 ()

Bugtraq ID:

CVE ID:

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now