IBM Storwize 1.3.x < 1.4.3.4 / 1.5.x < 1.5.0.2 Multiple Vulnerabilities

Critical Nessus Plugin ID 84401

Synopsis

The remote IBM Storwize device is affected by multiple vulnerabilities.

Description

The remote IBM Storwize device is running a version that is 1.3.x prior to 1.4.3.4 or 1.5.x prior to 1.5.0.2. It is, therefore, affected by multiple vulnerabilities:

- A denial of service vulnerability exists due to a flaw in the bundled version of Apache HTTP Server. A remote attacker can exploit this, via partial HTTP requests, to cause a daemon outage, resulting in a denial of service condition. (CVE-2007-6750)

- An HTTP request smuggling vulnerability exists due to a flaw in the bundled version of Apache Tomcat; when an HTTP connector or AJP connector is used, Tomcat fails to properly handle certain inconsistent HTTP request headers. A remote attacker can exploit this flaw, via multiple Content-Length headers or a Content-Length header and a 'Transfer-Encoding: chunked' header, to smuggle an HTTP request in one or more Content-Length headers. (CVE-2013-4286)

- A denial of service vulnerability exists in the bundled version of Apache Tomcat due to improper processing of chunked transfer coding with a large amount of chunked data or whitespace characters in an HTTP header value within a trailer field. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2013-4322)

- A denial of service vulnerability exists due to a flaw in the bundled version of Apache Tomcat; an integer overflow condition exists in the parseChunkHeader() function in ChunkedInputFilter.java. A remote attacker can exploit this, via a malformed chunk size that is part of a chunked request, to cause excessive consumption of resources, resulting in a denial of service condition. (CVE-2014-0075)

- A remote code execution vulnerability exists due to a flaw in the bundled version of Apache Struts. A remote attacker can manipulate the ClassLoader via the class parameter, resulting in the execution of arbitrary Java code. (CVE-2014-0094)

- An XML External Entity (XXE) injection vulnerability exists due to a flaw in the bundled version of Apache Tomcat; an incorrectly configured XML parser accepts XML external entities from an untrusted source via XSLT. A remote attacker can exploit this, by sending specially crafted XML data, to gain access to arbitrary files. (CVE-2014-0096)

- An integer overflow condition exists in the bundled version of Apache Tomcat. A remote attacker, via a crafted Content-Length HTTP header, can conduct HTTP request smuggling attacks. (CVE-2014-0099)

- An information disclosure vulnerability exists due to a flaw in the bundled version of Apache Tomcat. Tomcat fails to properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet. A remote attacker can exploit this, via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, to read arbitrary files. (CVE-2014-0119)

- An information disclosure vulnerability exists in the bundled version of Samba due to a flaw in the vfswrap_fsctl() function that is triggered when responding to FSCTL_GET_SHADOW_COPY_DATA or FSCTL_SRV_ENUMERATE_SNAPSHOTS client requests. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to disclose sensitive information from process memory. (CVE-2014-0178)

- Multiple flaws exist in the bundled version of Mozilla Firefox that allow a remote attacker to execute arbitrary code. (CVE-2014-1555, CVE-2014-1556, CVE-2014-1557)

- An information disclosure vulnerability exists due to the chkauth password being saved in plaintext in the audit log. A local attacker can exploit this to gain administrator access. (CVE-2014-3077)

- A denial of service vulnerability exists due to a flaw in the bundled version of Samba. An authenticated, remote attacker can exploit this, via an attempt to read a Unicode pathname without specifying the use of Unicode, to cause an application crash. (CVE-2014-3493)

- A security bypass vulnerability exists due to an unspecified flaw. A remote attacker can exploit this flaw to reset the administrator password to its default value via a direct request to the administrative IP address. Note that this vulnerability only affects the 1.4.x release levels. (CVE-2014-4811)
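Several of the Tomcat items above (CVE-2013-4286, CVE-2013-4322, CVE-2014-0075, CVE-2014-0099) are body-framing bugs: conflicting Content-Length and Transfer-Encoding headers, an unbounded chunk-size parse, and an unbounded trailer. The following is an added example, not code from the plugin, Tomcat or IBM, showing the checks a reverse proxy or WAF in front of an unpatched appliance can apply so that such requests are rejected before they reach the device. The size caps (MAX_CHUNK_LINE, MAX_TRAILER_BYTES) are assumed values chosen for illustration; the 32-bit bound mirrors the counter width the Tomcat overflow involved.

```python
"""Added example: reject ambiguous or overflowing HTTP body framing."""
import re

# Tomcat's chunk-size parser overflowed a 32-bit int; bound every declared
# length to what a signed 32-bit counter can hold.
MAX_LENGTH = 2**31 - 1
MAX_CHUNK_LINE = 256       # assumed cap on a chunk-size line incl. extensions
MAX_TRAILER_BYTES = 8192   # assumed cap on the total size of a trailer

_DECIMAL_RE = re.compile(r"^[0-9]+$")
# At most 8 hex digits: 0xFFFFFFFF still parses, a 9th digit can never overflow.
_CHUNK_SIZE_RE = re.compile(r"^([0-9A-Fa-f]{1,8})(?:;[^\r\n]*)?$")


def check_framing_headers(headers):
    """Decide how the body of a request is framed.

    headers: list of (name, value) pairs as parsed from the request head.
    Returns ("fixed", n) for a Content-Length body, ("chunked", None) for a
    chunked body, or ("reject", reason) for the ambiguous or malformed cases
    behind CVE-2013-4286 and CVE-2014-0099.
    """
    cl = [v.strip() for n, v in headers if n.lower() == "content-length"]
    te = [v.strip() for n, v in headers if n.lower() == "transfer-encoding"]

    if cl and te:
        return ("reject", "Content-Length and Transfer-Encoding both present")
    if len(cl) > 1:
        # RFC 7230 tolerates identical duplicates; differing copies are the
        # smuggling vector, so duplicates are refused outright.
        return ("reject", "multiple Content-Length headers")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            return ("reject", "Transfer-Encoding does not end with chunked")
        return ("chunked", None)
    if not cl:
        return ("fixed", 0)
    if not _DECIMAL_RE.match(cl[0]):  # rejects '', '+5', '-1', '0x10', '1 0'
        return ("reject", "non-numeric Content-Length %r" % cl[0])
    length = int(cl[0])
    if length > MAX_LENGTH:
        return ("reject", "Content-Length exceeds 32-bit limit")
    return ("fixed", length)


def parse_chunk_size(line):
    """Parse one chunk-size line ('<hex>[;ext]\\r\\n') without overflow.

    Returns (size, None) or (None, reason). Hardened counterpart of the
    parseChunkHeader() path in CVE-2014-0075: the digit count is capped by
    the regex and the value is bounded by MAX_LENGTH.
    """
    if len(line) > MAX_CHUNK_LINE:
        return (None, "chunk-size line too long")
    m = _CHUNK_SIZE_RE.match(line.rstrip("\r\n"))
    if not m:
        return (None, "malformed chunk-size line %r" % line)
    size = int(m.group(1), 16)
    if size > MAX_LENGTH:
        return (None, "chunk size exceeds limit")
    return (size, None)


def check_trailer(lines):
    """Bound the trailer section that CVE-2013-4322 let grow without limit.

    lines: trailer header lines (without the terminating empty line).
    Returns (ok, reason).
    """
    total = 0
    for raw in lines:
        total += len(raw)
        if total > MAX_TRAILER_BYTES:
            return (False, "trailer exceeds %d bytes" % MAX_TRAILER_BYTES)
        name, sep, _value = raw.partition(":")
        if not sep or not name or name != name.strip():
            return (False, "malformed trailer line %r" % raw)
    return (True, None)


if __name__ == "__main__":
    # Constructed sample request head: conflicting framing, as a WAF would see it.
    sample = [("Host", "storwize.example"),
              ("Content-Length", "5"),
              ("Transfer-Encoding", "chunked")]
    print(check_framing_headers(sample))
    print(parse_chunk_size("1a;ext=1\r\n"), parse_chunk_size("FFFFFFFFFF\r\n"))
```

Rejecting rather than "repairing" an inconsistent request is the point: a front end that silently picks one framing interpretation while the back end picks the other is exactly the desynchronisation the smuggling advisories describe.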

Solution

Upgrade to IBM Storwize version 1.4.3.4 / 1.5.0.2 or later.
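The plugin's verdict reduces to a branch-aware version comparison against the fixed releases named in the Solution. The block below is an added example, not the plugin's NASL code, that applies that comparison to an inventory export. It assumes that 1.4.x releases below 1.4.3.4 fall in the same branch as 1.3.x (the page states the 1.3.x range as "prior to 1.4.3.4"), that version strings have two to four numeric components, and that any other branch is simply out of scope for this check; the inventory records are constructed and use the plugin's own KB item name for the version field.

```python
"""Added example: flag Storwize versions in the range this plugin reports."""

# (major, minor) branch -> first fixed release, taken from the Solution above.
# Assumption: 1.4.x shares the 1.4.3.4 fix with 1.3.x.
FIXED_VERSIONS = {
    (1, 3): (1, 4, 3, 4),
    (1, 4): (1, 4, 3, 4),
    (1, 5): (1, 5, 0, 2),
}

# Constructed sample inventory; the version key mirrors the plugin's KB item.
SAMPLE_INVENTORY = [
    {"host": "storwize-a.example", "Host/IBM/Storwize/version": "1.4.3.2"},
    {"host": "storwize-b.example", "Host/IBM/Storwize/version": "1.5.0.2"},
    {"host": "storwize-c.example", "Host/IBM/Storwize/version": "1.3.0.7"},
    {"host": "storwize-d.example", "Host/IBM/Storwize/version": "1.6.1"},
    {"host": "storwize-e.example", "Host/IBM/Storwize/version": "unknown"},
]


def parse_version(s):
    """Turn '1.4.3.2' into (1, 4, 3, 2), padding short strings with zeros."""
    parts = s.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError("unrecognised version string %r" % s)
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(version):
    """Return (affected, fixed_version) for one version string.

    fixed_version is the dotted release to upgrade to, or None when the
    version is already fixed or belongs to a branch this check does not cover.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None or v >= fixed:
        return (False, None)
    return (True, ".".join(str(n) for n in fixed))


def scan_inventory(records):
    """Map host -> 'upgrade to X', 'ok', or 'unparsed' for an inventory list."""
    result = {}
    for rec in records:
        raw = rec.get("Host/IBM/Storwize/version", "")
        try:
            affected, fixed = is_affected(raw)
        except ValueError:
            result[rec["host"]] = "unparsed"
            continue
        result[rec["host"]] = "upgrade to %s" % fixed if affected else "ok"
    return result


if __name__ == "__main__":
    for host, verdict in scan_inventory(SAMPLE_INVENTORY).items():
        print(host, verdict)
```

Tuple comparison does the work: (1, 4, 3, 2) < (1, 4, 3, 4) holds component by component, which is why the version must be split into integers rather than compared as a string ("1.4.10.0" sorts before "1.4.3.4" lexically but not numerically).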

See Also

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004834

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004836

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004837

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004854

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004860

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004861

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004867

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004869

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004835

Plugin Details

Severity: Critical

ID: 84401

File Name: ibm_storwize_1_5_0_2.nasl

Version: 1.9

Type: remote

Family: Misc.

Published: 2015/06/26

Updated: 2018/07/12

Dependencies: 80963

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/h:ibm:storwize_unified_v7000, cpe:/h:ibm:storwize_v7000, cpe:/h:ibm:storwize_v5000, cpe:/h:ibm:storwize_v3700, cpe:/h:ibm:storwize_v3500, cpe:/h:ibm:san_volume_controller, cpe:/a:ibm:storwize_v7000_unified_software, cpe:/a:ibm:storwize_v7000_software, cpe:/a:ibm:storwize_v5000_software, cpe:/a:ibm:storwize_v3700_software, cpe:/a:ibm:storwize_v3500_software, cpe:/a:ibm:san_volume_controller_software

Required KB Items: Host/IBM/Storwize/version, Host/IBM/Storwize/machine_major, Host/IBM/Storwize/display_name

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2015/07/15

Vulnerability Publication Date: 2007/01/03

Exploitable With

Core Impact

Metasploit (Apache Struts ClassLoader Manipulation Remote Code Execution)

Reference Information

CVE: CVE-2007-6750, CVE-2013-4286, CVE-2013-4322, CVE-2014-0075, CVE-2014-0094, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2014-0178, CVE-2014-1555, CVE-2014-1556, CVE-2014-1557, CVE-2014-3077, CVE-2014-3493, CVE-2014-4811

BID: 21865, 65767, 65773, 65999, 67667, 67668, 67669, 67671, 67686, 68150, 68814, 68822, 68824, 69771, 69773

CERT: 719225