Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS.
Summary
Title: Zenoss Core contains multiple vulnerabilities
Information
Name: VU#449452
First vendor publication: 2014-12-05
Vendor: VU-CERT
Last vendor modification: 2014-12-08
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Environmental score: N/A
Impact subscore: N/A
Temporal score: N/A
Exploitability subscore: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS base score: 9.3
CVSS impact score: 10
CVSS exploit score: 8.6
Attack range: Network
Attack complexity: Medium
Authentication: None required

Detail

Vulnerability Note VU#449452

Zenoss Core contains multiple vulnerabilities

Original Release date: 05 Dec 2014 | Last revised: 08 Dec 2014

Overview

The Zenoss Core application, server, and network management platform software contains multiple vulnerabilities, the most severe of which could allow a remote attacker to execute arbitrary code.

Description

The Zenoss Core application, server, and network management platform software version 4.2.4 contains a collection of vulnerabilities that impact several aspects of the software. A brief summary of the types of vulnerabilities present is provided below.

    CVE-2014-6253: Systemic Cross Site Request Forgery
    CVE-2014-6254: Systemic Stored Cross-Site Scripting in Zenoss Attributes
    CVE-2014-6254: Cross Site Scripting from Exposed Helper Methods
    CVE-2014-6255: Open Redirect in Login Form
    CVE-2014-6256: Authorization Bypass Allows Moving Arbitrary Files
    CVE-2014-6257: Systemic Authorization Bypasses
    CVE-2014-6258: Denial of Service from User-Supplied Regular Expression
    CVE-2014-6259: Denial of Service via XML Recursive Entity Expansion ("Billion Laughs")
    CVE-2014-6260: Page Command can be Edited Without Password Re-Entry
    CVE-2014-6261: Remote Code Execution via Version Check
    CVE-2014-6262: Denial of Service via RRDtool Format String Vulnerability (this vulnerability is due to RRDtool)
    CVE-2014-9245: Stack Trace Contains Internal URLs and Other Sensitive Information
    CVE-2014-9246: Cross-Site Request Forgery Leads to ZenPack Installation
    CVE-2014-9246: Sessions Do Not Expire
    CVE-2014-9247: User Enumeration via User Manager
    CVE-2014-9248: No Password Complexity Requirements
    CVE-2014-9249: Exposed Services in Default Configuration
    CVE-2014-9250: Cookie Authentication is Insecure
    CVE-2014-9251: Weak Password Hashing Algorithm
    CVE-2014-9252: Plaintext Password Stored in Session on Server


For more details, please see this spreadsheet, specifically the "Impact Description" column. Included in the linked spreadsheet are Zenoss tracking numbers for each issue.

The CVSS score below is based on CVE-2014-9246.

Impact

The most severe issues (CVE-2014-6261 and CVE-2014-9246) allow remote code execution and installation of arbitrary packages, allowing full compromise of the system running Zenoss. For more details, please see this spreadsheet, specifically the "Impact Description" column.

Solution

Apply an update manually

CVE-2014-6255 and CVE-2014-9246 (Sessions Do Not Expire) are resolved in the latest Zenoss Core 4.2.5 SP. Manually download the update as described below ("Disable automatic update check"), and apply the update as soon as possible.

Zenoss plans for most of the rest of the issues to be addressed in a future maintenance release of Zenoss Core 5.

For more information, please see this spreadsheet; specifically the "Vendor Status" column which provides the vendor's response for the issue, and the "Zenoss Bug ID" column which provides Zenoss's internal tracking number for the issue.

Use SSL/HTTPS

CVE-2014-9250 can be mitigated by enabling SSL/HTTPS to better protect cookie-based authentication data. Please see Zenoss's recommendation in this spreadsheet.

Disable automatic update check

CVE-2014-6261 can be mitigated by unchecking "Check For Updates" on the Zenoss Versions page in the web interface. Note that manually checking for updates in the web interface triggers the same actions and is therefore also vulnerable; users should instead check the Zenoss website for new versions rather than using the in-app check. To avoid CSRF exploitation, users should also use a separate browser (or profile) for Zenoss that is not shared with any other browsing.

Vendor Information

Vendor: Zenoss
Status: Affected
Date notified: 12 Nov 2014
Date updated: 03 Dec 2014

CVSS Metrics

Group          Score  Vector
Base           8.5    AV:N/AC:M/Au:S/C:C/I:C/A:C
Temporal       7.7    E:POC/RL:U/RC:C
Environmental  7.7    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND
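The two CVSS v2 vectors on this page (Security-Database's Au:N vector scored 9.3 base, 10 impact and 8.6 exploitability above, and CERT/CC's Au:S vector scored 8.5 base and 7.7 temporal in the table just above) can both be reproduced from the v2 formulas; the only difference between them is the Authentication metric. The calculator below is an added example, not part of the advisory or of Zenoss; the metric weights are the ones in the CVSS v2 specification, and the function names are my own.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights (from the CVSS v2 specification); ND = not defined.
WEIGHTS = {
    "AV": {"L": "0.395", "A": "0.646", "N": "1.0"},
    "AC": {"H": "0.35", "M": "0.61", "L": "0.71"},
    "Au": {"M": "0.45", "S": "0.56", "N": "0.704"},
    "C": {"N": "0", "P": "0.275", "C": "0.660"},
    "I": {"N": "0", "P": "0.275", "C": "0.660"},
    "A": {"N": "0", "P": "0.275", "C": "0.660"},
    "E": {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"},
    "RL": {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.0", "ND": "1.0"},
    "RC": {"UC": "0.90", "UR": "0.95", "C": "1.0", "ND": "1.0"},
}


def round1(x):
    """CVSS v2 rounds to one decimal, half up (7.65 -> 7.7), so avoid floats."""
    return float(Decimal(x).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """'(AV:N/AC:M/Au:N/C:C/I:C/A:C)' -> {'AV': 'N', 'AC': 'M', ...}."""
    return dict(part.split(":") for part in vector.strip("()").split("/"))


def base_scores(vector):
    """Return (base, impact, exploitability) for a v2 base vector."""
    m = parse_vector(vector)
    w = lambda k: Decimal(WEIGHTS[k][m[k]])
    impact = Decimal("10.41") * (1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A")))
    exploit = Decimal("20") * w("AV") * w("AC") * w("Au")
    f = Decimal("1.176") if impact else Decimal("0")  # f(Impact) = 0 when Impact = 0
    base = (Decimal("0.6") * impact + Decimal("0.4") * exploit - Decimal("1.5")) * f
    return round1(base), round1(impact), round1(exploit)


def temporal_score(base, vector):
    """Temporal score from the already-rounded base score and an E/RL/RC vector."""
    m = parse_vector(vector)
    t = Decimal(str(base))
    for k in ("E", "RL", "RC"):
        t *= Decimal(WEIGHTS[k][m[k]])
    return round1(t)


if __name__ == "__main__":
    # Security-Database's vector (Au:N) versus CERT/CC's (Au:S): only the
    # Authentication weight differs (0.704 vs 0.56), moving the base 9.3 -> 8.5.
    print(base_scores("(AV:N/AC:M/Au:N/C:C/I:C/A:C)"))  # (9.3, 10.0, 8.6)
    cert_base = base_scores("AV:N/AC:M/Au:S/C:C/I:C/A:C")[0]
    print(cert_base, temporal_score(cert_base, "E:POC/RL:U/RC:C"))  # 8.5 7.7
```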

References

  • https://docs.google.com/spreadsheets/d/1dHAc4PxUbs-4Dxzm1wSCE0sMz5UCMY6SW3PlMHSyuuQ/edit?usp=sharing

Credit

Thanks to Ryan Koppenhaver and Andy Schmitz of Matasano Security for reporting these vulnerabilities.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2014-6253, CVE-2014-6254, CVE-2014-9245, CVE-2014-6255, CVE-2014-6261, CVE-2014-6256, CVE-2014-9246, CVE-2014-9247, CVE-2014-9248, CVE-2014-6257, CVE-2014-9249, CVE-2014-9250, CVE-2014-6258, CVE-2014-6260, CVE-2014-9251, CVE-2014-6259, CVE-2014-6262, CVE-2014-9252
  • Date Public: 05 Dec 2014
  • Date First Published: 05 Dec 2014
  • Date Last Updated: 08 Dec 2014
  • Document Revision: 43


Original Source

Url : http://www.kb.cert.org/vuls/id/449452

CWE : Common Weakness Enumeration

% Id Name
24 % CWE-200 Information Exposure
18 % CWE-264 Permissions, Privileges, and Access Controls
12 % CWE-399 Resource Management Errors
12 % CWE-352 Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)
12 % CWE-255 Credentials Management
6 % CWE-134 Uncontrolled Format String (CWE/SANS Top 25)
6 % CWE-94 Failure to Control Generation of Code ('Code Injection')
6 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)
6 % CWE-77 Improper Sanitization of Special Elements used in a Command ('Command Injection')

CPE : Common Platform Enumeration

Type         Count
Application  21
OS           1

Snort® IPS/IDS

Date Description
2017-08-23 Zenoss call home remote code execution attempt
RuleID : 43634 - Revision : 2 - Type : SERVER-WEBAPP

Alert History

Date                 Information
2014-12-16 17:32:14
  • Multiple Updates
2014-12-15 21:28:29
  • Multiple Updates
2014-12-08 17:23:11
  • Multiple Updates
2014-12-05 21:25:28
  • First insertion