Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS.
Summary
Title: Up.time agent for Windows contains multiple vulnerabilities
Information
Name: VU#377260 | First vendor publication: 2015-12-08
Vendor: VU-CERT | Last vendor modification: 2015-12-08
Severity (Vendor): N/A | Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA | Environmental score: NA
Impact subscore: NA | Temporal score: NA
Exploitability subscore: NA
 

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS base score: 7.5 | Attack range: Network
CVSS impact score: 6.4 | Attack complexity: Low
CVSS exploit score: 10 | Authentication: None Required

Detail

Vulnerability Note VU#377260

Up.time agent for Windows contains multiple vulnerabilities

Original Release date: 08 Dec 2015 | Last revised: 08 Dec 2015

Overview

The Up.time client for Windows is vulnerable to a format string attack as well as a buffer overflow, and may allow unauthenticated users to perform certain commands.

Description

CWE-134: Uncontrolled Format String - CVE-2015-2894

For versions 6.0 and 7.2, an unauthenticated attacker on the network may send either the "%n" or "%s" format parameters, which will cause the application to crash.

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2015-2895

For version 7.4, an unauthenticated attacker on the network sending commands with an input that is larger than 1024 bytes will crash the application. Remote code execution is likely but currently unproven.
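
Both memory-safety weaknesses above (CWE-134 and CWE-120) come down to how bytes received from the network are copied and formatted. The following C code is an added example, not Up.time source code and not part of the advisory; `handle_command`, `CMD_MAX` and the reply text are hypothetical names, and the 1024-byte buffer size is assumed from the threshold in the description above.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX 1024   /* assumed buffer size, from the advisory's 1024-byte threshold */

enum cmd_status { CMD_OK = 0, CMD_TOO_LONG = -1, CMD_BAD_ARG = -2 };

/*
 * Hypothetical command handler (not Up.time source). The unsafe patterns it avoids:
 *     strcpy(buf, input);        CWE-120: copy with no check against sizeof(buf)
 *     snprintf(out, n, buf);     CWE-134: peer-controlled data used as the format
 */
enum cmd_status handle_command(const char *input, size_t input_len,
                               char *reply, size_t reply_len)
{
    char buf[CMD_MAX];

    if (input == NULL || reply == NULL || reply_len == 0)
        return CMD_BAD_ARG;

    /* Reject oversized input outright; leave room for the terminator. */
    if (input_len >= sizeof(buf))
        return CMD_TOO_LONG;

    memcpy(buf, input, input_len);
    buf[input_len] = '\0';

    /* Peer data is only ever an argument to a constant format string,
     * so "%n" or "%s" inside it is echoed back as literal text. */
    int n = snprintf(reply, reply_len, "unknown command: %s", buf);
    if (n < 0 || (size_t)n >= reply_len)
        return CMD_TOO_LONG;   /* reply buffer too small for the full message */
    return CMD_OK;
}

int main(void)
{
    char reply[CMD_MAX + 32];
    const char *probe = "%n%s%n%s";   /* constructed sample input */

    if (handle_command(probe, strlen(probe), reply, sizeof(reply)) == CMD_OK)
        puts(reply);
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` (GCC/Clang) flags calls where a non-literal string is passed as the format argument, which is how the CWE-134 pattern is usually caught in review.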

CWE-200: Information Exposure - CVE-2015-2896

For versions 7.6 and prior, an unauthenticated attacker on the network may send built-in commands to the port that the Up.time agent is using. These commands are not authenticated, and therefore the attacker can learn information such as the version of Up.time running, details about the underlying operating system running Up.time, details about other running processes on the system, and Windows operating system event log information.

Impact

A remote unauthenticated user may be able to perform a denial of service on Up.time, or obtain system information for future use. It may also be possible to execute code.

Solution

Apply an update

Idera has released Up.time version 7.6 which addresses CVE-2015-2894 and CVE-2015-2895. Affected users are encouraged to update as soon as possible.

The remaining issue, CVE-2015-2896, will be fully addressed in a future release but may be mitigated with the following actions:

Check configuration

According to Idera, affected users may also use the following configuration settings to mitigate these issues:

1. All agents run in a read only mode by default, where they can only poll metrics.
2. In order to use custom scripts or trigger recovery actions, you need to set a password on the agent, or add commands to the .uptmpasswd file for the Linux agent.
3. Agent communication can be encrypted with SSL by using various SSL Tunneling/Proxy Utilities (OpenSSL, etc). KB articles cover the specifics for implementing with Stunnel on various platforms.
4. Agents running under xinet.d can also be secured at the service level by restricting incoming connections to only accept connections from the Monitoring Station, or limit the total number of connections, etc.
5. Disable Agent Commands you don't use, either via the Agent Console or by editing conf/agent_commands.txt.

Vendor Information

Vendor | Status | Date Notified | Date Updated
Idera | Affected | 29 May 2015 | 15 Sep 2015

CVSS Metrics

Group | Score | Vector
Base | 6.4 | AV:N/AC:L/Au:N/C:N/I:P/A:P
Temporal | 5.5 | E:POC/RL:U/RC:UR
Environmental | 4.1 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://docs.uptimesoftware.com/pages/viewpage.action?pageId=4555083

Credit

Thanks to Matthew Benton and Richard Kelley for reporting this issue to us.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2015-2894, CVE-2015-2895, CVE-2015-2896
  • Date Public: 08 Dec 2015
  • Date First Published: 08 Dec 2015
  • Date Last Updated: 08 Dec 2015
  • Document Revision: 66


Original Source

Url : http://www.kb.cert.org/vuls/id/377260

CWE : Common Weakness Enumeration

% Id Name
33 % CWE-200 Information Exposure
33 % CWE-134 Uncontrolled Format String (CWE/SANS Top 25)
33 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

CPE : Common Platform Enumeration

Type | Description | Count
Application | | 7

Alert History

Date | Information
2016-06-29 01:31:21
  • Multiple Updates
2016-01-01 00:28:01
  • Multiple Updates
2015-12-31 09:27:32
  • Multiple Updates
2015-12-08 17:23:28
  • First insertion