Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS.
Summary

Title: Aternity version 9 vulnerable to cross-site scripting and remote code execution

Information
Name: VU#706359
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor Publication: 2016-09-28
Last vendor Modification: 2016-09-28
Revision: M

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Base Score: 9.3
CVSS Impact Score: 10
CVSS Exploit Score: 8.6
Attack Range: Network
Attack Complexity: Medium
Authentication: None Required

Detail

Vulnerability Note VU#706359

Aternity version 9 vulnerable to cross-site scripting and remote code execution

Original Release date: 28 Sep 2016 | Last revised: 28 Sep 2016

Overview

The Aternity web server, version 9 and prior, is reportedly vulnerable to cross-site scripting (XSS) on several web pages, and to remote code execution because, in its default configuration, it lets a remote caller load functionality from an untrusted source without authenticating that caller first.

Description

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2016-5061

Reportedly, the Aternity HTTPAgent, MacAgent, getExternalURL and retrieveTrustedUrl pages are susceptible to cross-site scripting (XSS). An attacker may be able to craft a malicious script that, when run in a victim's browser, can access any cookies, session tokens, or other sensitive information retained by the browser and used with the Aternity server.

CWE-829: Inclusion of Functionality from Untrusted Control Sphere - CVE-2016-5062

Reportedly, the Aternity server by default allows remote loading of Java MBeans through the getMBeansFromURL method of an MLet MBean without proper authentication, because its JMX RMI service is misconfigured. A remote attacker can use this misconfiguration to register attacker-controlled MBeans (Java classes that can invoke any Java functionality, including running system commands), resulting in remote code execution with SYSTEM privileges.

Note that Aternity provides recommended firewall settings that would block exploitation of this vulnerability; only servers whose firewall does not follow those recommendations are directly exposed.
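The following is an added example and is not code from Aternity, CERT/CC or the reporters. It probes a JMX RMI endpoint for the two preconditions of the MLet code-loading path described above: a connection with no credentials is accepted, and an MLet MBean can be registered. It deliberately never calls getMBeansFromURL, so nothing is loaded or executed on the target. Assumptions: the service is registered under the JDK's default JNDI name "jmxrmi", and the default port is 14777 (the port named in this note's workaround); both may differ on a real Aternity installation.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import javax.management.MBeanServerConnection;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Added example, not Aternity or CERT/CC code: checks whether a JMX RMI endpoint
 * (1) accepts a credential-less connection and (2) lets that connection register an
 * MLet MBean. It never invokes getMBeansFromURL, so no remote code is loaded.
 */
public class JmxAuthProbe {

    public enum Result {
        CONNECTION_FAILED,            // nothing listening, firewalled, or SSL required (see note)
        AUTH_REQUIRED,                // server rejected the credential-less connection
        UNAUTHENTICATED_NO_MLET,      // readable without credentials, but MLet registration refused
        UNAUTHENTICATED_MLET_ALLOWED  // the misconfiguration CVE-2016-5062 describes
    }

    public static Result probe(String host, int port) {
        final JMXServiceURL url;
        final ObjectName probeName;
        try {
            // "jmxrmi" is the JNDI name the JDK's built-in remote agent registers by default;
            // that Aternity uses this default name is an assumption of this example.
            url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi");
            probeName = new ObjectName("probe:type=MLetCheck,id=" + System.nanoTime());
        } catch (MalformedURLException | MalformedObjectNameException e) {
            throw new IllegalArgumentException(e);
        }
        // A null environment sends no jmx.remote.credentials. With
        // com.sun.management.jmxremote.authenticate=true the server answers with a
        // SecurityException; with authenticate=false the connection simply succeeds.
        try (JMXConnector connector = JMXConnectorFactory.connect(url, null)) {
            MBeanServerConnection mbs = connector.getMBeanServerConnection();
            mbs.getMBeanCount(); // confirms unauthenticated read access to the MBean server
            try {
                // An empty MLet does nothing until getMBeansFromURL(url) is invoked on it,
                // which this probe deliberately never does; it is unregistered immediately.
                mbs.createMBean("javax.management.loading.MLet", probeName);
                mbs.unregisterMBean(probeName);
                return Result.UNAUTHENTICATED_MLET_ALLOWED;
            } catch (Exception e) {
                // e.g. a read-only jmxremote.access entry or a SecurityManager policy
                return Result.UNAUTHENTICATED_NO_MLET;
            }
        } catch (SecurityException e) {
            return Result.AUTH_REQUIRED;
        } catch (IOException e) {
            return Result.CONNECTION_FAILED;
        }
    }

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "127.0.0.1";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 14777; // port named in this note
        System.out.println(host + ":" + port + " -> " + probe(host, port));
    }
}
```

Compile with `javac JmxAuthProbe.java` and run `java JmxAuthProbe <host> 14777`. Two caveats: a server started with `com.sun.management.jmxremote.ssl=true` hands back an RMI stub that insists on TLS, so without a configured trust store the probe reports CONNECTION_FAILED rather than AUTH_REQUIRED; and the stub carries the hostname the server was started with (`java.rmi.server.hostname`), so an unreachable advertised hostname also shows up as CONNECTION_FAILED. Run from a host outside the permitted management range after applying the port-14777 restriction from the Solution section, CONNECTION_FAILED is the expected result.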

Oracle has documented the risk of this configuration for some time. From the official documentation:

    To disable both password authentication and SSL (namely to disable all security), you should set the following system properties when you start the Java VM.
    com.sun.management.jmxremote.authenticate=false
    com.sun.management.jmxremote.ssl=false
    Caution - This configuration is insecure: any remote user who knows (or guesses) your port number and host name will be able to monitor and control your Java applications and platform. Furthermore, possible harm is not limited to the operations you define in your MBeans. A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code.
    Consequently, while disabling security might be acceptable for development, it is strongly recommended that you do not disable security for production systems.
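The Oracle excerpt names the two system properties that disable security. The following added example (not Oracle, Aternity or CERT/CC code) audits a JVM's launch arguments, as listed by `jps -v` or the process list, for that insecure state and shows the secured flag set Oracle documents beside it. The port number 14777 and the password/access file paths in the hardened set are assumptions for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example, not Oracle, Aternity or CERT/CC code: flags the insecure remote-JMX
 * configuration the Oracle excerpt warns about, given a JVM's launch arguments.
 */
public class JmxArgsAudit {

    private static final String P = "com.sun.management.jmxremote.";

    /** Secured flag set per Oracle's JMX documentation. Port and file paths are assumptions. */
    public static final List<String> HARDENED_FLAGS = Arrays.asList(
            "-D" + P + "port=14777",
            "-D" + P + "authenticate=true",
            "-D" + P + "password.file=/etc/aternity/jmxremote.password", // hypothetical path
            "-D" + P + "access.file=/etc/aternity/jmxremote.access",     // hypothetical path
            "-D" + P + "ssl=true",
            "-D" + P + "registry.ssl=true",
            "-D" + P + "ssl.need.client.auth=true");

    /** Collect -Dkey=value arguments (a bare -Dkey sets key to "") into a map. */
    static Map<String, String> systemProps(List<String> jvmArgs) {
        Map<String, String> props = new HashMap<>();
        for (String a : jvmArgs) {
            if (!a.startsWith("-D")) continue;
            int eq = a.indexOf('=');
            if (eq < 0) props.put(a.substring(2), "");
            else props.put(a.substring(2, eq), a.substring(eq + 1));
        }
        return props;
    }

    /** Returns findings; an empty list means no insecure remote JMX exposure was detected. */
    public static List<String> audit(List<String> jvmArgs) {
        Map<String, String> props = systemProps(jvmArgs);
        List<String> findings = new ArrayList<>();
        String port = props.get(P + "port");
        if (port == null) {
            return findings; // no remote listener: the agent is local-only or not started
        }
        // The JDK agent reads both properties with Boolean.valueOf(String), which is true
        // only for "true" (case-insensitive). So "false", "no", "0" or "" all disable the
        // control; only the absence of the property keeps the secure default of true.
        boolean auth = Boolean.parseBoolean(props.getOrDefault(P + "authenticate", "true"));
        boolean ssl = Boolean.parseBoolean(props.getOrDefault(P + "ssl", "true"));
        if (!auth) {
            findings.add("port " + port + ": authentication disabled; any client can register an "
                    + "MLet and call getMBeansFromURL (the CVE-2016-5062 condition)");
        }
        if (!ssl) {
            findings.add("port " + port + ": SSL disabled; JMX traffic and any credentials are in clear text");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample argument lists; not taken from a real Aternity installation.
        List<String> insecure = Arrays.asList("-Xmx2g",
                "-D" + P + "port=14777",
                "-D" + P + "authenticate=false",
                "-D" + P + "ssl=false");
        List<String> sneaky = Arrays.asList("-D" + P + "port=14777", "-D" + P + "authenticate=no");
        List<String> hardened = new ArrayList<>(Arrays.asList("-Xmx2g"));
        hardened.addAll(HARDENED_FLAGS);
        for (List<String> argv : Arrays.asList(insecure, sneaky, hardened)) {
            List<String> f = audit(argv);
            System.out.println((f.isEmpty() ? "OK       " : "INSECURE ") + argv);
            for (String s : f) System.out.println("    " + s);
        }
    }
}
```

The `sneaky` case is the edge worth remembering: `authenticate=no` is not a typo that fails safe, the JDK agent parses it as false and starts an unauthenticated listener, so an audit must treat anything other than a literal `true` as disabled.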

It is believed that Aternity version 9 and prior are affected by this vulnerability, but the CERT/CC has not received confirmation from the vendor.

Impact

A remote unauthenticated attacker may be able to craft a malicious script that can access any cookies, session tokens, or other sensitive information retained by the browser and used with the Aternity server, or execute code on the server with SYSTEM privileges.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. However, the following workaround is recommended:

Restrict port 14777

Restricting inbound remote access to Aternity on port 14777 to trusted management hosts mitigates this issue.

Vendor Information

Vendor: Aternity
Status: Unknown
Date Notified: 09 Aug 2016
Date Updated: 13 Sep 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group / Score / Vector
Base: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Temporal: 7.6 (E:POC/RL:W/RC:UR)
Environmental: 5.7 (CDP:ND/TD:M/CR:ND/IR:ND/AR:ND)

References

  • http://cwe.mitre.org/data/definitions/80.html
  • http://cwe.mitre.org/data/definitions/829.html

Credit

Thanks to Matthew Benton and Richard Kelley for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2016-5061, CVE-2016-5062
  • Date Public: 28 Sep 2016
  • Date First Published: 28 Sep 2016
  • Date Last Updated: 28 Sep 2016
  • Document Revision: 22

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/706359

CWE : Common Weakness Enumeration

% / ID / Name
50% CWE-669 Incorrect Resource Transfer Between Spheres
50% CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type / Description / Count
Application: 1

Alert History

Date / Information
2016-09-29 21:26:11: Multiple Updates
2016-09-29 17:25:41: Multiple Updates
2016-09-28 21:23:24: First insertion