lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAAyEnSNtTZNXHsr5Ltb1Zx8WTmTE_tm4a2XH+eahYiPxAzqQ0A@mail.gmail.com>
Date: Sun, 10 May 2020 14:29:36 -0400
From: Nightwatch Cybersecurity Research <research@...htwatchcybersecurity.com>
To: fulldisclosure@...lists.org
Subject: [FD] Two vulnerabilities in Oracle’s iPlanet Web Server (CVE-2020-9315 and CVE-2020-9314)

(Original blog post here:
https://wwws.nightwatchcybersecurity.com/2020/05/10/two-vulnerabilities-in-oracles-iplanet-web-server-cve-2020-9315-and-cve-2020-9314/)

SUMMARY

Two vulnerabilities were discovered in the web administration console
of Oracle’s iPlanet Web Server which allow for sensitive data exposure
and limited injection. The first issue allows read-only access to any
page within the administration console without authentication,
resulting in sensitive data exposure. The second issue allows for
injection of external images which can be used for phishing and social
engineering.

These vulnerabilities have been reported to the vendor (Oracle) but
the vendor will not be issuing security patches because the affected
product is no longer supported. Users are encouraged to implement
other controls to mitigate these vulnerabilities such as restricting
network access to the administration console from the Internet or
switching to a supported platform.

Version 7 has been tested and found to be vulnerable, however, it is
unknown whether earlier versions are affected. Latest versions of
Oracle Glassfish and Eclipse Glassfish application server (v5) share
common code with the affected product, have been tested and do not
seem to be vulnerable. MITRE has assigned CVE-2020-9315 to track the
sensitive data exposure issue and CVE-2020-9314 to track the injection
issue.

ISSUE #1 – SENSITIVE DATA EXPOSURE / ADMIN GUI BYPASS (CVE-2020-9315)

A vulnerability exists in the web administration console of Oracle’s
iPlanet Web Server which makes it possible to read information from
any page within the console without authentication. This can result in
sensitive data exposure of configuration information about the server
including encryption keys, JVM configuration and other data. We did
not perform testing to see whether this vulnerability allows for
changes to be made within the console.

This is accomplished by replacing any URL for any page within the
administration console as follows:
- http://%5Btarget%5D/admingui/admingui/*
with:
- http://%5Btarget%5D/admingui/version/*

To replicate, try the following URLs:
- http://%5Btarget%5D/admingui/version/
- http://%5Btarget%5D/admingui/version/serverTasksGeneral?serverTasksGeneral.GeneralWebserverTabs.TabHref=2

ISSUE #2 – IMAGE INJECTION IN THE ADMIN GUI (CVE-2020-9314)

The “productNameSrc” parameter in the administration console allows
for injection of external images. When used in combination with the
“productNameHeight” and “productNameWidth” parameters, this can be
used to inject an external image into a site to facilitate phishing.
This is due to an incomplete fix for CVE-2012-0516. The earlier fix
added validation against XSS issues but didn’t add validation to make
sure an external image is not loaded.

To replicate, try the following URLs:
- http://%5Btarget%5D/admingui/version/Version?&productNameSrc=http://www.example.com/test.jpg&productNameHeight=500&productNameWidth=500
- http://%5Btarget%5D/admingui/version/Masthead.jsp?productNameSrc=http://www.example.com/test.jpg&productNameHeight=500&productNameWidth=500

VENDOR RESPONSE

Both vulnerabilities have been reported to the vendor (Oracle),
however the vendor doesn’t plan to issue security patches since the
product is no longer supported, as per the following responses:

"Oracle iPlanet Web Server 7.0.x is no longer supported. Please see
the life time support document."

And:

"Thank you for your report regarding Oracle iPlanet Web Server 7.0.x,
which is no longer supported by Oracle. Since Oracle no longer
supports Oracle iPlanet Web Server 7.0.x, the policy is that there is
no coordinated disclosure involving Oracle. Reporters who discover
security vulnerabilities in products that Oracle no longer supports
are free to disclose vulnerability details without Oracle
participation. Oracle does not assign CVEs for products that are no
longer supported. That means, if you want a CVE assigned you will need
to contact Mitre."

CERT/CC concurred with the vendor’s assessment.

MITRE has assigned CVE-2020-9315 to track the sensitivity data
exposure issue, and CVE-2020-9314 to track the injection issue.

AFFECTED VERSIONS AND MITIGATIONS

Version 7 has been tested and found to be vulnerable, however, it is
unknown whether earlier versions are affected. Latest versions of
Oracle Glassfish and Eclipse Glassfish application server (v5) share
common code with the affected product but have been tested and do not
seem to be vulnerable.

Users are encouraged to implement other controls to mitigate these
vulnerabilities such as restricting network access to the
administration console from the Internet or switching to a supported
platform.

REFERENCES

CERT/CC ID: VU#343851
CVEs: CVE-2020-9315 and CVE-2020-9314
Oracle lifetime support documentation: see
[https://www.oracle.com/us/assets/lifetime-support-middleware-069163.pdf]
Related vulnerability regarding XSS: CVE-2012-0516 and advisory
[http://www.pwn2hack.com/2012/04/oracle-iplanet-web-server-709-multiple.html]

CREDITS

We would like to thank Synack for assistance with the disclosure
process. Text of the advisory was written by Y. Shafranovich.

TIMELINE

2020-01-19: Initial discovery
2020-01-24: Initial disclosure sent to vendor; rejected since product
is not supported
2020-01-24: Clarification questions sent to the vendor
2020-01-27: Report again rejected by vendor; referred to MITRE for CVE
assignment
2020-01-29: CVEs requested from MITRE
2020-02-07: Initial report sent to CERT/CC
2020-02-17: CVE request rejected by MITRE, resubmitted with more data
2020-02-18: Response received from CERT/CC
2020-02-20: CVE assignments received from MITRE
2020-02-20: CVEs and disclosure plans communicated to the vendor
2020-05-10: Public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ