lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 20 Oct 2020 07:36:26 -0400
From: "Ryan Wincey" <contact@...urifera.com>
To: <fulldisclosure@...lists.org>
Subject: [FD] LISTSERV Maestro Remote Code Execution Vulnerability

Document Title:

===============

LISTSERV Maestro Remote Code Execution Vulnerability

 

References (Source):

====================

https://www.securifera.com/advisories/sec-2020-0001/

https://www.lsoft.com/products/maestro.asp

 

Release Date:

=============

2020-10-20

 

Product & Service Introduction:

===============================

LISTSERV Maestro is an enterprise email marketing solution and allows you to
easily engage your subscribers with targeted, intelligence-based opt-in
campaigns. It offers easy tracking, reporting and list segmentation in a
complete email marketing and analytics package.

 

 

Vulnerability Information:

==============================

Class: CWE-917 : Expression Language (EL) Injection

Impact: Remote Code Execution

Remotely Exploitable: Yes

Locally Exploitable: Yes

CVE Name: CVE-2010-1870

 

Vulnerability Description:

==============================

A unauthenticated remote code execution vulnerability was found in the
LISTSERV Maestro software, version 9.0-8 and prior. This vulnerability stems
from a known issue in struts, CVE-2010-1870, that allows for code execution
via OGNL Injection. This vulnerability has been confirmed to be exploitable
in both the Windows and Linux version of the software and has existed in the
LISTSERV Maestro software since at least version 8.1-5.  As a result, a
specially crafted HTTP request can be constructed that executes code in the
context of the web application. Exploitation of this vulnerability does not
require authentication and can lead to root level privilege on any system
running the LISTServ Maestro services.

 

Vulnerability Disclosure Timeline:

==================================

2020-10-12: Contact Vendor and Request Security Contact Info From Support
Team

2020-10-12: Report Vulnerability Information to Vendor

2020-10-12: Vendor Confirms Submission

2020-10-13: Vendor Releases Patch

2020-10-13: Securifera Confirms With Vendor that the Patch Mitigates
CVE-2010-1870 but suggest upgrading vulnerable struts library

2020-10-15: Vendor Approves Public Disclosure

 

 

Affected Product(s):

====================

LISTSERV Maestro 9.0-8 and prior

 

Severity Level:

===============

High

 

Proof of Concept (PoC):

=======================

A proof of concept will not be provided at this time.

 

Solution - Fix & Patch:

=======================

Temporary patch:
https://dropbox.lsoft.us/download/LMA9.0-8-patch-2020-10-13.zip

 

Security Risk:

==============

The security risk of this remote code execution vulnerability is estimated
as high. (CVSS 10.0)

 

Credits & Authors:

==================

Securifera, Inc - b0yd (@rwincey)

 

Disclaimer & Information:

=========================

The information provided in this advisory is provided as it is without any
warranty. Securifera disclaims all 

warranties, either expressed or implied, 

including the warranties of merchantability and capability for a particular
purpose. Securifera is not liable in any 

case of damage, 

including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Securifera 

or its suppliers have been advised 

of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential 

or incidental damages so the foregoing 

limitation may not apply. We do not approve or encourage anybody to break
any licenses, policies, or hack into any 

systems.

 

Domains: www.securifera.com

Contact: contact [at] securifera [dot] com

Social: twitter.com/securifera

 

Copyright C 2020 | Securifera, Inc


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists