Bài liên quan
SEC Consult Vulnerability Lab Security Advisory < 20140716-3 > title: Multiple critical vulnerabilities product: Bitdefender GravityZone vulnerable version: <5.1.11.432 fixed version: >=5.1.11.432 impact: critical homepage: http://www.bitdefender.com found: 2014-05-22 by: Stefan Viehböck SEC Consult Vulnerability Lab https://www.sec-consult.com=======================================================================Vendor description:-------------------Bitdefender GravityZone lets enterprises control and protect the heterogeneousenvironments of today. The solution combines highly optimized virtualizationaware security with leading detection technologies and a fresh, but proven,architecture. It empowers administrators with features adapted to reduce thedaily security hassle and eliminate the need for point solutions with unifiedprotection across virtualized, physical, and mobile endpoints. Unlike othersolutions that bolt-on modules to an aging architecture, the GravityZoneControl Center dashboard has been designed specifically to unify monitoringand security management in a single simple and accessible interface.Source: http://download.bitdefender.com/resources/media/materials/business/en/datasheet-gravityzone-brief.pdfBusiness recommendation:------------------------Attackers are able to completely compromise the Bitdefender GravityZonesolution as they can gain system and database level access.Furthermore attackers can manage all endpoints.The Bitdefender GravityZone can be used as an entry point into the targetinfrastructure (lateral movement, privilege escalation).It is highly recommended by SEC Consult not to use this software until athorough security review has been performed by security professionals and allidentified issues have been resolved.Vulnerability overview/description:-----------------------------------1) Unauthenticated local file disclosure (Web Console, Update Server)Unauthenticated users can read arbitrary files from the filesystem with theprivileges of the "nginx" operating system user. These files includeconfiguration files containing sensitive information such as clear textpasswords which can be used in further attacks.Separate vulnerabilities affecting both Web Console and Update Server werefound.2) Insecure service configuration / design issuesThe MongoDB database which is offered via the network by default (TCP ports27017, 28017) can be accessed using hardcoded credentials which can't bechanged. The overall system design requires the database to be accessible viathe network.All relevant GravityZone configuration data can be accessed and changed. Thisincludes the user table.Excerpt from the documentation describing the TCP port 27017:"Default port used by the Communication Server and Control Center to accessthe Database."3) Missing authenticationAuthentication is not required for certain scripts in the web UI. Thisallows unauthenticated attackers to execute administrative functions withoutprior authentication.Proof of concept:-----------------1) Unauthenticated local file disclosure (Web Console, Update Server)Arbitrary files can be downloaded via a vulnerable script:https://<host>/webservice/CORE/downloadFullKitEpc/a/1?id=../../../../../etc/passwdThe Update Server is vulnerable to local file disclosure as well. Arbitraryfiles can be downloaded using the following HTTP request:GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1Host: <host>:70742) Insecure service configuration / Design issuesAttackers can connect to MongoDB on TCP ports 27017 and 28017 using thefollowing hardcoded credentials:Username: <removed>Password: <removed>Detailed proof of concept exploits have been removed for this vulnerability.3) Missing authenticationAuthentication is not required for the following script:/webservice/CORE/downloadSignedCsr (Unauthenticated certificate upload)Vulnerable / tested versions:-----------------------------The vulnerabilities have been verified to exist in GravityZone 5.1.5.386,which was the most recent version at the time of discovery. Vendor contact timeline:------------------------2014-05-26: Sending responsible disclosure policy and requesting encryption keys.2014-05-26: Vendor responds providing encryption keys.2014-05-26: Sending advisory and proof of concept exploit via encrypted channel.2014-05-26: Vendor confirms receipt.2014-06-04: Requesting status update.2014-06-14: Vendor provides status update. Update will be released "End of June".2014-06-26: Vendor provides status update. Update for issue #1 and #3 will be released June 30. Update for issue #2 will be released at the end of July.2014-06-27: Requesting info about other affected products. Clarifying disclosure of issue #2.2014-07-09: Vendor confirms that update for issue #1 and #3 has been shipped and KB article for issue #2 will be released.2014-07-15: Requesting version numbers of affected products.2014-07-16: SEC Consult releases coordinated security advisory.Solution:---------Update to a more recent version of Bitdefender GravityZone _and_implement mitigations for the issue #2.More information can be found at:http://www.bitdefender.com/support/how-to-configure-iptables-firewall-rules-on-gravityzone-for-restricting-outside-access-to-mongodatabase-1265.htmlWorkaround:-----------No workaround available.Advisory URL:-------------https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabSEC ConsultVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - VilniusHeadquarter:Mooslackengasse 17, 1190 Vienna, AustriaPhone: +43 1 8903043 0Fax: +43 1 8903043 15Mail: research at sec-consult dot comWeb: https://www.sec-consult.comBlog: http://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF Stefan Viehböck / @2014
Post a Comment