CERTVU:273371Novell File Reporter contains multiple vulnerabilities
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.954 High
EPSS
Percentile
99.4%
Overview
Novell File Reporter 1.0.2 contains multiple vulnerabilities including a heap overflow, arbitrary file retrieval, and arbitrary file upload.
Description
The Rapid7 advisory states:
CVE-2012-4956 - Heap Overflow
When handling requests of name “SRS”, the NFRAgent.exe fails to generate a response in a secure way, copying user controlled data into a fixed-length buffer in the heap without bounds checking. This vulnerability can result in remote code execution under the context of the SYSTEM account.
CVE-2012-4957 - Arbitrary File Retrieval
When handling requests on “/FSF/CMD” for records with NAME “SRS”, OPERATION “4” and CMD “103” the NFRAgent.exe allows a remote unauthenticated user to retrieve arbitrary remote files, specified with the tag “PATH”, with SYSTEM privileges.
CVE-2012-4958 - Arbitrary File Retrieval
When handling requests on “/FSF/CMD” for records with NAME “FSFUI” and UICMD “126” the NFRAgent.exe allows a remote unauthenticated user to retrieve arbitrary remote text files, specified with the tag “FILE”, with SYSTEM privileges.
CVE-2012-4959 - Arbitrary File Upload
When handling requests on “/FSF/CMD” for records with NAME “FSFUI” and UICMD “130” the NFRAgent.exe allows a remote unauthenticated user to upload files to the host, specified with the tag “FILE”, with SYSTEM privileges. It allows to execute remote code with SYSTEM privileges.
Additional details may be found in the Rapid7 blog post entitled “New 0day Exploits: Novell File Reporter Vulnerabilities.”
Impact
A remote unauthenticated attacker may be able to execute code, retrieve arbitrary files, and upload arbitrary files to the host.
Solution
Apply an Update
Download and install the 14 Dec 2012 Novell File Reporter Agent Vulnerability Patch 1.0. Please refer to Knowledge Base document 7011962 for more details.
If you are unable to upgrade for a particular reason, please consider the following workaround.
Restrict Access
Deploy appropriate firewall rules so only trusted networks and hosts can communicate with the Novell File Reporter agent.
Vendor Information
273371
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Novell, Inc. Affected
Updated: November 16, 2012
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| Temporal | 7.7 | E:F/RL:OF/RC:C |
| Environmental | 1.9 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
References
- <https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959>
- <http://www.novell.com/support/kb/doc.php?id=7011962>
- <http://download.novell.com/Download?buildid=M51l4x_JRFc~>
Acknowledgements
Thanks to Juan Vazquez for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
| CVE IDs: | CVE-2012-4956, CVE-2012-4957, CVE-2012-4958, CVE-2012-4959 |
|---|---|
| Date Public: | 2012-11-16 Date First Published: |
Related
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.954 High
EPSS
Percentile
99.4%