Attachmate Verastream Host Integrator (VHI) allows arbitrary file upload and execution

2013-11-04T00:00:00
ID VU:436214
Type cert
Reporter CERT
Modified 2013-11-19T00:00:00

Description

Overview

The Attachmate Verastream Host Integrator (VHI) is vulnerable to arbitrary file uploads and execution.

Description

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2013-3626

The Attachmate VHI Session Server, on all platforms, allows unauthenticated remote attackers to write arbitrary files on the machine in which the product is installed by sending a specially crafted message to the VHI Session Server. The affected versions are:

  • 7.5 SP 1 HF 1
  • 7.5 SP 1
  • 7.5
  • 7.1 SP 2 HF 1 - 6
  • 7.1 SP 2
  • 7.1 SP 1
  • 7.1
  • 7.0
  • 6.6
  • 6.5
  • 6.0

Impact

An attacker may be able to gain complete control of the server on which the application is installed.


Solution

Apply a Hotfix
Attachmate has released a hotfix to address this issue while a patch is being developed. The hotfix can be found at: <http://support.attachmate.com/techdocs/2700.html>


Vendor Information

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Attachmate| | 02 Oct 2013| 10 Oct 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal | 7.5 | E:POC/RL:TF/RC:C
Environmental | 1.9 | CDP:N/TD:L/CR:ND/IR:ND/AR:ND

References

  • <http://cwe.mitre.org/data/definitions/22.html>
  • <http://support.attachmate.com/techdocs/2700.html>

Credit

Thanks to Arnold Geels of Attachmate for reporting this vulnerability.

This document was written by Chris King.

Other Information

  • CVE IDs: CVE-2013-3626
  • Date Public: 04 Nov 2013
  • Date First Published: 04 Nov 2013
  • Date Last Updated: 19 Nov 2013
  • Document Revision: 12