HP Operations Manager i Apache Flex BlazeDS External Entity Injection Vulnerability

2016-03-09T00:00:00
ID HP_OPERATIONS_MANAGER_I_HPSBGN03550.NASL
Type nessus
Reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-11-02T00:00:00

Description

The remote HP Operations Manager i host is affected by an XML external entity (XXE) vulnerability in the bundled version of Apache Flex BlazeDS due to an incorrectly configured XML parser accepting XML external entities from an untrusted source. A remote attacker can exploit this, via a specially crafted XML file, to read and disclose arbitrary files.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(89780);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/19");

  script_cve_id("CVE-2015-3269");
  script_bugtraq_id(76394);
  script_xref(name:"HP", value:"HPSBGN03550");
  script_xref(name:"HP", value:"SSRT102232");
  script_xref(name:"HP", value:"emr_na-c05026202");

  script_name(english:"HP Operations Manager i Apache Flex BlazeDS External Entity Injection Vulnerability");
  script_summary(english:"Checks for patch.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by an external entity injection
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote HP Operations Manager i host is affected by an XML external
entity (XXE) vulnerability in the bundled version of Apache Flex
BlazeDS due to an incorrectly configured XML parser accepting XML
external entities from an untrusted source. A remote attacker can
exploit this, via a specially crafted XML file, to read and disclose
arbitrary files.");
  # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c05026202
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?abb54004");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch per the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/08/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:operations_manager_i");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("hp_operations_manager_i_installed.nbin");
  script_require_keys("installed_sw/HP Operations Manager i");
  script_require_ports(139, 445);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

global_var appname;
appname = "HP Operations Manager i";

function is_patched(version, patch, path)
{
  local_var item, ip_level, ip_fix;

  ip_fix = 2;
  if(version == "10.00") ip_fix = 3;

  if(isnull(patch))
    return version + ' IP ' + ip_fix;

  item = eregmatch(pattern:"^[0-9.]+ IP ([0-9]+)($|[^0-9])",
                   string:patch);

  if(isnull(item) || isnull(item[1]))
    exit(1, "Unable to parse patch information : '" + patch + "'");

  ip_level = int(item[1]);

  if(ip_fix < ip_level)
    return version + ' IP ' + ip_fix;

  return '';
}

install = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE);
version = install['version'];
patch   = install['Patch'];
path    = install['path'];

if(version !~ "^10\.0[01]$")
  audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);

fix = is_patched(version:version, patch:patch, path:path);

if (fix != '')
{
  report =
    '\n  Path              : ' + path +
    '\n  Installed version : ' + version;
  if(!isnull(patch)) report +=
    '\n  Installed patch   : ' + patch;
  report +=
    '\n  Fixed version     : ' + fix +
    '\n';

  port = get_kb_item("SMB/transport");
  if (!port) port = 445;

  security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);
  exit(0);
}
else audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);