CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
EPSS
Percentile
5.1%
The version of IBM Lotus Sametime Connect installed on the remote Windows host is potentially affected by an information disclosure vulnerability. If a user sets a certain log flag to high and uses Audio/Video chat, the user’s password is stored in plaintext (unencrypted).
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(72880);
script_version("1.6");
script_cvs_date("Date: 2019/11/26");
script_cve_id("CVE-2014-0890");
script_bugtraq_id(65937);
script_name(english:"IBM Lotus Sametime Connect Audio / Video Chat Information Disclosure");
script_summary(english:"Checks version of IBM Lotus Sametime Connect Client");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has a chat client that is affected by an
information disclosure vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of IBM Lotus Sametime Connect installed on the remote
Windows host is potentially affected by an information disclosure
vulnerability. If a user sets a certain log flag to high and uses
Audio/Video chat, the user's password is stored in plaintext
(unencrypted).");
script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21665658");
# https://www.ibm.com/blogs/psirt/ibm-security-bulletin-passwords-may-be-logged-when-some-high-logging-level-flag-is-used-cve-2014-0890/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?122c1e05");
# https://packetstormsecurity.com/files/125326/Lotus-Sametime-8.5.1-Password-Disclosure.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?74a641a5");
script_set_attribute(attribute:"solution", value:
"Apply the patch referenced in the advisory.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-0890");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/21");
script_set_attribute(attribute:"patch_publication_date", value:"2014/02/26");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/07");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:sametime");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("lotus_sametime_connect_installed.nasl", "smb_hotfixes.nasl");
script_require_keys("SMB/IBM Lotus Sametime Client/Path", "SMB/IBM Lotus Sametime Client/Version", "SMB/Registry/Enumerated");
script_require_ports(139, 445);
exit(0);
}
include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");
include("misc_func.inc");
app_name = "IBM Lotus Sametime Connect Client";
version = get_kb_item_or_exit('SMB/IBM Lotus Sametime Client/Version');
path = get_kb_item_or_exit('SMB/IBM Lotus Sametime Client/Path');
fixpackdate = get_kb_item('SMB/IBM Lotus Sametime Client/fixpackdate');
winver = get_kb_item_or_exit("SMB/WindowsVersion");
# Looks for Sametime preference files with vulnerable log flags.
function check_sametime_logging(dir)
{
local_var hklm, subkeys, profile_key, sid;
local_var system_root;
local_var vulnerable_files;
vulnerable_files = make_list();
registry_init();
hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
profile_key = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList";
subkeys = get_registry_subkeys(handle:hklm, key:profile_key);
RegCloseKey(handle:hklm);
system_root = hotfix_get_systemroot();
if (isnull(system_root)) exit(1, "Unable to get system root directory.");
if (!isnull(subkeys))
{
foreach sid (subkeys)
{
local_var appdata_path;
registry_init();
hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
appdata_path = get_registry_value(handle:hklm, item:strcat(profile_key,"\",sid,"\ProfileImagePath"));
RegCloseKey(handle:hklm);
if (!isnull(appdata_path))
{
local_var sametime_log_path;
sametime_log_path = hotfix_append_path(path:appdata_path, value:strcat(dir, "\.config\rcpinstall.properties"));
sametime_log_path = str_replace(string:sametime_log_path, find:"%systemroot%", replace:system_root);
if (hotfix_file_exists(path:sametime_log_path))
{
local_var contents;
contents = hotfix_get_file_contents(sametime_log_path);
if ( contents['error'] == HCF_OK &&
ereg(string:contents['data'], pattern:"com\.ibm\.collaboration\.realtime\.telephony(\..*)?\.level=FINE", multiline:TRUE))
{
vulnerable_files = make_list(vulnerable_files, sametime_log_path);
}
}
}
}
}
RegCloseKey(handle:hklm);
close_registry();
return vulnerable_files;
}
# Add vulnerable files to report.
function report_high_logging(report, logs)
{
local_var log;
report += '\n High level log flags were detected in the following files:';
foreach log (logs)
{
report += '\n - ' + log;
}
report += '\n';
return report;
}
vuln = FALSE;
fixdate = NULL;
workspace_dir = NULL;
if (winver < 6) base_workspace = "\Application Data";
else base_workspace = "\AppData\Roaming";
# Only 8.5.1, 8.5.2 and 9.0.0 are affected.
if (version =~ "^8\.5\.1( .*)?$")
{
# Check the fixpack timestamp
if (isnull(fixpackdate)) vuln = TRUE;
else
{
fixdate = "20140224";
fixpackdate = ereg_replace(pattern:'^([0-9]+)-[0-9]+$', replace:"\1", string:fixpackdate);
if (int(fixpackdate) < fixdate) vuln = TRUE;
}
workspace_dir = hotfix_append_path(path:base_workspace, value:"\Lotus\Sametime");
}
else if (version =~ "^8\.5\.2( .*)?$")
{
# Check the fixpack timestamp
if (isnull(fixpackdate)) vuln = TRUE;
else
{
fixdate = "20140225";
fixpackdate = ereg_replace(pattern:'^([0-9]+)-[0-9]+$', replace:"\1", string:fixpackdate);
if (int(fixpackdate) < fixdate) vuln = TRUE;
}
workspace_dir = hotfix_append_path(path:base_workspace, value:"\Lotus\Sametime");
}
else if (version =~ "^9\.0\.0( .*)?$")
{
# Check the fixpack timestamp
if (isnull(fixpackdate)) vuln = TRUE;
else
{
fixdate = "20140225";
fixpackdate = ereg_replace(pattern:'^([0-9]+)-[0-9]+$', replace:"\1", string:fixpackdate);
if (int(fixpackdate) < fixdate) vuln = TRUE;
}
workspace_dir = hotfix_append_path(path:base_workspace, value:"\IBM\Sametime");
}
# If doing a paranoid scan, then we're done. Otherwise, if not doing
# a paranoid scan and detected a vulnerable version, check logging
# levels per the advisory.
if (vuln && report_paranoia < 2)
{
vuln = FALSE;
logs = check_sametime_logging(dir:workspace_dir);
if (max_index(logs) > 0) vuln = TRUE;
}
if (vuln)
{
port = kb_smb_transport();
if (report_verbosity > 0)
{
report =
'\n Path : ' + path +
'\n Installed version : ' + version;
if (!isnull(fixpackdate))
{
report +=
'\n Installed Fix Pack date : ' + fixpackdate +
'\n Fixed Fix Pack date : ' + fixdate + '\n';
}
else report += '\n No Fix Packs have been applied.\n';
if (logs) report = report_high_logging(report:report, logs:logs);
security_note(port:port, extra:report);
}
else security_note(port);
exit(0);
}
else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);