CVSS2 | 10 High |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |

CVSS3 | 9.8 High |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS | 0.038 Low |
---|---|
Percentile | 91.9% |

The Marvell QConvergeConsole GUI running on the remote host is affected by a path traversal vulnerability in the decryptFile method of the FlashValidatorServiceImpl class in the FlashValidator web application. An unauthenticated, remote attacker can exploit this, via specially crafted message(s), to execute arbitrary code on the host with SYSTEM or root privileges.
Note that the application is reportedly affected by other vulnerabilities; however, this plugin has not tested for those issues.

```nasl
###
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(140188);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/09/03");

  script_cve_id("CVE-2020-15639");
  script_xref(name:"ZDI", value:"ZDI-20-967");

  script_name(english:"Marvell QConvergeConsole (QCC) FlashValidatorServiceImpl decryptFile Path Traversal RCE");

  script_set_attribute(attribute:"synopsis", value:
"The remote web application is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Marvell QConvergeConsole GUI running on the remote host is
affected by a path traversal vulnerability in the decryptFile method
of the FlashValidatorServiceImpl class in the FlashValidator web
application. An unauthenticated, remote attacker can exploit this,
via specially crafted message(s), to execute arbitrary code on the
host with SYSTEM or root privileges.
Note that the application is reportedly affected by other
vulnerabilities; however, this plugin has not tested for those issues.");
  # https://www.marvell.com/content/dam/marvell/en/public-collateral/fibre-channel/marvell-fibre-channel-security-advisory-2020-07.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0975c4e9");
  script_set_attribute(attribute:"solution", value:
"Upgrade QConvergeConsole GUI to version 5.5.0.73 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-15639");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/08/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/08/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/09/02");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:marvell:qconvergeconsole");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("qcc_detect.nbin");
  script_require_keys("installed_sw/QLogic QConvergeConsole");
  script_require_ports("Services/www", 8080, 8443);

  exit(0);
}

include('http.inc');
include('install_func.inc');
include('debug.inc');

app = 'QLogic QConvergeConsole';

# Exit if app is not detected on the target host.
get_install_count(app_name:app, exit_if_zero:TRUE);

# Exit if app is not detected on this http port.
port = get_http_port(default:8080);
install = get_single_install(
  app_name : app,
  port     : port
);

headers = {'X-GWT-Permutation':'abcd'};
url = '/FlashValidator/com.qlogic.qms.hba.gwt.FlashValidator/FlashValidatorService';

if(get_port_transport(port) == ENCAPS_IP)
  scheme = 'http';
else
  scheme = 'https';

data = '7|0|' + # GWT version and flags
  # 7 strings to follow in the string table below
  '7|' +
  #
  # Start of the string table, which is one-based when referencing
  # an element in the table.
  #
  # Base URL of the GWT app
  scheme + '://' + get_host_ip() + ':' + port +
  '/FlashValidator/com.qlogic.qms.hba.gwt.FlashValidator/|' +
  # Serialization policy file
  'serialization_policy|'+
  # Service interface
  'com.qlogic.qms.hba.gwt.client.FlashValidatorService|' +
  # Method to call
  'decryptFile|' +
  # Parameter type used in decryptFile(String infile, String outfile)
  'java.lang.String/2004016611|' +
  # Value for the first param (input file)
  'infile|' +
  # Value for the second param (output file)
  'outfile|' +
  #
  # end of the string table
  #
  # Reference the GWT app URL base, policy file, service interface
  # and method
  '1|2|3|4|' +
  # decryptFile has 2 parameters
  '2|' +
  # The type of the first param is a String
  '5|' +
  # The type of the second param is a String
  '5|' +
  # The value of the first param
  '6|';
  # We would have specified the value for the second param here.
  # But we intentionally omit that to cause a GWT exception.
  # This is to avoid a successful decryptFile() call because a
  # successful call would create a file on the remote host, making the
  # plugin a destructive one.

res = http_send_recv3(
  port         : port,
  method       : 'POST',
  item         : url,
  data         : data,
  content_type : 'text/x-gwt-rpc; charset=UTF-8',
  add_headers  : headers,
  exit_on_fail : TRUE
);

# Patched QCC removed the FlashValidator webapp altogether, so the
# endpoint for the decryptFile() call does not exist
if(' 404 ' >< res[0])
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, build_url(port:port, qs:install['path']));
# Vulnerable QCC returns 200, but the call was not successful
# because the second parameter for decryptFile() was missing.
else if (' 200 ' >< res[0])
{
  dbg::log(msg:res[0] + res[1], ddata:res[2]);
  report =
    'Nessus was able to detect the issue using the following ' +
    'request : ' +
    '\n' + http_last_sent_request();
  security_report_v4(severity:SECURITY_HOLE, port:port, extra:report);
}
# Unexpected
else
{
  dbg::log(msg:res[0] + res[1], ddata:res[2]);
  audit(AUDIT_RESP_BAD, port);
}
```

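
The request layout annotated in the plugin comments, read from the defender's side: this added example (not Tenable's code and not part of the plugin) parses a GWT-RPC body taken from a proxy or WAF log and flags calls to `decryptFile`. The function names, the result labels, the documentation IP address in the sample and the reading of index 0 as a null reference are assumptions.

```python
# Added example (not Tenable's code): flag decryptFile calls in GWT-RPC bodies.
WATCHED = ("com.qlogic.qms.hba.gwt.client.FlashValidatorService", "decryptFile")

# Constructed sample: the plugin's probe body with a documentation IP address.
PROBE = ("7|0|7|"
         "http://192.0.2.10:8080/FlashValidator/com.qlogic.qms.hba.gwt.FlashValidator/|"
         "serialization_policy|com.qlogic.qms.hba.gwt.client.FlashValidatorService|"
         "decryptFile|java.lang.String/2004016611|infile|outfile|"
         "1|2|3|4|2|5|5|6|")

def _ref(table, token):
    """Resolve a one-based string table index; 0 is read as null (assumption)."""
    index = int(token)
    if not 0 <= index <= len(table):
        raise ValueError("string table index out of range")
    return table[index - 1] if index else None

def parse_gwt_rpc(body):
    """Return service, method and arguments, or None if the body is malformed."""
    fields = body.split("|")
    if fields[-1] == "":
        fields.pop()                      # the body ends with a trailing '|'
    try:
        count = int(fields[2])            # fields[0] and [1]: version, flags
        table, rest = fields[3:3 + count], fields[3 + count:]
        if len(table) != count:
            return None
        service, method = _ref(table, rest[2]), _ref(table, rest[3])
        nparams = int(rest[4])
        types = [_ref(table, t) for t in rest[5:5 + nparams]]
        if len(types) != nparams:
            return None
        # Resolve String arguments only; other types stay as raw tokens.
        args = [_ref(table, v) if (t or "").startswith("java.lang.String/") else v
                for t, v in zip(types, rest[5 + nparams:])]
    except (IndexError, ValueError):
        return None
    return {"service": service, "method": method, "declared": nparams, "args": args}

def classify(body):
    call = parse_gwt_rpc(body)
    if call is None:
        return "malformed"
    if (call["service"], call["method"]) != WATCHED:
        return "other"
    # The probe declares two parameters but sends one value, so the call fails
    # before decryptFile() runs; a complete call reaches the method.
    if len(call["args"]) < call["declared"]:
        return "decryptFile-truncated"
    return "decryptFile-complete"
```

A `decryptFile-truncated` result matches the scanner's non-destructive probe, while `decryptFile-complete` marks a request that reached the method and whose resolved `args` deserve review.
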
Vendor | Product | Version | CPE |
---|---|---|---|
marvell | qconvergeconsole | | x-cpe:/a:marvell:qconvergeconsole |