Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.NETIQ_ACCESS_MANAGER_4SP1HF3.NASL
HistoryFeb 18, 2015 - 12:00 a.m.

NetIQ Access Manager 4.0 < 4.0 SP1 Hotfix 3 Multiple Vulnerabilities

2015-02-1800:00:00
This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
8
JSON

The remote host is running a version of NetIQ Access Manager 4.0 without service pack 1 hotfix 3. It is, therefore, affected by the following vulnerabilities :

  • An XML Entity Injection (XXE) flaw exists in the ‘query’ parameter of the webacc servlet that can allow an authenticated user to view the contents of any file on the system that the user running the web application has access to, including the ‘/etc/password’ file.
    (CVE-2014-5214)

  • An authenticated user, via the ‘debug.jsp’ and ‘dev_services.jsp’ pages, can gain access to the following protected system properties :

    • com.volera.vcdn.monitor.password
    • com.volera.vcdn.alert.password
    • com.volera.vcdn.sync.password
    • com.volera.vcdn.scheduler.password
    • com.volera.vcdn.publisher.password
    • com.volera.vcdn.application.sc.scheduler.password
    • com.volera.vcdn.health.password (CVE-2014-5215)

  • Multiple reflected cross-site scripting (XSS) flaws exist in the parameters on various pages.
    (CVE-2014-5216)

  • A cross-site request forgery (XSRF) vulnerability exists in the webacc servlet that allows an attacker, using a specially crafted request, to change the administrative password of the Administration Console. However, an administrator must be tricked into executing the request within the context of an authenticated session.
    (CVE-2014-5217)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(81405);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id(
    "CVE-2014-5214",
    "CVE-2014-5215",
    "CVE-2014-5216",
    "CVE-2014-5217"
  );
  script_bugtraq_id(
    71745,
    71754,
    71755,
    71826
  );

  script_name(english:"NetIQ Access Manager 4.0 < 4.0 SP1 Hotfix 3 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of NetIQ Access Manager.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is running a web application affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of NetIQ Access Manager 4.0
without service pack 1 hotfix 3. It is, therefore, affected by the
following vulnerabilities :

  - An XML Entity Injection (XXE) flaw exists in the 'query'
    parameter of the webacc servlet that can allow an
    authenticated user to view the contents of any file on
    the system that the user running the web application has
    access to, including the '/etc/password' file.
    (CVE-2014-5214)

  - An authenticated user, via the 'debug.jsp' and
    'dev_services.jsp' pages, can gain access to the
    following protected system properties :
      - com.volera.vcdn.monitor.password
      - com.volera.vcdn.alert.password
      - com.volera.vcdn.sync.password
      - com.volera.vcdn.scheduler.password
      - com.volera.vcdn.publisher.password
      - com.volera.vcdn.application.sc.scheduler.password
      - com.volera.vcdn.health.password
    (CVE-2014-5215)

  - Multiple reflected cross-site scripting (XSS) flaws
    exist in the parameters on various pages.
    (CVE-2014-5216)

  - A cross-site request forgery (XSRF) vulnerability exists
    in the webacc servlet that allows an attacker, using a
    specially crafted request, to change the administrative
    password of the Administration Console. However, an
    administrator must be tricked into executing the request
    within the context of an authenticated session.
    (CVE-2014-5217)");
  script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=7015993");
  script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=7015994");
  script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=7015995");
  script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=7015996");
  script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=7015997");
  # https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20141218-2_Novell_NetIQ_Access_Manager_Multiple_Vulnerabilities_v10.txt
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ad1a1c9a");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Access Manager 4.0 Service Pack 1 and apply Hotfix 3");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/12/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/18");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:netiq:access_manager");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("netiq_access_manager_detect.nbin", "netiq_access_manager_installed.nbin");
  script_require_keys("installed_sw/NetIQ Access Manager");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");
include("http_func.inc");

appname  = "NetIQ Access Manager";
installs = get_combined_installs(app_name:appname,exit_if_not_found:TRUE);
installs = installs[1];

version = FALSE;
hotfix  = FALSE;
port    = FALSE;
path    = FALSE;
# We will either see an install from the WebUI
# or from the local detect or both.  So at most
# installs is a list of 2 things, it is not
# possible to have more than one version installed
# at a time
foreach install (installs)
{
  iver  = install['version'];
  ihfx  = install['hotfix' ];
  iport = install['port'   ];

  if(!version || (iver != version && iver != UNKNOWN_VER))
    version = iver;
  if(!hotfix  || (ihfx != hotfix  && ihfx != UNKNOWN_VER))
    hotfix  = ihfx;
  if(!path)
    path = install["path"];
  # We always prefer the remote detects port/path
  if(!isnull(iport))
  {
    port = iport;
    path = install["path"];
  }
}
inthf = 0;
if(hotfix != "None" && hotfix != UNKNOWN_VER)
  inthf = int(hotfix);

if(version == UNKNOWN_VER)
  audit(AUDIT_UNKNOWN_APP_VER,appname);

# Got a port so we can show URL instead of FS Path
if(port) path = build_url(port:port,qs:path);
else     port = 0;

# hotfix == UNKNOWN_VER : couldn't determine hotfix
# hotfix == "None"      : determined hotfix, but there isn't one
# hotfix == some number : determined hotfix
if(version == "4.0.1" && hotfix == UNKNOWN_VER && report_paranoia <= 1)
  exit(1,"Hotfix level unknown, this plugin will only run if 'Report paranoia' is set to 'Paranoid'");

# Report versions of vars
rversion = version;
if(inthf != 0)
  rversion += " HF"+hotfix;

rport = port;
if(port == 0)
{
  rport = get_kb_item('SMB/transport');
  if(isnull(rport)) rport = 445;
}

if ( version == "4.0.0" || (version == "4.0.1" && inthf < 3) )
{
  set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
  set_kb_item(name: 'www/'+port+'/XSRF', value: TRUE);
  if (report_verbosity > 0)
  {
    if(port != 0)
      report = '\n  URL               : ' + path;
    else
      report = '\n  Path              : ' + path;
    report  += '\n  Installed version : ' + rversion +
               '\n  Fixed version     : 4.0.1 HF3\n';
    security_warning(port:rport, extra:report);
  }
  else security_warning(rport);
  exit(0);
}
else audit(AUDIT_INST_VER_NOT_VULN,appname,rversion);
VendorProductVersionCPE
netiqaccess_managercpe:/a:netiq:access_manager

Related

securityvulns 2
exploitpack 1
packetstorm 1
openvas 1
exploitdb 1
zdt 1
prion 5
cve 5
securityvulns
securityvulns
NetIQ Access Manager multiple security vulnerabilities
2014-12-22 00:00:00
SEC Consult SA-20141218-2 :: Multiple high risk vulnerabilities in NetIQ Access Manager
2014-12-22 00:00:00
exploitpack
exploitpack
NetIQ Access Manager 4.0 SP1 - Multiple Vulnerabilities
2014-12-23 00:00:00
packetstorm
packetstorm
NetIQ Access Manager 4.0 SP1 XSS / CSRF / XXE Injection / Disclosure
2014-12-19 00:00:00
openvas
openvas
NetIQ Access Manager XSS / CSRF / XXE Injection / Disclosure
2014-12-19 00:00:00
exploitdb
exploitdb
NetIQ Access Manager 4.0 SP1 - Multiple Vulnerabilities
2014-12-23 00:00:00
zdt
zdt
NetIQ Access Manager 4.0 SP1 - Multiple Vulnerabilities
2014-12-23 00:00:00
prion
prion
Improper access control
2014-12-23 11:59:00
Xxe
2014-12-23 11:59:00
Cross site request forgery (csrf)
2014-12-23 11:59:00
cve
cve
CVE-2014-5215
2014-12-23 11:59:00
CVE-2014-5214
2014-12-23 11:59:00
CVE-2014-5217
2014-12-23 11:59:00
JSON
Related for NETIQ_ACCESS_MANAGER_4SP1HF3.NASL
securityvulns2exploitpack1packetstorm1openvas1exploitdb1zdt1prion5cve5