Tenable SecurityCenter < 5.0.1 Multiple RCE (TNS-2015-10)

2015-08-03T00:00:00
ID SECURITYCENTER_4_6_2_2_MULTIPLE_RCE.NASL
Type nessus
Reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-02-02T00:00:00

Description

According to its version, the installation of Tenable SecurityCenter on the remote host is affected by multiple remote code execution vulnerabilities :

  • A flaw exists due to improper sanitization of user-supplied files during upload functions. An authenticated, remote attacker can exploit this, by uploading a dashboard for another user, to execute arbitrary code when the server processes the file.

  • A flaw exists due to improper sanitization of user-supplied files during upload functions. An authenticated, remote attacker can exploit this, by uploading a custom plugin or custom passive plugin with a specially crafted archive file name, to execute arbitrary code when the server processes the file.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Description branch: registers the plugin's metadata with the engine and
# exits before any host interaction takes place.
if (description)
{
  script_id(85183);
  script_version("1.15");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id("CVE-2015-4149", "CVE-2015-4150");

  script_name(english:"Tenable SecurityCenter < 5.0.1 Multiple RCE (TNS-2015-10)");
  script_summary(english:"Checks the SecurityCenter version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host contains an application that is affected by multiple
remote code execution vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its version, the installation of Tenable SecurityCenter
on the remote host is affected by multiple remote code execution
vulnerabilities :

  - A flaw exists due to improper sanitization of
    user-supplied files during upload functions. An
    authenticated, remote attacker can exploit this, by
    uploading a dashboard for another user, to execute
    arbitrary code when the server processes the file.

  - A flaw exists due to improper sanitization of
    user-supplied files during upload functions. An
    authenticated, remote attacker can exploit this, by
    uploading a custom plugin or custom passive plugin with
    a specially crafted archive file name, to execute
    arbitrary code when the server processes the file.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/tns-2015-10");
  # The 4.x fixes are vendor patches applied on top of 4.6.2.2 / 4.7.1 / 4.8.2;
  # the detection code below therefore checks a file checksum for 4.x, not just the version.
  script_set_attribute(attribute:"solution", value:
"Upgrade to Tenable SecurityCenter version 4.6.2.2 / 4.7.1 / 4.8.2 and
apply the appropriate patch referenced in the vendor advisory.
Alternatively, upgrade to version 5.0.1 or later.");
  # Scores are set manually from the advisory (see cvss_score_rationale below).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"manual");
  script_set_attribute(attribute:"cvss_score_rationale", value:"Score based on analysis of the vendor advisory.");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/07/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/07/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/03");

  # "local": the check runs commands on the host (md5sum) rather than probing a service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:tenable:securitycenter");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Two version sources are accepted: the KB key and the installed_sw registry
  # (both are consulted in the detection code below).
  script_dependencies("securitycenter_installed.nbin", "securitycenter_detect.nbin");
  script_require_ports("Host/SecurityCenter/Version", "installed_sw/SecurityCenter");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");
include("telnet_func.inc");
include("hostlevel_funcs.inc");
include("install_func.inc");


# Select the SSH command-wrapper mode from what the loaded ssh library supports.
if (sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
{
  enable_ssh_wrappers();
}
else
{
  disable_ssh_wrappers();
}

# Local checks are required: the 4.x branch below runs md5sum on the host.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Version comes from the KB key first (presumably populated by the
# securitycenter_installed.nbin dependency); otherwise from the installed_sw
# registry, in which case the finding is reported on 443 instead of port 0.
port = 0;
version = get_kb_item("Host/SecurityCenter/Version");
if (empty_or_null(version))
{
  port = 443;
  inst = get_single_install(app_name:"SecurityCenter", combined:TRUE, exit_if_unknown_ver:TRUE);
  version = inst["version"];
}
vuln = FALSE;

# Affected: 4.6.2.2, 4.7.0, 4.7.1, 4.8.0, 4.8.1, 4.8.2 and 5.0.0 (TNS-2015-10).
# For 4.x the patch state is decided by the checksum of customPluginUpload.php,
# since the version string alone does not tell whether the vendor patch is in;
# for 5.x the version is sufficient.
if (version =~ "^4\.(6\.2\.2|7\.[01]|8\.[0-2])$")
{
  # Command execution channel: pread on the local host, SSH otherwise.
  # info_t and sock_g are shared with the hostlevel/ssh includes, so keep those names.
  if (islocalhost())
  {
    if (!defined_func("pread")) audit(AUDIT_NOT_DETECT, "pread");
    info_t = INFO_LOCAL;
  }
  else
  {
    sock_g = ssh_open_connection();
    if (!sock_g) audit(AUDIT_HOST_NOT, "able to connect via the provided SSH credentials.");
    info_t = INFO_SSH;
  }

  target_file = "/opt/sc4/src/tools/customPluginUpload.php";
  # MD5 of the patched customPluginUpload.php: 4.6 and 4.7 share the same
  # patched hash, 4.8 has its own. The outer regex guarantees one of 4.6/4.7/4.8.
  if (version =~ "^4\.[67]")
    patched_md5 = '65bc765ae62d8127c012ec286cabc686';
  else
    patched_md5 = '5784a4f1e87ab0feb32f82a4dfd84c9b';

  # The path is a constant, so nothing host-controlled reaches the command line.
  output = info_send_cmd(cmd:"md5sum " + target_file);
  if (info_t == INFO_SSH) ssh_close_connection();

  if (!output) exit(1, "The command 'md5sum "+target_file+"' failed.");
  if (output !~ '^[a-f0-9]{32}')
    exit(1, "Unable to obtain an MD5 hash for '"+target_file+"'.");

  # Patched hash not present in the output -> patch not applied.
  if (patched_md5 >!< output)
  {
    vuln = TRUE;
    if (version == "4.6.2.2")
      fix = "Apply the 4.6.2.2 patch referenced in the TNS-2015-10 advisory.";
    else if (version == "4.7.1")
      fix = "Apply the 4.7.1 patch referenced in the TNS-2015-10 advisory.";
    else if (version =~ "^4\.7")
      fix = "Upgrade to version 4.7.1 and apply the 4.7.1 patch referenced in the TNS-2015-10 advisory.";
    else if (version == "4.8.2")
      fix = "Apply the 4.8.2 patch referenced in the TNS-2015-10 advisory.";
    else
      fix = "Upgrade to version 4.8.2 and apply the 4.8.2 patch referenced in the TNS-2015-10 advisory.";
  }
}
else if (version =~ "^5\.")
{
  # Numeric component-wise comparison; only 5.0.x below 5.0.1 is affected.
  parts = split(version, sep:'.', keep:FALSE);
  for (idx = 0; idx < max_index(parts); idx++)
    parts[idx] = int(parts[idx]);

  # NOTE(review): relies on a third component being present ("5.0.0");
  # behaviour for a two-component "5.0" string is not established here.
  if (parts[0] == 5 && parts[1] == 0 && parts[2] < 1)
  {
    vuln = TRUE;
    fix = "5.0.1";
  }
}

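# Report the result. `port` is 0 when the version came from the KB key and 443
# when it came from installed_sw; the terse (non-verbose) path used a hard-coded
# 0, so the two verbosity levels disagreed on the port in the installed_sw case.
# Both paths now report on `port`.
if (vuln)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Installed version  : ' + version +
      '\n  Fixed version      : ' + fix + '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port:port);
}
else audit(AUDIT_INST_VER_NOT_VULN, 'SecurityCenter', version);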