{"cve": [{"lastseen": "2016-09-03T20:05:01", "bulletinFamily": "NVD", "description": "The forgotten-password feature in forcepasswd.do in the management GUI in Symantec LiveUpdate Administrator (LUA) 2.x before 2.3.2.110 allows remote attackers to reset arbitrary passwords by providing the e-mail address associated with a user account.", "modified": "2014-03-31T12:40:14", "published": "2014-03-28T21:55:07", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1644", "id": "CVE-2014-1644", "title": "CVE-2014-1644", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-03T20:05:02", "bulletinFamily": "NVD", "description": "SQL injection vulnerability in forcepasswd.do in the management GUI in Symantec LiveUpdate Administrator (LUA) 2.x before 2.3.2.110 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.", "modified": "2014-03-31T12:27:39", "published": "2014-03-28T21:55:07", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1645", "id": "CVE-2014-1645", "title": "CVE-2014-1645", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:21:00", "bulletinFamily": "scanner", "description": "The version of Symantec LiveUpdate Administrator 2.x hosted on the remote web server is prior to 2.3.2.110 (2.3.2.1). It is, therefore, affected by the following vulnerabilities :\n\n - A flaw exists with the forgotten password functionality where the password for an authorized user account can be forcefully reset. This could allow a remote attacker with knowledge of the account's email address to reset the password and potentially gain full access to the administrator web interface. (CVE-2014-1644)\n\n - Multiple SQL injection flaws exist within the application, including the password recovery functionality. This could allow a remote attacker to inject or manipulate SQL queries, allowing the manipulation or disclosure of arbitrary data.\n (CVE-2014-1645)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "modified": "2018-11-15T00:00:00", "id": "SYMANTEC_LUA_2_3_2_110.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73275", "published": "2014-03-31T00:00:00", "title": "Symantec LiveUpdate Administrator < 2.3.2.110 Multiple Vulnerabilities (SYM14-005)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(73275);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/11/15 20:50:19\");\n\n script_cve_id(\"CVE-2014-1644\", \"CVE-2014-1645\");\n script_bugtraq_id(66399, 66400);\n script_xref(name:\"IAVB\", value:\"2014-B-0034\");\n\n script_name(english:\"Symantec LiveUpdate Administrator < 2.3.2.110 Multiple Vulnerabilities (SYM14-005)\");\n script_summary(english:\"Checks LUA version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application on the remote host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Symantec LiveUpdate Administrator 2.x hosted on the\nremote web server is prior to 2.3.2.110 (2.3.2.1). It is, therefore,\naffected by the following vulnerabilities :\n\n - A flaw exists with the forgotten password functionality\n where the password for an authorized user account can be\n forcefully reset. This could allow a remote attacker\n with knowledge of the account's email address to reset\n the password and potentially gain full access to the\n administrator web interface. (CVE-2014-1644)\n\n - Multiple SQL injection flaws exist within the\n application, including the password recovery\n functionality. This could allow a remote attacker to\n inject or manipulate SQL queries, allowing the\n manipulation or disclosure of arbitrary data.\n (CVE-2014-1645)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140328-0_Symantec_LiveUpdate_Administrator_Multiple_vulnerabilities_wo_poc_v10.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fd44e0ba\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2014/Mar/171\");\n # https://support.symantec.com/en_US/article.SYMSA1290.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2730de5a\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to LiveUpdate Administrator 2.3.2.110 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/03/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/31\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:symantec:liveupdate_administrator\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"symantec_lua_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/symantec_lua\");\n script_require_ports(\"Services/www\", 7070, 8080);\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\n\nport = get_http_port(default:7070);\ninstall = get_install_from_kb(appname:'symantec_lua', port:port, exit_on_fail:TRUE);\n\ndir = install['dir'];\nver = install['ver'];\nurl = build_url(port:port, qs:dir);\n\nif (ver == UNKNOWN_VER) audit(AUDIT_UNKNOWN_WEB_APP_VER, \"Symantec LiveUpdate Administrator\", url);\n\n# Branch Check\nif (ver !~ \"^2\\.\") audit(AUDIT_WEB_APP_NOT_AFFECTED,\"Symantec LiveUpdate Administrator\",url,ver);\n\nfix = '2.3.2.110';\nif (ver_compare(ver:ver, fix:fix, strict:FALSE) != -1)\n audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Symantec LiveUpdate Administrator\", url, ver);\n\nset_kb_item(name:'www/'+port+'/SQLInjection', value:TRUE);\n\nif (report_verbosity > 0)\n{\n report =\n '\\n URL : ' + url +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix + '\\n';\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2018-10-22T16:41:13", "bulletinFamily": "scanner", "description": "The host is installed with Symantec LiveUpdate Administrator and is prone to\nmultiple vulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2014-04-03T00:00:00", "id": "OPENVAS:1361412562310804359", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804359", "title": "Symantec LiveUpdate Administrator Multiple Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_symantec_liveupdate_administrator_mult_vuln.nasl 11867 2018-10-12 10:48:11Z cfischer $\n#\n# Symantec LiveUpdate Administrator Multiple Vulnerabilities\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:symantec:liveupdate_administrator\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804359\");\n script_version(\"$Revision: 11867 $\");\n script_cve_id(\"CVE-2014-1644\", \"CVE-2014-1645\");\n script_bugtraq_id(66399, 66400);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:48:11 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-03 15:36:12 +0530 (Thu, 03 Apr 2014)\");\n script_name(\"Symantec LiveUpdate Administrator Multiple Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Symantec LiveUpdate Administrator and is prone to\nmultiple vulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - Improper restrictions on access to the 'lua/forcepasswd.do' script.\n\n - Improper sanitization of input passed to 'lua/forcepasswd.do' and\n'loginforgotpwd' scripts.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to bypass certain security\nrestrictions and inject or manipulate SQL queries in the back-end database,\nallowing for the manipulation or disclosure of arbitrary data.\");\n script_tag(name:\"affected\", value:\"Symantec LiveUpdate Administrator before version 2.x before 2.3.2.110\");\n script_tag(name:\"solution\", value:\"Upgrade to Symantec LiveUpdate Administrator version 2.3.2.110 or later.\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/57659\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/id?1029972\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/125925\");\n script_xref(name:\"URL\", value:\"http://archives.neohapsis.com/archives/bugtraq/2014-03/0172.html\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_symantec_liveupdate_administrator_detect.nasl\");\n script_mandatory_keys(\"Symantec/LUA/Version\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.symantec.com\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!luaPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!luaVer = get_app_version(cpe:CPE, port:luaPort)){\n exit(0);\n}\n\nif(version_in_range(version:luaVer, test_version:\"2.0\", test_version2:\"2.3.2.109\"))\n{\n security_message(port:luaPort);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:51", "bulletinFamily": "software", "description": "\r\n\r\nSEC Consult Vulnerability Lab Security Advisory < 20140328-0 >\r\n=======================================================================\r\n title: Multiple critical vulnerabilities\r\n product: Symantec LiveUpdate Administrator\r\n vulnerable version: <= 2.3.2.99\r\n fixed version: 2.3.2.110\r\n impact: critical\r\n CVE number: CVE-2014-1644, CVE-2014-1645\r\n homepage: http://www.symantec.com\r\n found: 2014-01-02\r\n by: Stefan Viehbock\r\n SEC Consult Vulnerability Lab\r\n https://www.sec-consult.com\r\n=======================================================================\r\n\r\nVendor description:\r\n-------------------\r\n"LiveUpdate Administrator is an enterprise Web application that allows you to\r\nmanage updates on multiple internal Central Update servers, called Distribution\r\nCenters. Using LiveUpdate Administrator, you download updates to the Manage\r\nUpdates folder, and then send the updates to production distribution servers\r\nfor Update clients to download, or to testing distribution centers, so that the\r\nupdates can be tested before they are distributed to production.\r\n\r\nSource:\r\nhttp://www.symantec.com/connect/articles/knowledgebase-articles-liveupdate-administrator-lua\r\n\r\n\r\nBusiness recommendation:\r\n------------------------\r\nAttackers are able to compromise LiveUpdate Administrator at the\r\napplication and database levels. This enables access to credentials of update\r\nservers on the network.\r\n\r\nIt is highly recommended by SEC Consult not to use this software until a\r\nthorough security review has been performed by security professionals and all\r\nidentified issues have been resolved.\r\n\r\n\r\nVulnerability overview/description:\r\n-----------------------------------\r\n1) Unauthenticated arbitrary account password reset (CVE-2014-1644)\r\nThe reset password is not properly protected and allows unauthenticated\r\nattackers to reset passwords of arbitrary users.\r\nUsing this vulnerability an attacker can gain full access to the LiveUpdate\r\nAdministrator web interface.\r\nAn attacker can use this vulnerability to retrieve usernames/passwords of\r\ninternal LiveUpdate servers and execute attacks against those servers.\r\n\r\n2) Unauthenticated SQL injection (CVE-2014-1645)\r\nSeveral SQL injection vulnerabilities were discovered in the application.\r\nThese vulnerabilities allow attackers to exfiltrate database contents\r\n(including user names, passwords, server credentials) and possibly to\r\ncompromise the host system as well.\r\n\r\n\r\nProof of concept:\r\n-----------------\r\n1) Unauthenticated arbitrary account password reset (CVE-2014-1644)\r\nThe following request shows how the password of the user with the email address\r\n"foo@bar.com" can be set to "11111111".\r\nAffected script: /lua/forcepasswd.do\r\n\r\nDetailed proof of concept exploits have been removed for this vulnerability.\r\n\r\n2) Unauthenticated SQL injection (CVE-2014-1645)\r\nThe following request shows how the SQL injection in the password reset\r\nfunctionality can be exploited (blind, timing).\r\nAffected script: /lua/forcepasswd.do\r\n\r\nDetailed proof of concept exploits have been removed for this vulnerability.\r\n\r\nThe password recovery functionality (/loginforgotpwd)is vulnerable to SQL\r\ninjection as well. Several DAO methods show incorrect use of prepared\r\nstatements and were not investigated further.\r\n\r\n\r\nVulnerable / tested versions:\r\n-----------------------------\r\nThe vulnerabilities have been verified to exist in Symantec LiveUpdate\r\nAdministrator version 12.1.4013, which was the most recent version at the time\r\nof discovery.\r\n\r\n\r\nVendor contact timeline:\r\n------------------------\r\n2014-01-09: Sending advisory and proof of concept exploit via encrypted\r\n channel.\r\n2014-01-09: Vendor acknowledges receipt of advisory.\r\n2014-02-24: Requesting status update.\r\n2014-02-25: Vendor confirms vulnerability.\r\n2014-02-25: Vendor plans release in late march.\r\n2014-03-25: Vendor provides schedule.\r\n2014-03-27: Vendor provides CVE-IDs and releases fixed version.\r\n2014-03-28: SEC Consult releases coordinated security advisory.\r\n\r\n\r\nSolution:\r\n---------\r\nUpdate to the most recent version (2.3.2.110) of Symantec LiveUpdate\r\nAdministrator.\r\n\r\nMore information can be found at:\r\nhttp://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140327_00\r\n\r\n\r\nWorkaround:\r\n-----------\r\nNo workaround available.\r\n\r\n\r\nAdvisory URL:\r\n--------------\r\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\r\n\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nSEC Consult Vulnerability Lab\r\n\r\nSEC Consult\r\nVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius\r\n\r\nHeadquarter:\r\nMooslackengasse 17, 1190 Vienna, Austria\r\nPhone: +43 1 8903043 0\r\nFax: +43 1 8903043 15\r\n\r\nMail: research at sec-consult dot com\r\nWeb: https://www.sec-consult.com\r\nBlog: http://blog.sec-consult.com\r\nTwitter: https://twitter.com/sec_consult\r\n\r\nInterested to work with the experts of SEC Consult?\r\nWrite to career@sec-consult.com\r\n\r\nEOF Stefan Viehbock / @2014\r\n", "modified": "2014-03-31T00:00:00", "published": "2014-03-31T00:00:00", "id": "SECURITYVULNS:DOC:30408", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30408", "title": "SEC Consult SA-20140328-0 :: Multiple vulnerabilities in Symantec LiveUpdate Administrator", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T17:28:48", "bulletinFamily": "exploit", "description": "Bugtraq ID:66399\r\nCVE ID:CVE-2014-1644\r\n\r\nSymantec LiveUpdate Administrator\u662f\u4e00\u6b3eSymantec\u4ea7\u54c1\u5347\u7ea7\u7ba1\u7406\u7a0b\u5e8f\u3002\r\n\r\nSymantec LiveUpdate Administrator\u7ba1\u7406GUI\u5bf9\u767b\u5f55/\u5bc6\u7801\u529f\u80fd\u63d0\u4f9b\u4e0d\u6b63\u786e\u7684\u4fdd\u62a4\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5728\u77e5\u9053\u76ee\u6807\u7528\u6237email\u5730\u5740\u7684\u60c5\u51b5\u4e0b\uff0c\u5229\u7528\u91cd\u7f6e\u5bc6\u7801\u529f\u80fd\u91cd\u7f6e\u7528\u6237\u5bc6\u7801\uff0c\u672a\u6388\u6743\u8fdb\u884c\u8bbf\u95ee\u3002\n0\nSymantec LiveUpdate Administrator 2.x\nSymantec LiveUpdate Administrator 2.3.2.110\u5df2\u7ecf\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u66f4\u65b0\uff1a\r\nhttp://www.symantec.com/business/support/index?page=content&id=TECH134809", "modified": "2014-03-31T00:00:00", "published": "2014-03-31T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62001", "id": "SSV:62001", "title": "Symantec LiveUpdate Administrator\u672a\u6388\u6743\u8bbf\u95ee\u6f0f\u6d1e", "type": "seebug", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T17:30:15", "bulletinFamily": "exploit", "description": "Bugtraq ID:66400\r\nCVE ID:CVE-2014-1645\r\n\r\nSymantec LiveUpdate Administrator\u662f\u4e00\u6b3eSymantec\u4ea7\u54c1\u5347\u7ea7\u7ba1\u7406\u7a0b\u5e8f\u3002\r\n\r\nSymantec LiveUpdate Administrator\u7ba1\u7406GUI\u4e0d\u6b63\u786e\u8fc7\u6ee4\u7528\u6237\u63d0\u4ea4\u7684\u8f93\u5165\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u63d0\u4ea4\u7279\u5236\u7684SQL\u67e5\u8be2\uff0c\u64cd\u4f5c\u6216\u83b7\u53d6\u6570\u636e\u5e93\u6570\u636e\u3002\n0\nSymantec LiveUpdate Administrator 2.x\nSymantec LiveUpdate Administrator 2.3.2.110\u5df2\u7ecf\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u66f4\u65b0\uff1a\r\nhttp://www.symantec.com/business/support/index?page=content&id=TECH134809", "modified": "2014-03-31T00:00:00", "published": "2014-03-31T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62002", "id": "SSV:62002", "title": "Symantec LiveUpdate Administrator SQL\u6ce8\u5165\u6f0f\u6d1e", "type": "seebug", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}]}
