[OVSA20131108] OpenVAS Manager And OpenVAS Administrator Vulnera

Board: Bugtraq   Posted: 12 years ago (2013/12/22 10:32)
It should be noted that not all of the newly available commands are functional
and that exploitation typically requires SSH access to the host on which the
services are installed.

-- 
Tim Brown <mailto:timb@openvas.org> <http://www.openvas.org>

Attachment: OVSA20131108.txt

OpenVAS Security Advisory (OVSA20131108)

Date:    8th November 2013
Product: OpenVAS Manager < 3.0.7 and < 4.0.4 and OpenVAS Administrator < 1.2.2
         and < 1.3.2
Vendor:  OpenVAS <http://www.openvas.org/>
Risk:    Low

Summary

It has been identified that OpenVAS Manager and OpenVAS Administrator are
vulnerable to authentication bypass due to an incorrect state assignment when
processing OMP and OAP requests. It has been identified that this
vulnerability may allow unauthorised access to OpenVAS Manager and OpenVAS
Administrator on vulnerable systems. CVE-2013-6765 has been assigned to this
vulnerability in Manager and CVE-2013-6766 to the same vulnerability in
Administrator.

Current Status

As of the 8th November, the state of the vulnerabilities is believed to be as
follows. Patches have been supplied by Greenbone Networks which successfully
resolve this vulnerability. New releases of both OpenVAS Manager and OpenVAS
Administrator have also been created which incorporate these patches.

Technical Details

It has been identified that OpenVAS Manager and OpenVAS Administrator are
vulnerable to authentication bypass due to an invalid state assignment when
processing OMP and OAP requests.

Upon processing an OMP or OAP request to retrieve the version information
from OpenVAS Administrator or OpenVAS Manager, the state is incorrectly set to
CLIENT_AUTHENTIC, allowing additional OMP and OAP commands to be called. This
can be seen in the omp_xml_handle_end_element() function from omp.c (for
OpenVAS Manager):

    if (client_state)
      set_client_state (CLIENT_AUTHENTIC);
    else
      set_client_state (CLIENT_TOP);
    break;

In this instance, the first condition will always hold, since client_state is
always non-zero at that point. Rather, the check should be whether
client_state is currently set to CLIENT_GET_VERSION_AUTHENTIC.

It should be noted that not all of the newly available commands are
functional, since they often rely upon additional session state information
being present, which will not be the case where the authentication has been
bypassed. Furthermore, the vulnerable code path is typically only accessible
to users who have logged into a host running OpenVAS Manager or OpenVAS
Administrator via SSH, as the affected services are typically only bound to
localhost.

Fix

OpenVAS recommends that the publicly available patches are applied. If
building from source, then patches r18285 (for OpenVAS Administrator 1.2.x) or
r18281 (for Administrator 1.3.x) and r18276 (for OpenVAS Manager 3.0.x) or
r18271 (for Manager 4.0.x) should be obtained from the OpenVAS SVN repository.

A fresh tarball containing the latest stable release of Administrator can be
obtained from:

* http://wald.intevation.org/frs/download.php/1442/openvas-administrator-1.3.2.tar.gz

A fresh tarball containing the latest stable release of Manager can be
obtained from:

* http://wald.intevation.org/frs/download.php/1434/openvas-manager-4.0.4.tar.gz

In the event that OpenVAS has been supplied as part of a distribution then the
vendor or organisation concerned should be contacted for a patch. Known major
distributors of OpenVAS precompiled packages have already been notified.

History

On the 3rd August 2013, Antonio Sanchez Arago initially attempted to contact
the OpenVAS security team to report the issue in OpenVAS Manager; however, it
was missed as many of the team were on annual leave. Unfortunately, it was not
picked up until Antonio attempted to contact us again in late October. On this
occasion, it was picked up and the team were able to reproduce the
vulnerability.

On the 7th November, we contacted Antonio to confirm that the team had
successfully reproduced the issue and Greenbone Networks to notify them of the
vulnerability and request assistance in coordinating the disclosure. Major
distributors of OpenVAS precompiled packages were also notified about the
upcoming patches. New versions of both OpenVAS Manager and OpenVAS
Administrator were released on the 8th. The OpenVAS security team then
contacted MITRE and on the 9th November, CVE-2013-6764 and CVE-2013-6766 were
assigned for this vulnerability.

Thanks

OpenVAS would like to thank Antonio Sanchez Arago for his help in reporting
the vulnerability and apologise to all concerned for the substantial delay in
triaging his report.
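The state-machine defect described under Technical Details, modelled as an added example (this is not OpenVAS Manager's or Administrator's own code). The state names CLIENT_TOP, CLIENT_AUTHENTIC and CLIENT_GET_VERSION_AUTHENTIC come from the advisory; CLIENT_GET_VERSION, the two transition functions, the event strings and the replay driver are assumptions made for this illustration. The vulnerable transition is the truthiness test quoted in the advisory, the fixed transition is the equality check the advisory recommends, and the driver replays a constructed unauthenticated session against each so the difference can be checked as a regression test.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of the OMP client state machine described in the advisory.
 * Added illustration, not OpenVAS code: CLIENT_TOP, CLIENT_AUTHENTIC and
 * CLIENT_GET_VERSION_AUTHENTIC are named in the advisory; CLIENT_GET_VERSION,
 * the function names and the event strings are assumptions for this example.
 * CLIENT_TOP is deliberately the zero value, which is why a plain truthiness
 * test on client_state cannot distinguish pre-login from post-login. */
typedef enum {
    CLIENT_TOP = 0,                /* connected, not authenticated */
    CLIENT_GET_VERSION,            /* inside <get_version/> before login */
    CLIENT_GET_VERSION_AUTHENTIC,  /* inside <get_version/> after login */
    CLIENT_AUTHENTIC               /* logged in; all commands permitted */
} client_state_t;

/* Vulnerable transition, as quoted in the advisory: any non-zero state,
 * including the unauthenticated CLIENT_GET_VERSION, becomes CLIENT_AUTHENTIC
 * when </get_version> is processed. */
static client_state_t end_get_version_vulnerable(client_state_t client_state)
{
    if (client_state)
        return CLIENT_AUTHENTIC;
    return CLIENT_TOP;
}

/* Fixed transition: only a session that was already authenticated when it
 * issued get_version returns to CLIENT_AUTHENTIC; anything else drops back
 * to CLIENT_TOP. */
static client_state_t end_get_version_fixed(client_state_t client_state)
{
    if (client_state == CLIENT_GET_VERSION_AUTHENTIC)
        return CLIENT_AUTHENTIC;
    return CLIENT_TOP;
}

/* Replay a sequence of protocol events against either transition and report
 * whether the privileged command <get_tasks/> was accepted.  <authenticate/>
 * stands in for a successful login. */
static bool privileged_command_accepted(const char *const *events, size_t n,
                                        bool use_fix)
{
    client_state_t state = CLIENT_TOP;
    bool accepted = false;

    for (size_t i = 0; i < n; i++) {
        if (strcmp(events[i], "<authenticate/>") == 0) {
            if (state == CLIENT_TOP)
                state = CLIENT_AUTHENTIC;
        } else if (strcmp(events[i], "<get_version>") == 0) {
            state = (state == CLIENT_AUTHENTIC) ? CLIENT_GET_VERSION_AUTHENTIC
                                                : CLIENT_GET_VERSION;
        } else if (strcmp(events[i], "</get_version>") == 0) {
            state = use_fix ? end_get_version_fixed(state)
                            : end_get_version_vulnerable(state);
        } else if (strcmp(events[i], "<get_tasks/>") == 0) {
            /* Privileged command: honoured only in CLIENT_AUTHENTIC. */
            accepted = (state == CLIENT_AUTHENTIC);
        }
    }
    return accepted;
}

/* Constructed sessions: the first never authenticates, the second does. */
static const char *const UNAUTH_SESSION[] = {
    "<get_version>", "</get_version>", "<get_tasks/>"
};
static const char *const AUTH_SESSION[] = {
    "<authenticate/>", "<get_version>", "</get_version>", "<get_tasks/>"
};
#define N_UNAUTH (sizeof UNAUTH_SESSION / sizeof UNAUTH_SESSION[0])
#define N_AUTH   (sizeof AUTH_SESSION / sizeof AUTH_SESSION[0])

int main(void)
{
    printf("unauthenticated, vulnerable: get_tasks accepted = %d\n",
           privileged_command_accepted(UNAUTH_SESSION, N_UNAUTH, false));
    printf("unauthenticated, fixed:      get_tasks accepted = %d\n",
           privileged_command_accepted(UNAUTH_SESSION, N_UNAUTH, true));
    printf("authenticated,   fixed:      get_tasks accepted = %d\n",
           privileged_command_accepted(AUTH_SESSION, N_AUTH, true));
    return 0;
}
```

The third replay matters as much as the first two: a fix that only rejected the unauthenticated session would be easy to write by always returning CLIENT_TOP, which would log out every client that asked for the version. Keeping the authenticated session's result unchanged is what makes the equality check the right repair rather than merely a stricter one.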