CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
69.6%
The up.time agent for Linux versions 7.5 and 7.6 may allow an unauthenticated remote attacker to read arbitrary files from a system.
CWE-306**: Missing Authentication for Critical Function -**CVE-2015-8268
According to the researcher, “The linux based uptime.agent version 7.5 provides the ability to remotely read any file on the remote system that the uptime.agent has read access to, without authentication.” Idera has identified that versions 7.5 and 7.6 are affected.
Related vulnerabilities were initially reported in VU#377260.
An unauthenticated remote user may be able to read arbitrary files from a system running the Up.time agent for Linux.
Apply an update
Idera has released Up.time version 7.7 which addresses this issue. Affected users are encouraged to update to the latest available version as soon as possible.
Affected users should also consider the following mitigations for this and other vulnerabilities.
Check configuration
According to Idera, affected users may also use the following configuration settings to mitigate these issues:
1. All agents run in a read only mode by default, where they can only poll metrics.
2. In order to use custom scripts or trigger recovery actions, you need to set a password on the agent, or add commands to the .uptmpasswd
file for the linux agent.
3. Agents communication can be encrypted with SSL by using various SSL Tunneling/Proxy Utilities (openSSL, etc). KB articles cover the specifics for implementing with Stunnel on various platforms.
4. Agents running under xinet.d
can also be secured at the service level by restricting incoming connections to only accept connections from the Monitoring Station, or limit the total number of connections, etc.
5. Disable Agent Commands you don’t use either via the Agent Console or editing conf/agent_commands.txt
.
204232
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: December 11, 2015 Updated: May 16, 2016
Statement Date: May 11, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 7.8 | AV:N/AC:L/Au:N/C:C/I:N/A:N |
Temporal | 6.1 | E:POC/RL:OF/RC:C |
Environmental | 4.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Ryan Wincey for reporting this vulnerability.
This document was written by Garret Wassermann.
CVE IDs: | CVE-2015-8268 |
---|---|
Date Public: | 2016-05-11 Date First Published: |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
69.6%