CVSS2: 6 Medium (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Attack Vector: NETWORK, Attack Complexity: MEDIUM, Authentication: SINGLE, Confidentiality Impact: PARTIAL, Integrity Impact: PARTIAL, Availability Impact: PARTIAL

CVSS3: 8 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK, Attack Complexity: LOW, Privileges Required: LOW, User Interaction: REQUIRED, Scope: UNCHANGED, Confidentiality Impact: HIGH, Integrity Impact: HIGH, Availability Impact: HIGH

EPSS: 0.002 Low (Percentile 59.3%)
The IBM Spectrum Protect Plus (SPP) administrative console running on the remote host is affected by a remote code execution vulnerability because it allows remote installation of console plugins. An unauthenticated, remote attacker can exploit this and CVE-2020-4711 together, via specially crafted HTTP requests, to execute arbitrary code on the system with root privileges.
Note that the application is reportedly affected by other vulnerabilities; however, this plugin does not test for those issues.
```nasl
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(141471);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/10/16");

  script_cve_id("CVE-2020-4703");
  script_xref(name:"TRA", value:"TRA-2020-54");

  script_name(english:"IBM Spectrum Protect Plus File Upload RCE");

  script_set_attribute(attribute:"synopsis", value:
"A web application running on the remote host is affected by a
remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The IBM Spectrum Protect Plus (SPP) administrative console running
on the remote host is affected by a remote code execution
vulnerability due to the fact that it allows remote installation of
console plugins. An unauthenticated, remote attacker can exploit
this and CVE-2020-4711 together, via specially crafted HTTP requests,
to execute arbitrary code on the system with root privileges.

Note that the application is reportedly affected by other
vulnerabilities; however, this plugin has not tested for those issues.");
  script_set_attribute(attribute:"see_also", value:"https://www.ibm.com/support/pages/node/6328867");
  script_set_attribute(attribute:"solution", value:
"Update the IBM Spectrum Protect Plus RPM package spp-adminconsole to
10.1.6-27 or later. That spp-adminconsole package should be in the IBM
Spectrum Protect Plus 10.1.6 build 2045.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"manual");
  script_set_attribute(attribute:"cvss_score_rationale", value:"PoC demonstrates unauthenticated RCE as root.");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/09/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/09/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/10/15");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:spectrum_protect_plus");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ibm_spp_admin_console_detect.nbin");
  script_require_keys("installed_sw/IBM Spectrum Protect Plus Administrative Console");
  script_require_ports("Services/www", 8090);

  exit(0);
}

include('http.inc');
include('webapp_func.inc');

app = 'IBM Spectrum Protect Plus Administrative Console';

# Exit if app is not detected on the host.
get_install_count(app_name:app, exit_if_zero:TRUE);

# Exit if app is not detected on this http port.
port = get_http_port(default:8090, ignore_broken:TRUE);
get_single_install(app_name:app, port:port);

url = '/api/plugin/?action=install_single';

# Use a dead download URL so that no file will be uploaded to the
# remote host.
filename = 'no_such_file_' + rand_str(length:8);
download_url = 'http://localhost:12345/' + filename;

data = '{' +
  '"url": "' + download_url + '",' +   # Where to download the file
  '"filename": "' + filename + '",' +  # File name to be saved as
  '"type": "FILE",' +                  # Install type
  # pluginName folder to save the downloaded file
  #
  # /opt/adminconsole/plugins/<pluginName>/<filename> will be created
  # if <filename> is downloaded successfully from <url>.
  '"pluginName": "emi/../../../../../tmp"' +
  '}';

# Response may be delayed as the vulnerable server tries to download
# a file from a dead URL link.
if (http_get_read_timeout() < 20)
  http_set_read_timeout(20);

res = http_send_recv3(
  port         : port,
  method       : 'POST',
  item         : url,
  data         : data,
  content_type : 'application/json',
  exit_on_fail : TRUE
);

# Patched server removed POST support to /api/plugin.
# It returns a '501 Not Implemented'.
if (' 501 ' >< res[0])
  audit(AUDIT_LISTEN_NOT_VULN, app, port);
#
# Vulnerable server processes the request and returns 200.
# No file was uploaded to the remote host because a dead download
# URL was used, and installation of <pluginName> failed.
else if (' 200 ' >< res[0])
{
  extra = 'Nessus was able to detect the issue by sending the' +
          ' following HTTP request to the remote host : ' +
          '\n' +
          '\n' +
          http_last_sent_request();

  security_report_v4(
    port     : port,
    severity : SECURITY_HOLE,
    extra    : extra
  );
}
# Unexpected response status
else
  audit(AUDIT_RESP_BAD, port, 'an HTTP request. Unexpected HTTP response status ' + chomp(res[0]));
```
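The Nessus check above probes the console remotely; as an added example (not part of the Tenable plugin or of IBM's tooling), the following Python performs the complementary local check for the plugin's solution text, comparing the installed spp-adminconsole RPM version-release against the fixed build 10.1.6-27 with a simplified rpmvercmp. It assumes the host has `rpm` and that `rpm -q --qf '%{VERSION}-%{RELEASE}' spp-adminconsole` prints a string such as `10.1.6-27`.

```python
import re
import subprocess

# Fixed version-release from the plugin's solution text ("10.1.6-27 or later").
FIXED_VERSION = "10.1.6-27"

def _segments(s):
    """Split a version/release into numeric and alphabetic runs (rpmvercmp-style)."""
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Return -1, 0 or 1 comparing two RPM version (or release) strings.
    Numeric segments compare as integers, alphabetic ones lexically, and a
    numeric segment outranks an alphabetic one, as in rpm's rpmvercmp."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0

def compare_vr(installed, fixed):
    """Compare two 'VERSION-RELEASE' strings: version first, then release."""
    iv, _, ir = installed.partition("-")
    fv, _, fr = fixed.partition("-")
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def is_patched(installed_vr, fixed_vr=FIXED_VERSION):
    """True when the installed spp-adminconsole is at or beyond the fixed build."""
    return compare_vr(installed_vr, fixed_vr) >= 0

def query_installed():
    """Ask rpm for the installed spp-adminconsole VERSION-RELEASE (assumed
    package name). Returns None when the package is absent or rpm is missing."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "spp-adminconsole"],
            capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None
```

On the SPP host, `vr = query_installed()` followed by `is_patched(vr)` (when `vr` is not None) gives the local verdict, which should agree with the remote 501-versus-200 result of the plugin.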
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | spectrum_protect_plus | | cpe:/a:ibm:spectrum_protect_plus |