
Bitdefender GravityZone File Disclosure / Missing Authentication
Posted Jul 16, 2014
Authored by S. Viehbock | Site sec-consult.com

Bitdefender GravityZone versions prior to 5.1.11.432 suffer from local file disclosure, insecure service configuration, and missing authentication vulnerabilities.

tags | exploit, local, vulnerability
MD5 | f532a7346452550138acf848b8953d7b


SEC Consult Vulnerability Lab Security Advisory < 20140716-3 >
=======================================================================
title: Multiple critical vulnerabilities
product: Bitdefender GravityZone
vulnerable version: <5.1.11.432
fixed version: >=5.1.11.432
impact: critical
homepage: http://www.bitdefender.com
found: 2014-05-22
by: Stefan Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
Bitdefender GravityZone lets enterprises control and protect the heterogeneous
environments of today. The solution combines highly optimized virtualization
aware security with leading detection technologies and a fresh, but proven,
architecture. It empowers administrators with features adapted to reduce the
daily security hassle and eliminate the need for point solutions with unified
protection across virtualized, physical, and mobile endpoints. Unlike other
solutions that bolt-on modules to an aging architecture, the GravityZone
Control Center dashboard has been designed specifically to unify monitoring
and security management in a single simple and accessible interface.

Source:
http://download.bitdefender.com/resources/media/materials/business/en/datasheet-gravityzone-brief.pdf


Business recommendation:
------------------------
Attackers are able to completely compromise the Bitdefender GravityZone
solution, as they can gain system and database level access.
Furthermore, attackers can manage all endpoints.

The Bitdefender GravityZone installation can be used as an entry point into
the target infrastructure (lateral movement, privilege escalation).

It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Unauthenticated local file disclosure (Web Console, Update Server)
Unauthenticated users can read arbitrary files from the filesystem with the
privileges of the "nginx" operating system user. These files include
configuration files containing sensitive information such as clear text
passwords which can be used in further attacks.

Separate vulnerabilities affecting both Web Console and Update Server were
found.


2) Insecure service configuration / design issues
The MongoDB database which is offered via the network by default (TCP ports
27017, 28017) can be accessed using hardcoded credentials which can't be
changed. The overall system design requires the database to be accessible via
the network.
All relevant GravityZone configuration data can be accessed and changed. This
includes the user table.

Excerpt from the documentation describing the TCP port 27017:
"Default port used by the Communication Server and Control Center to access
the Database."


3) Missing authentication
Certain scripts in the web UI do not require authentication. This allows
unauthenticated attackers to execute administrative functions.


Proof of concept:
-----------------
1) Unauthenticated local file disclosure (Web Console, Update Server)
Arbitrary files can be downloaded via a vulnerable script:
https://<host>/webservice/CORE/downloadFullKitEpc/a/1?id=../../../../../etc/passwd

The Update Server is vulnerable to local file disclosure as well. Arbitrary
files can be downloaded using the following HTTP request:

GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: <host>:7074

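As an added defender-side example (not part of the advisory), the following Python flags the two traversal patterns shown above in nginx-style access logs after bounded percent-decoding, and shows how a download handler confines a user-supplied name to its base directory. The log lines and the `kits` directory name are constructed for the example.

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed nginx-style access log, modelled on the two requests in the
# advisory: a traversal in the "id" parameter and a percent-encoded one in
# the raw request path (plus a double-encoded variant and a benign request).
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jul/2014:10:00:01 +0200] "GET /webservice/CORE/downloadFullKitEpc/a/1?id=kit-1.zip HTTP/1.1" 200 5120
10.0.0.9 - - [16/Jul/2014:10:00:02 +0200] "GET /webservice/CORE/downloadFullKitEpc/a/1?id=../../../../../etc/passwd HTTP/1.1" 200 1402
10.0.0.9 - - [16/Jul/2014:10:00:03 +0200] "GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1402
10.0.0.9 - - [16/Jul/2014:10:00:04 +0200] "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 162
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# A ".." segment delimited by a slash, the start of the string or a "=" (query value).
TRAVERSAL_RE = re.compile(r'(?:^|[/=])\.\.(?:/|$)')


def full_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %2e%2e and %252e%252e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(url_part: str) -> bool:
    """True if the decoded path or any query value contains a '..' segment."""
    decoded = full_decode(url_part).replace("\\", "/")
    return TRAVERSAL_RE.search(decoded) is not None


def flag_traversal_requests(log_text: str) -> List[str]:
    """Return the request targets in the log that contain traversal after decoding."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and has_traversal(m.group(1)):
            hits.append(m.group(1))
    return hits


def safe_download_path(base_dir: str, requested: str) -> Optional[str]:
    """Hardened counterpart to the vulnerable download handler: resolve the fully
    decoded name inside base_dir and refuse anything that escapes it."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, full_decode(requested)))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```
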
2) Insecure service configuration / Design issues
Attackers can connect to MongoDB on TCP ports 27017 and 28017 using the
following hardcoded credentials:
Username: <removed>
Password: <removed>

Detailed proof of concept exploits have been removed for this vulnerability.

3) Missing authentication
Authentication is not required for the following script:
/webservice/CORE/downloadSignedCsr (Unauthenticated certificate upload)



Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in GravityZone 5.1.5.386,
which was the most recent version at the time of discovery.



Vendor contact timeline:
------------------------
2014-05-26: Sending responsible disclosure policy and requesting encryption keys.
2014-05-26: Vendor responds providing encryption keys.
2014-05-26: Sending advisory and proof of concept exploit via encrypted channel.
2014-05-26: Vendor confirms receipt.
2014-06-04: Requesting status update.
2014-06-14: Vendor provides status update. Update will be released "End of June".
2014-06-26: Vendor provides status update. Update for issue #1 and #3 will be
            released June 30. Update for issue #2 will be released at the end
            of July.
2014-06-27: Requesting info about other affected products. Clarifying
            disclosure of issue #2.
2014-07-09: Vendor confirms that update for issue #1 and #3 has been shipped
            and KB article for issue #2 will be released.
2014-07-15: Requesting version numbers of affected products.
2014-07-16: SEC Consult releases coordinated security advisory.



Solution:
---------
Update to a more recent version of Bitdefender GravityZone _and_
implement mitigations for issue #2.

More information can be found at:
http://www.bitdefender.com/support/how-to-configure-iptables-firewall-rules-on-gravityzone-for-restricting-outside-access-to-mongodatabase-1265.html


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Stefan Viehböck / @2014