Synopsis
The remote IBM Storwize device is affected by multiple vulnerabilities.
Description
The remote IBM Storwize device is running a version that is 1.3.x prior to 1.4.3.4 or 1.5.x prior to 1.5.0.2. It is, therefore, affected by multiple vulnerabilities:
- A denial of service vulnerability exists due to a flaw in the bundled version of Apache HTTP Server. A remote attacker can exploit this, via partial HTTP requests, to cause a daemon outage, resulting in a denial of service condition. (CVE-2007-6750)
- An HTTP request smuggling vulnerability exists due to a flaw in the bundled version of Apache Tomcat: when an HTTP connector or AJP connector is used, Tomcat fails to properly handle certain inconsistent HTTP request headers. A remote attacker can exploit this flaw, via multiple Content-Length headers or a Content-Length header combined with a 'Transfer-Encoding: chunked' header, to conduct HTTP request smuggling attacks. (CVE-2013-4286)
- A denial of service vulnerability exists in the bundled version of Apache Tomcat due to improper processing of chunked transfer coding with a large amount of chunked data or whitespace characters in an HTTP header value within a trailer field. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2013-4322)
- A denial of service vulnerability exists due to a flaw in the bundled version of Apache Tomcat; an integer overflow condition exists in the parseChunkHeader() function in ChunkedInputFilter.java. A remote attacker can exploit this, via a malformed chunk size that is part of a chunked request, to cause excessive consumption of resources, resulting in a denial of service condition. (CVE-2014-0075)
- A remote code execution vulnerability exists due to a flaw in the bundled version of Apache Struts. A remote attacker can manipulate the ClassLoader via the class parameter, resulting in the execution of arbitrary Java code. (CVE-2014-0094)
- An XML External Entity (XXE) injection vulnerability exists due to a flaw in the bundled version of Apache Tomcat; an incorrectly configured XML parser accepts XML external entities from an untrusted source via XSLT. A remote attacker can exploit this, by sending specially crafted XML data, to gain access to arbitrary files. (CVE-2014-0096)
- An integer overflow condition exists in the bundled version of Apache Tomcat. A remote attacker, via a crafted Content-Length HTTP header, can conduct HTTP request smuggling attacks. (CVE-2014-0099)
- An information disclosure vulnerability exists due to a flaw in the bundled version of Apache Tomcat. Tomcat fails to properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet. A remote attacker can exploit this, via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, to read arbitrary files. (CVE-2014-0119)
- An information disclosure vulnerability exists in the bundled version of Samba due to a flaw in the vfswrap_fsctl() function that is triggered when responding to FSCTL_GET_SHADOW_COPY_DATA or FSCTL_SRV_ENUMERATE_SNAPSHOTS client requests. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to disclose sensitive information from process memory. (CVE-2014-0178)
- Multiple flaws exist in the bundled version of Mozilla Firefox that allow a remote attacker to execute arbitrary code. (CVE-2014-1555, CVE-2014-1556, CVE-2014-1557)
- An information disclosure vulnerability exists due to the chkauth password being saved in plaintext in the audit log. A local attacker can exploit this to gain administrator access. (CVE-2014-3077)
- A denial of service vulnerability exists due to a flaw in the bundled version of Samba. An authenticated, remote attacker can exploit this, via an attempt to read a Unicode pathname without specifying the use of Unicode, to cause an application crash. (CVE-2014-3493)
- A security bypass vulnerability exists due to an unspecified flaw. A remote attacker can exploit this flaw to reset the administrator password to its default value via a direct request to the administrative IP address. Note that this vulnerability only affects the 1.4.x release levels. (CVE-2014-4811)
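The request-framing inconsistencies behind the Tomcat smuggling entries above (CVE-2013-4286 and CVE-2014-0099) are exactly what a reverse proxy or WAF in front of the device can reject. The following is an added example, not code from the plugin or from Tomcat: it scans a raw request head for duplicate or conflicting Content-Length headers, Content-Length combined with Transfer-Encoding, and out-of-range lengths. The sample requests are constructed, and the 2^31-1 cap is an assumed policy limit rather than the exact overflow boundary of any particular Tomcat build.

```python
import re
from typing import List, Tuple

# Constructed request heads (not from the page), as a proxy sees them before the body.
SAMPLES = {
    "clean":   b"POST /svc HTTP/1.1\r\nHost: storwize.example\r\nContent-Length: 5\r\n\r\n",
    "dup_cl":  b"POST /svc HTTP/1.1\r\nHost: storwize.example\r\nContent-Length: 5\r\nContent-Length: 40\r\n\r\n",
    "cl_te":   b"POST /svc HTTP/1.1\r\nHost: storwize.example\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "huge_cl": b"POST /svc HTTP/1.1\r\nHost: storwize.example\r\nContent-Length: 99999999999999999999\r\n\r\n",
}

# Assumed policy bound: anything that does not fit a signed 32-bit int is refused.
MAX_CONTENT_LENGTH = 2**31 - 1


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the head (everything before the blank line) into (name, value)
    pairs with lower-cased names; the request line itself is skipped."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def framing_problems(raw: bytes) -> List[str]:
    """Return every body-framing ambiguity found in the request head.
    An empty list means exactly one unambiguous body length was declared."""
    headers = parse_headers(raw)
    lengths = [v for n, v in headers if n == "content-length"]
    encodings = [v for n, v in headers if n == "transfer-encoding"]
    problems = []
    if len(lengths) > 1:
        # Identical duplicates are merely sloppy; differing values are the smuggling case.
        kind = "conflicting" if len(set(lengths)) > 1 else "duplicate"
        problems.append(f"{kind} Content-Length headers")
    if lengths and encodings:
        problems.append("Content-Length combined with Transfer-Encoding")
    for value in lengths:
        if not re.fullmatch(r"\d+", value):
            problems.append(f"non-numeric Content-Length {value!r}")
        elif int(value) > MAX_CONTENT_LENGTH:
            problems.append("Content-Length exceeds 32-bit range")
    return problems
```

A front-end that drops any request for which framing_problems() is non-empty never has to agree with the back-end Tomcat about which header wins.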
Solution
Upgrade to IBM Storwize version 1.4.3.4 / 1.5.0.2 or later.
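The affected ranges in the description and the fixed releases in the solution reduce to a version comparison, which is what the plugin does against Host/IBM/Storwize/version. The following is an added example in Python, not the plugin's NASL: it assumes a dotted numeric version string, and it reads "1.3.x prior to 1.4.3.4" as the half-open range 1.3.0 <= v < 1.4.3.4, so that 1.4.x builds below 1.4.3.4 are flagged as well (consistent with the CVE-2014-4811 note on 1.4.x).

```python
import re
from typing import Optional, Tuple

# Affected ranges from the description as [lower, fixed) pairs of 4-tuples.
# Assumption: 1.4.x below 1.4.3.4 falls inside the first range.
AFFECTED_RANGES = [
    ((1, 3, 0, 0), (1, 4, 3, 4)),
    ((1, 5, 0, 0), (1, 5, 0, 2)),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a Storwize version string such as '1.4.3.3' into a comparable
    4-tuple of ints, padding missing trailing fields with zeros.
    Raises ValueError for anything that is not one to four dotted integers."""
    m = re.fullmatch(r"\d+(?:\.\d+){0,3}", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the release the host must be upgraded to, or None when the
    reported version lies outside every affected range."""
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        if lower <= v < fixed:
            return ".".join(str(x) for x in fixed)
    return None


def check_host(version: str) -> str:
    """One report line per host, in the spirit of the plugin's verdict."""
    fixed = fixed_version_for(version)
    if fixed is None:
        return f"{version}: not affected"
    return f"{version}: VULNERABLE, upgrade to {fixed} or later"
```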
Plugin Details
File Name: ibm_storwize_1_5_0_2.nasl
Supported Sensors: Nessus
Risk Information
Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
Vulnerability Information
CPE: cpe:/a:ibm:san_volume_controller_software, cpe:/h:ibm:storwize_unified_v7000, cpe:/h:ibm:storwize_v3500, cpe:/h:ibm:storwize_v7000, cpe:/a:ibm:storwize_v7000_unified_software, cpe:/a:ibm:storwize_v7000_software, cpe:/h:ibm:storwize_v5000, cpe:/a:ibm:storwize_v3700_software, cpe:/h:ibm:san_volume_controller, cpe:/h:ibm:storwize_v3700, cpe:/a:ibm:storwize_v5000_software, cpe:/a:ibm:storwize_v3500_software
Required KB Items: Host/IBM/Storwize/version, Host/IBM/Storwize/machine_major, Host/IBM/Storwize/display_name
Exploit Ease: Exploits are available
Patch Publication Date: 7/15/2015
Vulnerability Publication Date: 1/3/2007
Exploitable With
Core Impact
Metasploit (Apache Struts ClassLoader Manipulation Remote Code Execution)
Reference Information
CVE: CVE-2007-6750, CVE-2013-4286, CVE-2013-4322, CVE-2014-0075, CVE-2014-0094, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2014-0178, CVE-2014-1555, CVE-2014-1556, CVE-2014-1557, CVE-2014-3077, CVE-2014-3493, CVE-2014-4811
BID: 21865, 65767, 65773, 65999, 67667, 67668, 67669, 67671, 67686, 68150, 68814, 68822, 68824, 69771, 69773