The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
High
PR
The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: Micro Focus Vibe 4.0.6 HTML Injection
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2019-046
Product: Micro Focus Vibe (formerly Novelle Vibe)
Manufacturer: Micro Focus International plc
Affected Version(s): 4.0.6
Tested Version(s): 4.0.6
Vulnerability Type: HTML Injection (CWE-79)
Risk Level: Low
Solution Status: Fixed
Manufacturer Notification: 2019-11-07
Solution Date: 2020-03-24
Public Disclosure: 2020-03-25
CVE Reference: Not assigned
Author of Advisory: Dr. Vladimir Bostanov, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Micro Focus Vibe is a web-based team collaboration platform that can
serve as a knowledge repository, document management system, project
collaboration hub, process automation machine, corporate intranet or
extranet [1].
The manufacturer describes the product as follows (see [2]):
"Micro Focus Vibe (formerly Novell Vibe) brings people, projects, and
processes together in one secure place to enhance team productivity --
no matter where the team is or what devices they use."
Due to insufficient server-side validation of user input, Vibe is
vulnerable to injection of malicious HTML markup into file titles.
(For a related vulnerability, see our advisory SYSS-2019-047 [3])
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
In Vibe, an uploaded file can be assigned a title that is different
from the filename. While HTML markup is not allowed in filenames, it is
partially accepted in file titles. This behavior poses a low to medium
security risk, because it can be exploited by an authenticated attacker
to inject malicious HTML markup into the title of a file uploaded by
the attacker. For instance, the attacker can submit an external link as
a file title, thus changing Vibe's expected behavior upon clicking on
the title -- the malicious external resource will be requested instead
of the internal page of the uploaded file. With a little social
engineering, authenticated victims can be tricked into submitting their
Vibe credentials to the attacker's server, by directing the victim's
browser to a fake Vibe login page and prompting the victim to log in
again, because of an alleged error.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
An authenticated attacker uploads a file with, e.g., the following
title:
</a><a href="https://evil.me/fakeVibeLogin.html">Meaningful Title
An authenticated victim sees the title "Meaningful Title" on the list of
latest uploads and clicks on it. The victim's browser is directed to the
fake Vibe login page with the URL https://evil.me/fakeVibeLogin.html.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Upgrade Vibe to version 4.0.7.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2019-10-27: Vulnerability discovered
2019-11-07: Vulnerability reported to manufacturer
2020-03-24: Patch released by manufacturer
2020-03-25: Public disclosure of vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] WikipediA Article on Novelle Vibe
https://en.wikipedia.org/wiki/Novell_Vibe
[2] Product website for Micro Focus Vibe
https://www.microfocus.com/en-us/products/micro-focus-vibe/overview
[3] SySS Security Advisory SYSS-2019-047
Stored Cross-Site Scripting (XSS) in Micro Focus Vibe
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-047.txt
[4] SySS Security Advisory SYSS-2019-046
HTML Injection in Micro Focus Vibe
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-046.txt
[5] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found
by Dr. Vladimir Bostanov of SySS GmbH.
E-Mail: [email protected]
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Vladimir_Bostanov.asc
Key ID: 0xA589542B
Key Fingerprint: 4989 C59F D54B E926 3A81 E37C A7A9 1848 A589 542B
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory
may be updated in order to provide as accurate information as possible.
The latest version of this security advisory is available on the
SySS GmbH web site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
iQJOBAEBCgA4FiEESYnFn9VL6SY6geN8p6kYSKWJVCsFAl59+8YaHHZsYWRpbWly
LmJvc3Rhbm92QHN5c3MuZGUACgkQp6kYSKWJVCslug/7BVr87qoAM5WGun8hfUy3
oBgteVtVpAXUMymZktz+NsBL2oN0cLbZ4m0rKMewFN20xRz4AAl6bfN6+2tloKPI
giP6KLAo99Zps1xAGoUVeYvotPeBTG7tV89WBjRVCLIFOw0xBmUZ5dtejkyXfkQw
TGe+DILUxrPLKNZQ7rMuXN89YQZ9QblNxB5z9Dn0W53awrgAGEx6ef2iyJanyrJ/
Gt5+HLrMFumPsWKadYklS31o1R0wVONnAb21H9IC5n8VBK1hSZbrpdzOPgjxr4jV
V9znqC1VeOUrGqUlAClg+3i5uzQ/cqsl5VZRnmhBGNwC0yINUE6Ema8GIXUCFCdT
J/ZneuI9X0AJFNxToqy2WRQQBLRehi7OlgS18+T7Ud18Ie+v+8vNPS2dJoC7Og/p
YKAxjqGUEvFqNzZD7TAoDgXTpsFOM3/HgymrbiI32QtJ7GjP5XbsrsM+euhTV30W
ckvuwaHqYH9CgTdcKosmy0Zr4LBRNv7+4YQBZhxiRUiohUF5wMzWeQDTkJSb1gDV
UpPk6J9eflIEv4aX07+7rJx/ukhKUUy6tgmbJsuhT7e5r59FHd9a2VTx7k+Omqqs
BdSK7BIHMVXFI45sR/k7EJgnRLpVgo2MNdRuikIR+DwD0BuuY41no/6YGLUDRfdZ
TThuN0FOmUqT7Fu9L22xtOc=
=o5ws
-----END PGP SIGNATURE-----
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum