The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery flood leading to a denial of service on the local LAN segment (e.g., CVE-2013-6014).
Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required (PR): Low
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction (UI): None
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system; a locally authenticated attacker executes code to elevate privileges.
Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality (C): High
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity (I): High
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability (A): High
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: LISTSERV Maestro 9.0-8 Remote Code Execution
Document Title:
===============
LISTSERV Maestro Remote Code Execution Vulnerability
References (Source):
====================
https://www.securifera.com/advisories/sec-2020-0001/
https://www.lsoft.com/products/maestro.asp
Release Date:
=============
2020-10-20
Product & Service Introduction:
===============================
LISTSERV Maestro is an enterprise email marketing solution and allows you to
easily engage your subscribers with targeted, intelligence-based opt-in
campaigns. It offers easy tracking, reporting and list segmentation in a
complete email marketing and analytics package.
Vulnerability Information:
==============================
Class: CWE-917: Expression Language (EL) Injection
Impact: Remote Code Execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2010-1870
Vulnerability Description:
==============================
An unauthenticated remote code execution vulnerability was found in the
LISTSERV Maestro software, version 9.0-8 and prior. This vulnerability stems
from a known issue in Struts, CVE-2010-1870, that allows for code execution
via OGNL injection. This vulnerability has been confirmed to be exploitable
in both the Windows and Linux versions of the software and has existed in the
LISTSERV Maestro software since at least version 8.1-5. As a result, a
specially crafted HTTP request can be constructed that executes code in the
context of the web application. Exploitation of this vulnerability does not
require authentication and can lead to root-level privilege on any system
running the LISTSERV Maestro services.
Vulnerability Disclosure Timeline:
==================================
2020-10-12: Contact Vendor and Request Security Contact Info From Support Team
2020-10-12: Report Vulnerability Information to Vendor
2020-10-12: Vendor Confirms Submission
2020-10-13: Vendor Releases Patch
2020-10-13: Securifera Confirms With Vendor that the Patch Mitigates
CVE-2010-1870 but Suggests Upgrading the Vulnerable Struts Library
2020-10-15: Vendor Approves Public Disclosure
Affected Product(s):
====================
LISTSERV Maestro 9.0-8 and prior
Severity Level:
===============
High
Proof of Concept (PoC):
=======================
A proof of concept will not be provided at this time.
Solution - Fix & Patch:
=======================
Temporary patch:
https://dropbox.lsoft.us/download/LMA9.0-8-patch-2020-10-13.zip
Security Risk:
==============
The security risk of this remote code execution vulnerability is estimated
as high. (CVSS 10.0)
Credits & Authors:
==================
Securifera, Inc - b0yd (@rwincey)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Securifera disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular
purpose. Securifera is not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits or special
damages, even if Securifera or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply. We do not approve or encourage anybody to
break any licenses, policies, or hack into any systems.
Domains: www.securifera.com
Contact: contact [at] securifera [dot] com
Social: twitter.com/securifera
Copyright (C) 2020 | Securifera, Inc