{"vuid":"VU#449452","idnumber":"449452","name":"Zenoss Core contains multiple vulnerabilities","keywords":[""],"overview":"The Zenoss Core application, server, and network management platform software contains multiple vulnerabilities, the most severe of which could allow a remote attacker to execute arbitrary code.","clean_desc":"The Zenoss Core application, server, and network management platform software version 4.2.4 contains a collection of vulnerabilities that impacts several aspects of the software. A brief summary of the types of vulnerabilities present is provided below. CVE-2014-6253: Systemic Cross Site Request Forgery\nCVE-2014-6254: Systemic Stored Cross-Site Scripting in Zenoss Attributes\nCVE-2014-6254: Cross Site Scripting from Exposed Helper Methods\nCVE-2014-6255: Open Redirect in Login Form\nCVE-2014-6256: Authorization Bypass Allows Moving Arbitrary Files\nCVE-2014-6257: Systemic Authorization Bypasses\nCVE-2014-6258: Denial of Service from User-Supplied Regular Expression\nCVE-2014-6259: Denial of Service via XML Recursive Entity Expansion (\"Billion Laughs\")\nCVE-2014-6260: Page Command can be Edited Without Password Re-Entry\nCVE-2014-6261: Remote Code Execution via Version Check\nCVE-2014-6262: Denial of Service via RRDtool Format String Vulnerability  (this vulnerability is due to RRDtool)\nCVE-2014-9245: Stack Trace Contains Internal URLs and Other Sensitive Information\nCVE-2014-9246: Cross-Site Request Forgery Leads to ZenPack Installation\nCVE-2014-9246: Sessions Do Not Expire\nCVE-2014-9247: User Enumeration via User Manager\nCVE-2014-9248: No Password Complexity Requirements\nCVE-2014-9249: Exposed Services in Default Configuration\nCVE-2014-9250: Cookie Authentication is Insecure\nCVE-2014-9251: Weak Password Hashing Algorithm\nCVE-2014-9252: Plaintext Password Stored in Session on Server For more details, please see this spreadsheet, specifically the \"Impact Description\" column. Included in the linked spreadsheet are Zenoss tracking numbers for each issue. The CVSS score below is based on CVE-2014-9246.","impact":"The most severe issues (CVE-2014-6261 and CVE-2014-9246) allow remote code execution and installation of arbitrary packages, allowing full compromise of the system running Zenoss. For more details, please see this spreadsheet, specifically the \"Impact Description\" column.","resolution":"Apply an update manually CVE-2014-6255 and CVE-2014-9246 (Sessions Do Not Expire) are resolved in the latest Zenoss Core 4.2.5 SP. Manually download the update as described below (\"Disable automatic update check\"), and apply the update as soon as possible. Zenoss plans for most of the rest of the issues to be addressed in a future maintenance release of Zenoss Core 5. For more information, please see this spreadsheet; specifically the \"Vendor Status\" column which provides the vendor's response for the issue, and the \"Zenoss Bug ID\" column which provides Zenoss's internal tracking number for the issue.","workarounds":"Use SSL/HTTPS CVE-2014-9250 can be mitigated by enabling SSL/HTTPS to better protect cookie-based authentication data. Please see Zenoss's recommendation in this spreadsheet. Disable automatic update check CVE-2014-6261 can be mitigated by unchecking \"Check For Updates\" in the Zenoss Versions page in the web interface. Note that you can also manually check for updates in the web interface, which triggers the same actions, and is therefore also vulnerable. Instead, users should check the Zenoss website for new versions, rather than using the in-app check. To avoid CSRF exploitation, users should also use a separate browser (or profile) for Zenoss, that is not shared with any other browsing.","sysaffected":"","thanks":"Thanks to Ryan Koppenhaver and Andy Schmitz of Matasano Security for reporting these vulnerabilities.","author":"This document was written by Garret Wassermann.","public":["h","t","t","p","s",":","/","/","d","o","c","s",".","g","o","o","g","l","e",".","c","o","m","/","s","p","r","e","a","d","s","h","e","e","t","s","/","d","/","1","d","H","A","c","4","P","x","U","b","s","-","4","D","x","z","m","1","w","S","C","E","0","s","M","z","5","U","C","M","Y","6","S","W","3","P","l","M","H","S","y","u","u","Q","/","e","d","i","t","?","u","s","p","=","s","h","a","r","i","n","g"],"cveids":["CVE-2014-6253","CVE-2014-6254","CVE-2014-9245","CVE-2014-6255","CVE-2014-6261","CVE-2014-6256","CVE-2014-9246","CVE-2014-9247","CVE-2014-9248","CVE-2014-6257","CVE-2014-9249","CVE-2014-9250","CVE-2014-6258","CVE-2014-6260","CVE-2014-9251","CVE-2014-6259","CVE-2014-6262","CVE-2014-9252"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2014-10-10T11:10:47Z","publicdate":"2014-12-05T00:00:00Z","datefirstpublished":"2014-12-05T18:35:09Z","dateupdated":"2014-12-08T15:54:03Z","revision":46,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"H","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"8.5","cvss_basevector":"AV:N/AC:M/Au:S/C:C/I:C/A:C","cvss_temporalscore":"7.7","cvss_environmentalscore":"7.65519552","cvss_environmentalvector":"CDP:ND/TD:H/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}