
OpenVAS Security Advisory (OVSA20110118)

Date: 18th January 2011, updated 24th January 2011
Product: OpenVAS Manager <= 1.0.3 and 2.0rc2
Vendor: OpenVAS <http://www.openvas.org/>
Risk: Medium

Summary

OpenVAS Manager is vulnerable to command injection due to insufficient validation of user-supplied data when processing OMP requests. The vulnerability allows privilege escalation within the OpenVAS Manager, and more complex injection may allow arbitrary code to be executed with the privileges of the OpenVAS Manager on vulnerable systems. CVE-2011-0018 has been assigned to this vulnerability.

The vulnerable code path is only accessible to authenticated users of OpenVAS Manager; however, it may also be triggered either directly or by using a cross-site request forgery based attack via the Greenbone Security Assistant web application. CVE-2011-0650 has been assigned to the cross-site request forgery based attack.

Current Status

As of the 24th January 2011, the state of the vulnerabilities is believed to be as follows. A patch has been supplied by Greenbone Networks which successfully resolves the command injection vulnerability. New releases of both 1.0.x and 2.0.x have also been created which incorporate this patch. Note that the cross-site request forgery elements of this vulnerability have not yet been addressed in the Greenbone Security Assistant web application; however, the vulnerability will be resolved prior to the release of OpenVAS 4.

Technical Details

OpenVAS Manager is vulnerable to command injection due to insufficient validation of user-supplied data when processing OMP requests. This vulnerability allows an authenticated user of the Greenbone Security Assistant web application (which communicates with OpenVAS Manager using OMP) to escalate their privileges with just a few clicks, although more complex attacks may also be possible.

Escalation of privileges can be achieved by accessing the Greenbone Security Assistant and creating an escalator with a modified POST request as follows:

Content-Disposition: form-data; name="method_data:to_address"

none@none>/var/lib/openvas/users/alexander/isadmin

The processing of this request causes GSA to make a request to OpenVAS Manager which causes the command below to be executed with the privileges of the OpenVAS Manager (typically root) using the email() function from manage_sql.c:

command = g_strdup_printf ("echo \""
                              "To: %s\n"
                              "From: %s\n"
                              "Subject: %s\n"
                              "\n"
                              "%s\""
                              " | /usr/sbin/sendmail %s"	 
                              " > /dev/null 2>&1",	 
                              to_address,
                              from_address ? from_address : "automated@openvas.org",
                              subject,
                              body,
                              to_address);
...
if (ret = system (command)...

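As the code shows, an attacker can influence both the to and from addresses within the concatenated string. Because the string is passed to system(), it is interpreted by the shell, so the > in the to_address value above acts as an output redirection and creates the named file. The OpenVAS Manager uses the presence of the file isadmin to determine the privileges associated with the account.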
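A hardened form of the mail call, as an added example (not the OpenVAS patch and not code from the original advisory): the addresses are checked against an allow-list and the mailer is run directly with an argument vector, so no shell parses user-supplied data. The names address_is_safe and send_mail, the mailer path parameter and the allow-list itself are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Allow-list: letters, digits and "@._+-" only, exactly one '@' with text on
   both sides, and no leading '-' (the mailer would parse it as an option). */
int address_is_safe(const char *a)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@._+-";
    size_t n = a ? strlen(a) : 0;
    const char *at;
    if (n == 0 || n > 254 || a[0] == '-' || strspn(a, ok) != n)
        return 0;
    at = strchr(a, '@');
    return at && at != a && at[1] != '\0' && !strchr(at + 1, '@');
}

/* Hypothetical replacement for the email() call: the message reaches the
   mailer on stdin and the recipient is a single argv entry, so no shell ever
   parses attacker-influenced text. Returns the mailer's exit status or -1. */
int send_mail(const char *mailer, const char *to, const char *from,
              const char *subject, const char *body)
{
    FILE *msg;
    pid_t pid;
    int status;
    if (!from) from = "automated@openvas.org";  /* default shown on the page */
    if (!address_is_safe(to) || !address_is_safe(from)
        || !subject || strpbrk(subject, "\r\n") || !body)
        return -1;                    /* CR/LF in a header would inject headers */
    if ((msg = tmpfile()) == NULL) return -1;
    fprintf(msg, "To: %s\nFrom: %s\nSubject: %s\n\n%s\n", to, from, subject, body);
    rewind(msg);                      /* flush, then seek back to the start */
    pid = fork();
    if (pid == 0) {
        dup2(fileno(msg), STDIN_FILENO);
        /* -i: a lone "." line does not end the message; "--": end of options */
        execl(mailer, mailer, "-i", "--", to, (char *)NULL);
        _exit(127);                   /* exec failed */
    }
    fclose(msg);
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With this structure the to_address value from the request above is rejected before any process is started, and even an address that passed validation would reach the mailer as one literal argument.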

The vulnerable code path is only accessible to authenticated users of OpenVAS Manager; however, it may also be triggered either directly or by using a cross-site request forgery based attack via the Greenbone Security Assistant web application.

Fix

OpenVAS recommends that the publicly available patches are applied. If building from source, then either patch r9974 (trunk) or r9976 (1.0.x) should be obtained from the OpenVAS SVN repository. A fresh tarball containing the latest stable release can be obtained from:

In the event that OpenVAS has been supplied as part of a distribution then the vendor or organisation concerned should be contacted for a patch.

History

On 14th January 2011, Ronald Kingma contacted Greenbone Networks to report the described vulnerability affecting OpenVAS Manager.

Greenbone Networks began working on patches to resolve the vulnerability. Over the weekend of the 15th and 16th of January, Greenbone Networks applied patches to resolve the vulnerability in trunk and the 1.0 branch respectively.

On the 17th, Greenbone Networks contacted the OpenVAS security team to notify them of the vulnerability and request assistance in coordinating the disclosure.

The OpenVAS security team, Greenbone Networks and Ronald opened a dialogue in order to draft this advisory and on the 18th, CVE-2011-0018 was assigned for this vulnerability.

The OpenVAS security team continued evaluating the vulnerability, identifying that it may also be triggered using a cross-site request forgery based attack.

OpenVAS Manager 1.0.4 was released on the 19th.

On the 24th, CVE-2011-0650 was assigned to the cross-site request forgery based attack against the Greenbone Security Assistant web application. Greenbone Networks confirm that they have a patch in development but that substantive testing is still required. It is intended that the patch will be incorporated into Greenbone Security Assistant prior to the OpenVAS 4 release.

Thanks

OpenVAS would like to thank Ronald Kingma and Alexander van Eee of ISSX for their help in reporting the vulnerability.