Vulnerabilities > CVE-2008-2234 - Buffer Errors vulnerability in Openwsman 1.2.0/2.0.0

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
openwsman
CWE-119
nessus

Summary

Multiple buffer overflows in Openwsman 1.2.0 and 2.0.0 allow remote attackers to execute arbitrary code via a crafted "Authorization: Basic" HTTP header.

Vulnerable Configurations

Part Description Count
Application
Openwsman
2

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_LIBWSMAN-DEVEL-5531.NASL
    descriptionThis update of openwsman fixes several security vulnerabilities found by the SuSE Security-Team : - remote buffer overflows while decoding the HTTP basic authentication header (CVE-2008-2234) - a possible SSL session replay attack affecting the client (depending on the configuration) (CVE-2008-2233)
    last seen2020-06-01
    modified2020-06-02
    plugin id34025
    published2008-08-22
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/34025
    titleopenSUSE 10 Security Update : libwsman-devel (libwsman-devel-5531)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update libwsman-devel-5531.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(34025);
      script_version ("1.15");
      script_cvs_date("Date: 2019/10/25 13:36:32");
    
      script_cve_id("CVE-2008-2233", "CVE-2008-2234");
      script_xref(name:"IAVB", value:"2008-B-0064");
    
      script_name(english:"openSUSE 10 Security Update : libwsman-devel (libwsman-devel-5531)");
      script_summary(english:"Check for the libwsman-devel-5531 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of openwsman fixes several security vulnerabilities found
    by the SuSE Security-Team :
    
      - remote buffer overflows while decoding the HTTP basic
        authentication header (CVE-2008-2234)
    
      - a possible SSL session replay attack affecting the
        client (depending on the configuration) (CVE-2008-2233)"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libwsman-devel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(94, 119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openwsman");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openwsman-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openwsman-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openwsman-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/08/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/08/22");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE10\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE10.3", reference:"openwsman-1.2.0-14.4") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"openwsman-client-1.2.0-14.4") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"openwsman-devel-1.2.0-14.4") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"openwsman-server-1.2.0-14.4") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openwsman");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_0_LIBWSMAN-DEVEL-080814.NASL
    descriptionThis update of openwsman fixes several security vulnerabilities found by the SuSE Security-Team : - remote buffer overflows while decoding the HTTP basic authentication header (CVE-2008-2234) - a possible SSL session replay attack affecting the client (depending on the configuration) (CVE-2008-2233)
    last seen2020-06-01
    modified2020-06-02
    plugin id40053
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40053
    titleopenSUSE Security Update : libwsman-devel (libwsman-devel-157)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update libwsman-devel-157.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(40053);
      script_version("1.14");
      script_cvs_date("Date: 2019/10/25 13:36:31");
    
      script_cve_id("CVE-2008-2233", "CVE-2008-2234");
      script_xref(name:"IAVB", value:"2008-B-0064");
    
      script_name(english:"openSUSE Security Update : libwsman-devel (libwsman-devel-157)");
      script_summary(english:"Check for the libwsman-devel-157 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of openwsman fixes several security vulnerabilities found
    by the SuSE Security-Team :
    
      - remote buffer overflows while decoding the HTTP basic
        authentication header (CVE-2008-2234)
    
      - a possible SSL session replay attack affecting the
        client (depending on the configuration) (CVE-2008-2233)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=373693"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libwsman-devel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(94, 119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libwsman-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libwsman1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openwsman-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openwsman-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openwsman-ruby");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openwsman-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/08/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/21");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.0", reference:"libwsman-devel-2.0.0-3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"libwsman1-2.0.0-3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"openwsman-client-2.0.0-3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"openwsman-python-2.0.0-3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"openwsman-ruby-2.0.0-3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"openwsman-server-2.0.0-3.3") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openwsman");
    }
    
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2008-0015.NASL
    descriptiona. Updated Openwsman Openwsman is a system management platform that implements the Web Services Management protocol (WS-Management). It is installed and running by default. It is used in the VMware Management Service Console and in ESXi. The openwsman 2.0.0 management service on ESX 3.5 and ESXi 3.5 is vulnerable to the following issue found by the SuSE Security-Team : - Two remote buffer overflows while decoding the HTTP basic authentication header This vulnerability could potentially be exploited by users without valid login credentials. Openwsman before 2.0.0 is not vulnerable to this issue. The ESXi 3.5 patch ESXe350-200808201-O-UG updated openwsman to version 2.0.0. The ESX 3.5 patch ESX350-200808205-UG updated openwsman to version 2.0.0. These patches are installed as part of the ESX and ESXi Upgrade 2 release. The ESX patch can be installed individually. Version Information and Workaround The following VMware KB articles provide information on how to obtain the version of openwsman in your environment and what a possible workaround for the issue might be. ESXi 3.5 Refer to the VMware KB article at http://kb.vmware.com/kb/1005818. ESX 3.5 Refer to the VMware KB article at http://kb.vmware.com/kb/1006878. Note: This vulnerability can be exploited remotely only if the attacker has access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-2234 this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id52010
    published2011-02-17
    reporterThis script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/52010
    titleVMSA-2008-0015 : Updated ESXi and ESX 3.5 packages address critical security issue in openwsman
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from VMware Security Advisory 2008-0015. 
    # The text itself is copyright (C) VMware Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(52010);
      script_version("1.17");
      script_cvs_date("Date: 2018/09/06 14:40:26");
    
      script_cve_id("CVE-2008-2234");
      script_xref(name:"VMSA", value:"2008-0015");
      script_xref(name:"IAVB", value:"2008-B-0064");
    
      script_name(english:"VMSA-2008-0015 : Updated ESXi and ESX 3.5 packages address critical security issue in openwsman");
      script_summary(english:"Checks esxupdate output for the patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote VMware ESXi host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "a.  Updated Openwsman
    
      Openwsman is a system management platform that implements the Web
      Services Management protocol (WS-Management). It is installed and
      running by default. It is used in the VMware Management Service
      Console and in ESXi.
    
      The openwsman 2.0.0 management service on ESX 3.5 and ESXi 3.5 is
      vulnerable to the following issue found by the SuSE Security-Team :
    
      - Two remote buffer overflows while decoding the HTTP basic
        authentication header
    
      This vulnerability could potentially be exploited by users without
      valid login credentials.
     
      Openwsman before 2.0.0 is not vulnerable to this issue. The ESXi
      3.5 patch ESXe350-200808201-O-UG updated openwsman to version 2.0.0.
      The ESX 3.5 patch ESX350-200808205-UG updated openwsman to version
      2.0.0. These patches are installed as part of the ESX and ESXi
      Upgrade 2 release. The ESX patch can be installed individually.
    
      Version Information and Workaround
      The following VMware KB articles provide information on how to
      obtain the version of openwsman in your environment and what a
      possible workaround for the issue might be.
      ESXi 3.5
        Refer to the VMware KB article at http://kb.vmware.com/kb/1005818.
      ESX 3.5
        Refer to the VMware KB article at http://kb.vmware.com/kb/1006878.
    
      Note: This vulnerability can be exploited remotely only if the
            attacker has access to the service console network.
            Security best practices provided by VMware recommend that the
            service console be isolated from the VM network. Please see
            http://www.vmware.com/resources/techresources/726 for more
            information on VMware security best practices.
    
      The Common Vulnerabilities and Exposures Project (cve.mitre.org)
      has assigned the name CVE-2008-2234 this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://lists.vmware.com/pipermail/security-announce/2008/000034.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply the missing patch.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:3.5");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/09/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/02/17");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"VMware ESX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
      script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("vmware_esx_packages.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
    if (
      !get_kb_item("Host/VMware/esxcli_software_vibs") &&
      !get_kb_item("Host/VMware/esxupdate")
    ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    init_esx_check(date:"2008-09-18");
    flag = 0;
    
    
    if (esx_check(ver:"ESXi 3.5.0", patch:"ESXe350-200808501-I-SG")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Saint

bid30694
descriptionOpenwsman HTTP Basic Authentication buffer overflow
idweb_tool_openwsmanver
osvdb47534
titleopenwsman_basic_auth
typeremote

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 30694 CVE(CAN) ID: CVE-2008-2234,CVE-2008-2233 Openwsman是开放源代码的WEB服务管理规范的实现。 Openwsman在解码HTTP基础认证头时存在两个缓冲区溢出漏洞,其客户端受SSL会话中继攻击影响,如果远程攻击者向有漏洞的系统发送了畸形报文的话,就可以触发这些漏洞,导致执行任意指令。 Openwsman Openwsman 2.0 Openwsman Openwsman 1.2 Openwsman --------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.openwsman.org/project/openwsman target=_blank>http://www.openwsman.org/project/openwsman</a>
idSSV:3886
last seen2017-11-19
modified2008-08-20
published2008-08-20
reporterRoot
titleOpenwsman多个远程安全漏洞