Vulnerabilities > CVE-2008-2234 - Buffer Errors vulnerability in Openwsman 1.2.0/2.0.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Multiple buffer overflows in Openwsman 1.2.0 and 2.0.0 allow remote attackers to execute arbitrary code via a crafted "Authorization: Basic" HTTP header.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 2 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_LIBWSMAN-DEVEL-5531.NASL description This update of openwsman fixes several security vulnerabilities found by the SuSE Security-Team : - remote buffer overflows while decoding the HTTP basic authentication header (CVE-2008-2234) - a possible SSL session replay attack affecting the client (depending on the configuration) (CVE-2008-2233) last seen 2020-06-01 modified 2020-06-02 plugin id 34025 published 2008-08-22 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/34025 title openSUSE 10 Security Update : libwsman-devel (libwsman-devel-5531) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update libwsman-devel-5531. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(34025); script_version ("1.15"); script_cvs_date("Date: 2019/10/25 13:36:32"); script_cve_id("CVE-2008-2233", "CVE-2008-2234"); script_xref(name:"IAVB", value:"2008-B-0064"); script_name(english:"openSUSE 10 Security Update : libwsman-devel (libwsman-devel-5531)"); script_summary(english:"Check for the libwsman-devel-5531 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update of openwsman fixes several security vulnerabilities found by the SuSE Security-Team : - remote buffer overflows while decoding the HTTP basic authentication header (CVE-2008-2234) - a possible SSL session replay attack affecting the client (depending on the configuration) (CVE-2008-2233)" ); script_set_attribute( attribute:"solution", value:"Update the affected libwsman-devel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_cwe_id(94, 119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openwsman"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openwsman-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openwsman-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openwsman-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.3"); script_set_attribute(attribute:"patch_publication_date", value:"2008/08/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/08/22"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.3", reference:"openwsman-1.2.0-14.4") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"openwsman-client-1.2.0-14.4") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"openwsman-devel-1.2.0-14.4") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"openwsman-server-1.2.0-14.4") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openwsman"); }
NASL family SuSE Local Security Checks NASL id SUSE_11_0_LIBWSMAN-DEVEL-080814.NASL description This update of openwsman fixes several security vulnerabilities found by the SuSE Security-Team : - remote buffer overflows while decoding the HTTP basic authentication header (CVE-2008-2234) - a possible SSL session replay attack affecting the client (depending on the configuration) (CVE-2008-2233) last seen 2020-06-01 modified 2020-06-02 plugin id 40053 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40053 title openSUSE Security Update : libwsman-devel (libwsman-devel-157) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update libwsman-devel-157. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(40053); script_version("1.14"); script_cvs_date("Date: 2019/10/25 13:36:31"); script_cve_id("CVE-2008-2233", "CVE-2008-2234"); script_xref(name:"IAVB", value:"2008-B-0064"); script_name(english:"openSUSE Security Update : libwsman-devel (libwsman-devel-157)"); script_summary(english:"Check for the libwsman-devel-157 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update of openwsman fixes several security vulnerabilities found by the SuSE Security-Team : - remote buffer overflows while decoding the HTTP basic authentication header (CVE-2008-2234) - a possible SSL session replay attack affecting the client (depending on the configuration) (CVE-2008-2233)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=373693" ); script_set_attribute( attribute:"solution", value:"Update the affected libwsman-devel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_cwe_id(94, 119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libwsman-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libwsman1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openwsman-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openwsman-python"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openwsman-ruby"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openwsman-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.0"); script_set_attribute(attribute:"patch_publication_date", value:"2008/08/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/21"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE11\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.0", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE11.0", reference:"libwsman-devel-2.0.0-3.3") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"libwsman1-2.0.0-3.3") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"openwsman-client-2.0.0-3.3") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"openwsman-python-2.0.0-3.3") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"openwsman-ruby-2.0.0-3.3") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"openwsman-server-2.0.0-3.3") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openwsman"); }
NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2008-0015.NASL description a. Updated Openwsman Openwsman is a system management platform that implements the Web Services Management protocol (WS-Management). It is installed and running by default. It is used in the VMware Management Service Console and in ESXi. The openwsman 2.0.0 management service on ESX 3.5 and ESXi 3.5 is vulnerable to the following issue found by the SuSE Security-Team : - Two remote buffer overflows while decoding the HTTP basic authentication header This vulnerability could potentially be exploited by users without valid login credentials. Openwsman before 2.0.0 is not vulnerable to this issue. The ESXi 3.5 patch ESXe350-200808201-O-UG updated openwsman to version 2.0.0. The ESX 3.5 patch ESX350-200808205-UG updated openwsman to version 2.0.0. These patches are installed as part of the ESX and ESXi Upgrade 2 release. The ESX patch can be installed individually. Version Information and Workaround The following VMware KB articles provide information on how to obtain the version of openwsman in your environment and what a possible workaround for the issue might be. ESXi 3.5 Refer to the VMware KB article at http://kb.vmware.com/kb/1005818. ESX 3.5 Refer to the VMware KB article at http://kb.vmware.com/kb/1006878. Note: This vulnerability can be exploited remotely only if the attacker has access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-2234 this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 52010 published 2011-02-17 reporter This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/52010 title VMSA-2008-0015 : Updated ESXi and ESX 3.5 packages address critical security issue in openwsman code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory 2008-0015. # The text itself is copyright (C) VMware Inc. # include("compat.inc"); if (description) { script_id(52010); script_version("1.17"); script_cvs_date("Date: 2018/09/06 14:40:26"); script_cve_id("CVE-2008-2234"); script_xref(name:"VMSA", value:"2008-0015"); script_xref(name:"IAVB", value:"2008-B-0064"); script_name(english:"VMSA-2008-0015 : Updated ESXi and ESX 3.5 packages address critical security issue in openwsman"); script_summary(english:"Checks esxupdate output for the patch"); script_set_attribute( attribute:"synopsis", value:"The remote VMware ESXi host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "a. Updated Openwsman Openwsman is a system management platform that implements the Web Services Management protocol (WS-Management). It is installed and running by default. It is used in the VMware Management Service Console and in ESXi. The openwsman 2.0.0 management service on ESX 3.5 and ESXi 3.5 is vulnerable to the following issue found by the SuSE Security-Team : - Two remote buffer overflows while decoding the HTTP basic authentication header This vulnerability could potentially be exploited by users without valid login credentials. Openwsman before 2.0.0 is not vulnerable to this issue. The ESXi 3.5 patch ESXe350-200808201-O-UG updated openwsman to version 2.0.0. The ESX 3.5 patch ESX350-200808205-UG updated openwsman to version 2.0.0. These patches are installed as part of the ESX and ESXi Upgrade 2 release. The ESX patch can be installed individually. Version Information and Workaround The following VMware KB articles provide information on how to obtain the version of openwsman in your environment and what a possible workaround for the issue might be. ESXi 3.5 Refer to the VMware KB article at http://kb.vmware.com/kb/1005818. ESX 3.5 Refer to the VMware KB article at http://kb.vmware.com/kb/1006878. Note: This vulnerability can be exploited remotely only if the attacker has access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-2234 this issue." ); script_set_attribute( attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2008/000034.html" ); script_set_attribute(attribute:"solution", value:"Apply the missing patch."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:3.5"); script_set_attribute(attribute:"patch_publication_date", value:"2008/09/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/02/17"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"VMware ESX Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version"); script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs"); exit(0); } include("audit.inc"); include("vmware_esx_packages.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi"); if ( !get_kb_item("Host/VMware/esxcli_software_vibs") && !get_kb_item("Host/VMware/esxupdate") ) audit(AUDIT_PACKAGE_LIST_MISSING); init_esx_check(date:"2008-09-18"); flag = 0; if (esx_check(ver:"ESXi 3.5.0", patch:"ESXe350-200808501-I-SG")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
Saint
bid | 30694 |
description | Openwsman HTTP Basic Authentication buffer overflow |
id | web_tool_openwsmanver |
osvdb | 47534 |
title | openwsman_basic_auth |
type | remote |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 30694 CVE(CAN) ID: CVE-2008-2234,CVE-2008-2233 Openwsman是开放源代码的WEB服务管理规范的实现。 Openwsman在解码HTTP基础认证头时存在两个缓冲区溢出漏洞,其客户端受SSL会话中继攻击影响,如果远程攻击者向有漏洞的系统发送了畸形报文的话,就可以触发这些漏洞,导致执行任意指令。 Openwsman Openwsman 2.0 Openwsman Openwsman 1.2 Openwsman --------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.openwsman.org/project/openwsman target=_blank>http://www.openwsman.org/project/openwsman</a> |
id | SSV:3886 |
last seen | 2017-11-19 |
modified | 2008-08-20 |
published | 2008-08-20 |
reporter | Root |
title | Openwsman多个远程安全漏洞 |
References
- http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00003.html
- http://lists.vmware.com/pipermail/security-announce/2008/000034.html
- http://secunia.com/advisories/31410
- http://secunia.com/advisories/31429
- http://secunia.com/advisories/31942
- http://www.securityfocus.com/archive/1/496528/100/0/threaded
- http://www.securityfocus.com/bid/30694
- http://www.vmware.com/security/advisories/VMSA-2008-0015.html
- http://www.vupen.com/english/advisories/2008/2397
- http://www.vupen.com/english/advisories/2008/2624
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44481
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44484