Vulnerabilities > CVE-2011-2893 - Resource Management Errors vulnerability in IBM Lotus Symphony 3.0.0/3.0.0.1/3.0.0.2

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
ibm
CWE-399
nessus

Summary

The DataPilot feature in IBM Lotus Symphony 3 before FP3 allows user-assisted remote attackers to cause a denial of service (application crash) via a large .xls spreadsheet with an invalid Value reference.

Vulnerable Configurations

Part Description Count
Application
Ibm
3

Common Weakness Enumeration (CWE)

Nessus

NASL family: Windows
NASL id: LOTUS_SYMPHONY_3_0_FP3.NASL
description: The version of IBM Lotus Symphony was found to be less than 3.0 Fix Pack 3. Such versions are affected by multiple vulnerabilities: - Multiple unspecified vulnerabilities. (CVE-2011-2884) - Opening a .doc document with a user defined toolbar can cause an application crash. (CVE-2011-2885) - Opening a .docx document with empty bullet styles for parent bullets will cause an application crash. (CVE-2011-2886) - Opening in DataPilot a large .xls file that contains an invalid … (description truncated)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 59036
published: 2012-05-08
reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/59036
title: IBM Lotus Symphony < 3.0 Fix Pack 3 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


# Plugin registration block. It runs only when `description` is set: it
# declares the plugin's identity, the CVEs it covers, the report text, the
# severity metadata and its prerequisites, then exits before any of the
# check logic further down is reached.
if (description)
{
  script_id(59036);
  script_version("1.5");
  script_cvs_date("Date: 2018/11/15 20:50:27");

  # All five CVEs are reported as one finding. The check below is a single
  # build-stamp comparison and cannot tell the individual issues apart.
  script_cve_id(
    "CVE-2011-2884",
    "CVE-2011-2885",
    "CVE-2011-2886",
    "CVE-2011-2888",
    "CVE-2011-2893"
  );
  script_bugtraq_id(48936);

  script_name(english:"IBM Lotus Symphony < 3.0 Fix Pack 3 Multiple Vulnerabilities");
  script_summary(english:"Checks version of IBM Lotus Symphony");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host has an application installed that is affected by
multiple vulnerabilities. "
  );
  # Report text. Every item with a stated impact is a crash or freeze when
  # a crafted document is opened; CVE-2011-2884 is the only entry whose
  # impact is left unspecified.
  script_set_attribute(
    attribute:"description",
    value:
"The version of IBM Lotus Symphony was found to be less than 3.0 Fix
Pack 3.  Such versions are affected by multiple vulnerabilities:

  - Multiple unspecified vulnerabilities.
    (CVE-2011-2884)

  - Opening a .doc document with a user defined toolbar can 
    cause an application crash. (CVE-2011-2885)

  - Opening a .docx document with empty bullet styles for 
    parent bullets will cause an application crash. 
    (CVE-2011-2886)

  - Opening in DataPilot a large .xls file that contains an
    invalid 'Value' reference, modifying it, and then
    saving it will cause an application crash.
    (CVE-2011-2893)

  - The application freezes when opening a presentation that
    contains many complex graphics. (CVE-2011-2888)"
  );
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?67ef5d5e");
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade to IBM Lotus Symphony 3.0 Fix Pack 3 or later."
  );
  # NOTE(review): the base vector claims complete confidentiality, integrity
  # and availability impact with low access complexity, which is far more
  # severe than the crash/freeze issues described above. Presumably it is
  # driven by the unspecified issues in CVE-2011-2884 - confirm, and triage
  # the crash-only CVEs (e.g. CVE-2011-2893) on their own scores rather than
  # on this plugin-wide vector.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # The recorded patch date (2011/07/20) is earlier than the recorded
  # vulnerability publication date (2011/07/27).
  script_set_attribute(attribute:"vuln_publication_date", value:"2011/07/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/07/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/08");

  # "local" plugin: the check works from install data already stored in the
  # knowledge base and never opens a document or touches the application.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:lotus_symphony");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  # Prerequisites: the install-detection plugin must run first, and the
  # SMB/Lotus_Symphony/Installed key must be present in the knowledge base.
  # Presumably that key is only written when the detection plugin finds an
  # install over SMB, so hosts it could not inspect are not assessed - confirm.
  script_dependencies("lotus_symphony_installed.nasl");
  script_require_keys("SMB/Lotus_Symphony/Installed");
  
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("audit.inc");

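# Version check for IBM Lotus Symphony < 3.0 Fix Pack 3.
#
# The result is derived only from the build stamp stored in the knowledge
# base: an install is reported when its stamp is older than the Fix Pack 3
# build (20110707-1500). No document is opened and none of the individual
# CVEs is tested, so a finding means "unpatched build present", not
# "crash reproduced".
appname = "Lotus Symphony";

kb_base = "SMB/Lotus_Symphony/";

# Port the finding is attached to. Fall back to 445 when the transport key
# is missing so the result is never reported against a NULL port.
port = get_kb_item("SMB/transport");
if (!port) port = 445;

# Both keys must exist; otherwise stop here instead of guessing.
get_kb_item_or_exit(kb_base + "Installed");
version = get_kb_item_or_exit(kb_base + "Version");

# The version string is expected to end in "<date>-<time>", as in the fixed
# build 3.0.0.20110707-1500. Anything else is a parse error, not "not
# vulnerable", so the plugin exits with an error rather than passing the host.
item = eregmatch(pattern:"([0-9]+)-([0-9]+)$", string:version);
if (isnull(item)) exit(1, "Error parsing the version string ("+version+").");

# Build date (YYYYMMDD) and time (HHMM) as integers for comparison.
dt = int(item[1]);
tm = int(item[2]);

# Affected: built before 2011-07-07, or on that day before 15:00.
if (
  dt < 20110707 ||
  (dt == 20110707 && tm < 1500)
)
{
  if (report_verbosity > 0)
  {
    path = get_kb_item(kb_base + "Path");
    ver_ui = get_kb_item(kb_base + "Version_UI");
    # Show the raw version when no display version was recorded, so the
    # report never has an empty "Installed version" field.
    if (isnull(ver_ui)) ver_ui = version;

    report = '\n  Path              : ' + path +
             '\n  Installed version : ' + ver_ui +
             '\n  Fixed version     : 3.0 Fix Pack 3 (3.0.0.20110707-1500)\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, appname, version);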