Vulnerabilities > CVE-2013-6838 - Cryptographic Issues vulnerability in Enghouseinteractive IVR PRO 9.0.3

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
enghouseinteractive
openvz
CWE-310
critical
nessus

Summary

An unspecified Enghouse Interactive Professional Services "addon product" in Enghouse Interactive IVR Pro (VIP2000) 9.0.3 (rel903), when using OpenVZ and fallback customization, uses the same SSH private key across different customers' installations, which allows remote attackers to gain privileges by leveraging knowledge of this key.

Vulnerable Configurations

Part Description Count
Application
Enghouseinteractive
1
OS
Openvz
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2014-84.NASL
description: - Add gnumeric-CVE-2013-6836.patch: fix Heap-buffer-overflow in ms_escher_get_data on a fuzzed xls file (bnc#856254, bgo#712772, CVE-2013-6838).
last seen: 2020-06-05
modified: 2014-06-13
plugin id: 75408
published: 2014-06-13
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/75408
title: openSUSE Security Update : gnumeric (openSUSE-SU-2014:0138-1)
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2014-84.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

# Metadata registration: when `description` is set, this branch only declares
# the plugin's attributes and leaves via exit(0); none of the package checks
# further down run in this branch.
if (description)
{
  script_id(75408);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  # NOTE(review): both IDs are carried over from the advisory text quoted in
  # the "description" attribute below. That text names the patch
  # gnumeric-CVE-2013-6836.patch but cites CVE-2013-6838 in its reference
  # list. Everything this plugin tests is a gnumeric RPM version on openSUSE,
  # so a finding from it looks like evidence about the gnumeric update only.
  # Confirm the CVE-2013-6838 mapping against the vendor advisory before
  # relying on it for triage of any other product.
  script_cve_id("CVE-2013-6836", "CVE-2013-6838");

  script_name(english:"openSUSE Security Update : gnumeric (openSUSE-SU-2014:0138-1)");
  script_summary(english:"Check for the openSUSE-2014-84 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  # Advisory text, reproduced as published (see the header comment of this
  # file: the descriptive text was extracted from openSUSE-2014-84).
  script_set_attribute(
    attribute:"description", 
    value:
"  - Add gnumeric-CVE-2013-6836.patch: fix
    Heap-buffer-overflow in ms_escher_get_data on a fuzzed
    xls file (bnc#856254, bgo#712772, CVE-2013-6838)."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=856254"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2014-01/msg00092.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected gnumeric packages."
  );
  # CVSS v2 base vector: network access, low complexity, no authentication,
  # complete confidentiality/integrity/availability impact.
  # NOTE(review): the check is declared plugin_type "local" just below and
  # only compares installed package versions, so the score describes the
  # referenced issues, not how this plugin reaches the host.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  # Affected packages (p-cpe entries) followed by the three openSUSE releases
  # the advisory covers; these match the rpm_check() calls later in the file.
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gnumeric");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gnumeric-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gnumeric-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gnumeric-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gnumeric-lang");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/01/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  # The four required keys are the same knowledge-base items the check phase
  # reads with get_kb_item() after this block. Presumably ssh_get_info.nasl is
  # the script that populates them; confirm against that dependency.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Preconditions. Each guard hands off to audit() with a specific reason as
# soon as the host turns out not to be in scope; the order of the guards
# decides which reason is reported.

# Local (credentialed) checks must have been enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# The release string must exist and must not be an SLED/SLES (enterprise) one.
release = get_kb_item("Host/SuSE/release");
if (isnull(release))
{
  audit(AUDIT_OS_NOT, "openSUSE");
}
if (release =~ "^(SLED|SLES)")
{
  audit(AUDIT_OS_NOT, "openSUSE");
}

# Only the three releases named in the advisory are evaluated.
if (release !~ "^(SUSE12\.2|SUSE12\.3|SUSE13\.1)$")
{
  audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.2 / 12.3 / 13.1", release);
}

# Without a collected RPM list there is nothing to compare against.
if (!get_kb_item("Host/SuSE/rpm-list"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# The CPU architecture must be known and be one of the supported x86 variants.
ourarch = get_kb_item("Host/cpu");
if (!ourarch)
{
  audit(AUDIT_UNKNOWN_ARCH);
}
if (ourarch !~ "^(i586|i686|x86_64)$")
{
  audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
}

# Count of package checks that reported a hit. rpm_check() comes from an
# include that is not shown here; presumably it compares the installed RPM
# with the given reference build for that release (confirm in rpm.inc).
# Only gnumeric packages are examined.
flag = 0;

# openSUSE 12.2: reference build 1.11.3-2.5.2
if (rpm_check(release:"SUSE12.2", reference:"gnumeric-1.11.3-2.5.2"))
  flag += 1;
if (rpm_check(release:"SUSE12.2", reference:"gnumeric-debuginfo-1.11.3-2.5.2"))
  flag += 1;
if (rpm_check(release:"SUSE12.2", reference:"gnumeric-debugsource-1.11.3-2.5.2"))
  flag += 1;
if (rpm_check(release:"SUSE12.2", reference:"gnumeric-devel-1.11.3-2.5.2"))
  flag += 1;
if (rpm_check(release:"SUSE12.2", reference:"gnumeric-lang-1.11.3-2.5.2"))
  flag += 1;

# openSUSE 12.3: reference build 1.12.0-2.4.3
if (rpm_check(release:"SUSE12.3", reference:"gnumeric-1.12.0-2.4.3"))
  flag += 1;
if (rpm_check(release:"SUSE12.3", reference:"gnumeric-debuginfo-1.12.0-2.4.3"))
  flag += 1;
if (rpm_check(release:"SUSE12.3", reference:"gnumeric-debugsource-1.12.0-2.4.3"))
  flag += 1;
if (rpm_check(release:"SUSE12.3", reference:"gnumeric-devel-1.12.0-2.4.3"))
  flag += 1;
if (rpm_check(release:"SUSE12.3", reference:"gnumeric-lang-1.12.0-2.4.3"))
  flag += 1;

# openSUSE 13.1: reference build 1.12.7-2.5.3
if (rpm_check(release:"SUSE13.1", reference:"gnumeric-1.12.7-2.5.3"))
  flag += 1;
if (rpm_check(release:"SUSE13.1", reference:"gnumeric-debuginfo-1.12.7-2.5.3"))
  flag += 1;
if (rpm_check(release:"SUSE13.1", reference:"gnumeric-debugsource-1.12.7-2.5.3"))
  flag += 1;
if (rpm_check(release:"SUSE13.1", reference:"gnumeric-devel-1.12.7-2.5.3"))
  flag += 1;
if (rpm_check(release:"SUSE13.1", reference:"gnumeric-lang-1.12.7-2.5.3"))
  flag += 1;

# Outcome. With no hit, say whether the packages were examined and found
# unaffected or were not installed at all. With at least one hit, raise the
# finding and attach the RPM report when the configured verbosity allows it.
if (!flag)
{
  tested = pkg_tests_get();
  if (tested)
  {
    audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  }
  else
  {
    audit(AUDIT_PACKAGE_NOT_INSTALLED, "gnumeric / gnumeric-debuginfo / gnumeric-debugsource / etc");
  }
}
else
{
  if (report_verbosity > 0)
  {
    security_hole(port:0, extra:rpm_report_get());
  }
  else
  {
    security_hole(0);
  }
  exit(0);
}

Packetstorm

data source: https://packetstormsecurity.com/files/download/124820/XPD-2013-001.txt
id: PACKETSTORM:124820
last seen: 2016-12-05
published: 2014-01-17
reporter: Peter Norin
source: https://packetstormsecurity.com/files/124820/Enghouse-Interactive-IVR-Pro-VIP2000-Remote-Root.html
title: Enghouse Interactive IVR Pro (VIP2000) Remote Root