Vulnerabilities > CVE-2014-1467 - Credentials Management vulnerability in Blackberry products

CVSS v2 base score 5.0 - MEDIUM (vector AV:N/AC:L/Au:N/C:P/I:N/A:N)
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
blackberry
CWE-255
nessus

Summary

BlackBerry Enterprise Service 10 before 10.2.1, Universal Device Service 6, Enterprise Server Express for Domino through 5.0.4, Enterprise Server Express for Exchange through 5.0.4, Enterprise Server for Domino through 5.0.4 MR6, Enterprise Server for Exchange through 5.0.4 MR6, and Enterprise Server for GroupWise through 5.0.4 MR6 log cleartext credentials during exception handling, which might allow context-dependent attackers to obtain sensitive information by reading a log file.

Common Weakness Enumeration (CWE)

Nessus

NASL family: Windows
NASL id: BLACKBERRY_ES_CREDLOG_KB35647.NASL
description: The version of BlackBerry Enterprise Server on the remote host reportedly contains an error related to logging and enterprise instant messages that could allow disclosure of sensitive information like shared secrets and domain credentials.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 72583
published: 2014-02-19
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/72583
title: BlackBerry Enterprise Server / Enterprise Service / Enterprise Server Express Information Disclosure (KB35647)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Metadata registration: when `description` is set this block only declares
# the plugin's identity, scoring, references and prerequisites, then exits
# without touching the target.
if (description)
{
  script_id(72583);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/26");

  script_cve_id("CVE-2014-1467");
  script_bugtraq_id(65609);

  script_name(english:"BlackBerry Enterprise Server / Enterprise Service / Enterprise Server Express Information Disclosure (KB35647)");
  script_summary(english:"Checks version");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an application that is affected by an
information disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of BlackBerry Enterprise Server on the remote host
reportedly contains an error related to logging and enterprise instant
messages that could allow disclosure of sensitive information like
shared secrets and domain credentials.");
  # https://salesforce.services.blackberry.com/kbredirect/viewContent.do?externalID=KB35647
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?438273f4");
  script_set_attribute(attribute:"solution", value:
"Apply the vendor-supplied patches.");
  # CVSS v2 base vector: network reachable, low complexity, no authentication,
  # partial confidentiality impact, no integrity or availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  # CVSS v2 temporal vector: exploitability unproven, official fix available,
  # report confidence confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-1467");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Disclosure, vendor patch and plugin release dates (YYYY/MM/DD).
  script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/02/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/02/19");

  # "local": the check relies on data read from the host itself (KB entries
  # and files over SMB, see the required keys and ports below) rather than on
  # probing a network service, so it needs a credentialed scan.
  script_set_attribute(attribute:"plugin_type", value:"local");
  # One CPE per affected product family.
  script_set_attribute(attribute:"cpe", value:"cpe:/a:blackberry:enterprise_server");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:blackberry:enterprise_server_express");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:blackberry:blackberry_enterprise_service");
  script_end_attributes();

  # ACT_GATHER_INFO: information gathering only.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites. blackberry_es_installed.nasl presumably populates the
  # BlackBerry_ES/* keys required here -- confirm against that plugin.
  script_dependencies("blackberry_es_installed.nasl", "smb_hotfixes.nasl");
  script_require_keys("BlackBerry_ES/Product", "BlackBerry_ES/Path", "BlackBerry_ES/Version", "SMB/Registry/Enumerated");
  # SMB over NetBIOS (139) or direct TCP (445) must be reachable.
  script_require_ports(139, 445);

  exit(0);
}

include("audit.inc");
include("bsal.inc");
include("byte_func.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");
include("misc_func.inc");
include("zip.inc");

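# Read the build timestamp of the BAS jar at `path` (the caller passes
# basServerSystem.jar). The jar carries
# META-INF/maven/com.rim.bes.bas/bas.server.system/pom.properties, whose
# Maven-generated header holds a line of the form
#   "#Dow Mon DD HH:MM:SS {zone} YYYY"
#
# path: path of the jar, relative to the SMB share already connected.
#
# Returns NULL when the jar cannot be opened, the properties file cannot be
# extracted, or no timestamp line is recognised. Otherwise returns an array:
#   'date_string'    - the timestamp line as found, without the leading '#'
#   'date_converted' - the same instant as "YYYYMMDDHHMMSS", for comparison
#
# NOTE(review): the caller treats a NULL return as "nothing to report", so
# every parse failure here becomes a silent non-detection. The time zone is
# matched but not normalised, and only three-letter upper-case zone names are
# accepted; any other zone spelling also yields NULL.
function get_pom_date(path)
{
  local_var fh, pom_file, date_pat, line, matches, month_integer, day, pom_date;

  fh = CreateFile(
    file:path,
    desired_access:GENERIC_READ,
    file_attributes:FILE_ATTRIBUTE_NORMAL,
    share_mode:FILE_SHARE_READ,
    create_disposition:OPEN_EXISTING
  );
  if (isnull(fh)) return NULL;

  pom_file = zip_parse(smb:fh, "META-INF/maven/com.rim.bes.bas/bas.server.system/pom.properties");
  CloseFile(handle:fh);

  if (isnull(pom_file)) return NULL;

  # Only trust the timestamp of a Maven-generated properties file.
  if ("#Generated by Maven" >!< pom_file) return NULL;

  # "#Dow Mon DD HH:MM:SS {zone} YYYY"
  # The day-of-week alternative must be "Thu": with the former "Th" a jar
  # stamped on a Thursday never matched, so the function returned NULL and
  # the caller skipped the comparison for that jar.
  date_pat = "^#(Mon|Tue|Wed|Thu|Fri|Sat|Sun) (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ([0-9]+) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) [A-Z][A-Z][A-Z] ([12][0-9][0-9][0-9])";

  line = egrep(string:pom_file, pattern:date_pat);
  if (!line) return NULL;

  matches = eregmatch(string:line, pattern:date_pat);
  if (isnull(matches)) return NULL;

  month_integer = make_array("Jan", "01", "Feb", "02", "Mar", "03", "Apr", "04", "May", "05", "Jun", "06", "Jul", "07", "Aug", "08", "Sep", "09", "Oct", "10", "Nov", "11", "Dec", "12");

  # The caller compares 'date_converted' as a string, which is only an
  # ordering of instants when every field has a fixed width: pad a
  # one-digit day of month to two digits.
  day = matches[3];
  if (strlen(day) == 1) day = "0" + day;

  pom_date = matches[5] +                  # YYYY
             month_integer[matches[2]] +   # MM
             day +                         # DD
             matches[4];                   # HH:MM:SS
  pom_date = str_replace(string:pom_date, find:":", replace:"");

  # YYYYMMDDHHMMSS
  return make_array(
    'date_string', str_replace(string:matches[0], find:"#", replace:""),
    'date_converted', pom_date
  );
}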

# Decide whether the BBIM jaxb-api.jar at `path` is the patched build.
# The patched javax/xml/bind/ContextFinder.class contains several strings
# that the vulnerable build lacks; all of them must be present.
#
# path: path of the jar, relative to the SMB share already connected.
#
# Returns TRUE when the jar looks patched, and also when the jar cannot be
# opened or the class cannot be extracted. Returns FALSE only when the class
# was read and at least one marker string is missing.
#
# NOTE(review): an unopenable jar is taken to mean that the Collaboration
# component is not installed. CreateFile() failing for another reason (for
# example insufficient rights) is indistinguishable here and is also
# reported as patched, so a scan with weak credentials can under-report.
function jaxb_jar_patch_is_installed(path)
{
  local_var handle, class_blob, marker, patched_markers;

  handle = CreateFile(
    file:path,
    desired_access:GENERIC_READ,
    file_attributes:FILE_ATTRIBUTE_NORMAL,
    share_mode:FILE_SHARE_READ,
    create_disposition:OPEN_EXISTING
  );

  # No such file: no Collaboration component, nothing to patch.
  if (isnull(handle)) return TRUE;

  class_blob = zip_parse(smb:handle, "javax/xml/bind/ContextFinder.class");
  CloseFile(handle:handle);

  # Class could not be extracted: ignore the jar.
  if (!class_blob) return TRUE;

  # Strings present in the patched class and absent from the vulnerable one.
  patched_markers = make_list(
    "safeLoadClass",
    "checkPackageAccess",
    "getSecurityManager",
    "java/lang/SecurityException"
  );

  foreach marker (patched_markers)
  {
    if (marker >!< class_blob) return FALSE;
  }

  return TRUE;
}


#
# Plugin code starts here
#
# Installation facts recorded in the KB by an earlier plugin; each call
# stops this plugin when its key is absent.
prod     = get_kb_item_or_exit("BlackBerry_ES/Product");
version  = get_kb_item_or_exit("BlackBerry_ES/Version");
base_dir = get_kb_item_or_exit("BlackBerry_ES/Path");

# Exactly one of these flags selects the version logic further down.
BES5  = FALSE;
BES10 = FALSE;
BES_EXPRESS = FALSE;

# Enterprise Server and Enterprise Server Express, 0.x through 5.0.x.
# A product string that passes this test but names none of the mail
# platforms below leaves all three flags FALSE; the plugin then ends with the
# "not vulnerable" audit rather than the "not installed" one.
if ("Enterprise Server" >< prod && version =~ "^([0-4]\.|5\.0)")
{
  if ("Express" >< prod)
  {
    # Express is only handled for Exchange and Domino.
    if ("Microsoft Exchange" >< prod || "IBM Lotus Domino" >< prod)
    {
      BES_EXPRESS = TRUE;
    }
  }
  else
  {
    if ("Microsoft Exchange" >< prod || "IBM Lotus Domino" >< prod || "Novell GroupWise" >< prod)
    {
      BES5 = TRUE;
    }
  }
}
# Enterprise Service 10.x before 10.2.1
else if ("Enterprise Service" >< prod && version =~ "^10\.")
{
  BES10 = TRUE;
}
else
{
  audit(AUDIT_NOT_INST, "BlackBerry Enterprise Server 0.x through 5.x / Enterprise Service 10.x / Enterprise Server Express for Microsoft Exchange or IBM Lotus Domino");
}

# The file checks further down need SMB access to the host.
get_kb_item_or_exit("SMB/Registry/Enumerated");

#
# Enterprise Service 10.x
#
# Version gating. Each branch sets fixed_version for the report and either
# marks the install vulnerable from its version string alone (vuln_version)
# or, when the version is already at the last level before the interim fix,
# requests inspection of the jar files (check_bss_jar / check_jaxb_jar) and
# records the build timestamp expected in the fixed jar.

#
# Enterprise Service 10.x: the version alone decides, 10.2.1 is the fix.
#
if (BES10)
{
  fixed_version = "10.2.1";
  if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0)
  {
    vuln_version = version;
  }
}

#
# Enterprise Server 0.x < 5.0.4 MR 6 with Interim Fix
#
if (BES5)
{
  fixed_version = "5.0.4 MR 6 with Interim Security Update for 11 FEB 2014";

  if (
    version =~ "^([0-4]\.|5\.0\.([0-3]|4 MR [0-5])($|[^0-9]))"
    ||
    version == "5.0.4 (Bundle 38)" # Special case; no file check needed
  )
  {
    vuln_version = version;
  }
  else
  {
    # Version string is inconclusive: the jar contents decide.
    check_bss_jar = TRUE;
    check_jaxb_jar = TRUE;
    fixed_pom_date_converted = "20140128095405";
    fixed_pom_date_string = "Tue Jan 28 09:54:05 EST 2014";
  }
}

#
# Enterprise Server Express 0.x < 5.0.4 with Interim Fix
#
if (BES_EXPRESS)
{
  fixed_version = "5.0.4 with Interim Security Update for 11 FEB 2014";

  if (version =~ "^([0-4]\.|5\.0\.[0-3]($|[^0-9]))")
  {
    vuln_version = version;
  }
  else
  {
    # Version string is inconclusive: the BAS jar decides. The jaxb jar is
    # not checked for Express.
    check_bss_jar = TRUE;
    fixed_pom_date_converted = "20140129100745";
    fixed_pom_date_string = "Wed Jan 29 10:07:45 EST 2014";
  }
}

extra_info = "";

# The interim fix does not change any file version, so it has to be detected
# from file contents. This is only needed when the product version is already
# at the highest level that precedes the fix.
if (check_bss_jar || check_jaxb_jar)
{
  port    =  kb_smb_transport();
  login   =  kb_smb_login();
  pass    =  kb_smb_password();
  domain  =  kb_smb_domain();

  # Open the SMB session with the scan credentials.
  if (!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

  # Split "X:\dir\..." into the administrative share "X$" and the path on it.
  share = ereg_replace(string:base_dir, pattern:"^([A-Za-z]):.*", replace:"\1$");
  dir = ereg_replace(string:base_dir, pattern:"^[A-Za-z]:(.*)", replace:"\1");
  NetUseDel(close:FALSE);

  # Connect to the share the software is installed on.
  rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
  if (rc != 1)
  {
    NetUseDel();
    audit(AUDIT_SHARE_FAIL, share);
  }

  # basServerSystem.jar: compare its build timestamp with the fixed one.
  # NOTE(review): a NULL result (jar missing, unreadable or unparsable) is
  # skipped silently, so it counts as not vulnerable. The comparison is
  # between "YYYYMMDDHHMMSS" strings and ignores the time zone.
  if (check_bss_jar)
  {
    path = dir + "\BAS\lib\basServerSystem.jar";
    pom_date = get_pom_date(path:path);

    if (!isnull(pom_date) && pom_date['date_converted'] < fixed_pom_date_converted)
    {
      vuln_version = version;
      extra_info = strcat(
        extra_info,
        '\nBased on its creation date, ',
        base_dir, "\BAS\lib\basServerSystem.jar",
        ', needs to be updated.',
        '\n',
        '\n  Installed creation date : ', pom_date['date_string'],
        '\n  Fixed creation date     : ', fixed_pom_date_string,
        '\n'
      );
    }
  }

  # jaxb-api.jar: look for the strings that only the patched class contains.
  if (check_jaxb_jar)
  {
    path = dir + "\BBIM\classpath\endorsed\jaxb-api.jar";

    if (!jaxb_jar_patch_is_installed(path:path))
    {
      vuln_version = version;

      # Blank line between the two findings when both are present.
      if (strlen(extra_info)) extra_info = strcat(extra_info, '\n');

      extra_info = strcat(
        extra_info,
        '\nBased on its file contents, ',
        base_dir, "\BBIM\classpath\endorsed\jaxb-api.jar",
        ', needs to be updated.',
        '\n'
      );
    }
  }

  NetUseDel();
}

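# Reporting. vuln_version is only set when the version check or one of the
# jar checks found the install unpatched; otherwise the plugin ends with the
# "installed but not vulnerable" audit.
if (vuln_version)
{
  port = kb_smb_transport();
  if (report_verbosity > 0)
  {
    report =
      '\n  Prod              : ' + prod +
      '\n  Path              : ' + base_dir +
      '\n  Installed version : ' + vuln_version;

    if (fixed_version) report +=
      '\n  Fixed version     : ' + fixed_version;

    # Per-file findings from the jar checks, when any were recorded.
    if (extra_info) report += '\n' + extra_info;

    # Remediation line; the update name was previously printed with the
    # words "Interim Security" duplicated.
    report +=
      '\nInstall Interim Security Update for February 11, 2014' +
      '\nto correct the issue.' +
      '\n';

    security_warning(port:port, extra:report);
  }
  else security_warning(port);
}
else audit(AUDIT_INST_PATH_NOT_VULN, prod, version, base_dir);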