Vulnerabilities > CVE-2015-2120 - Remote Privilege Escalation vulnerability in HP SiteScope 11.13/11.24.391/11.30.521
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: COMPLETE
Integrity impact: PARTIAL
Availability impact: COMPLETE
Summary
Unspecified vulnerability in HP SiteScope 11.1x before 11.13, 11.2x before 11.24.391, and 11.3x before 11.30.521 allows remote authenticated users to gain privileges via unknown vectors, aka ZDI-CAN-2567.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 3 |
Nessus
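NASL family CGI abuses
NASL id HP_SITESCOPE_HPSBGN03325.NASL
description The HP SiteScope application running on the remote host is affected by a privilege escalation vulnerability due to a failure to restrict the log path within the Log Analysis Tool. A remote, authenticated attacker can exploit this flaw to read the
last seen 2020-06-01
modified 2020-06-02
plugin id 84088
published 2015-06-10
reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/84088
title HP SiteScope Log Analysis Tool Remote Privilege Escalation (uncredentialed check)
code
#
# (C) Tenable Network Security, Inc.
#

# Uncredentialed, version-only check for CVE-2015-2120 in HP SiteScope.
# The plugin sends nothing to the Log Analysis Tool itself: it reads the
# version recorded for the detected web install and compares it against
# the affected branches.

include("compat.inc");

# Registration block: plugin metadata only. It ends with exit(0), so none
# of the detection logic below runs during registration.
if (description)
{
  script_id(84088);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id("CVE-2015-2120");
  script_bugtraq_id(74801);
  script_xref(name:"HP", value:"emr_na-c04688784");
  script_xref(name:"HP", value:"HPSBGN03325");
  script_xref(name:"HP", value:"SSRT101902");

  script_name(english:"HP SiteScope Log Analysis Tool Remote Privilege Escalation (uncredentialed check)");
  script_summary(english:"Checks the version of HP SiteScope.");

  script_set_attribute(attribute:"synopsis", value:
"A web application running on the remote host is affected by a privilege escalation vulnerability.");
  script_set_attribute(attribute:"description", value:
"The HP SiteScope application running on the remote host is affected by a privilege escalation vulnerability due to a failure to restrict the log path within the Log Analysis Tool. 
A remote, authenticated attacker can exploit this flaw to read the 'users.config' file, allowing an attacker to escalate privileges from the user to administrator role.");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-15-239/");
  # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c04688784
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7dfdc15b");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate update according to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:P/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2120");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/05/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/05/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/10");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:sitescope");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");

  # Runs only after the SiteScope web detection plugin has recorded an install.
  script_dependencies("hp_sitescope_detect.nasl");
  script_require_keys("installed_sw/sitescope");
  script_require_ports("Services/www", 8080);
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

appname = "sitescope";

# Stops get_http_port from branching
get_install_count(app_name:appname, exit_if_zero:TRUE);

port = get_http_port(default:8080);
# exit_if_unknown_ver: without a version string there is nothing to compare.
install = get_single_install(app_name:appname, port:port, exit_if_unknown_ver:TRUE);

version = install['version']; # Version level always at least Major.Minor.SP
url = install['path'];
url = build_url(port:port, qs:url);

# Affected-version decision:
#  - 11.10-11.12 and 11.20-11.23 are flagged on the version alone.
#  - 11.13, 11.24 and 11.30 are flagged only when report_paranoia >= 2,
#    because the version string does not show whether the fix is applied.
#    A finding on one of these three is therefore unconfirmed; verify the
#    patch level on the host.
if (
  (version =~ "^11\.1[0-2](\.|$)") ||
  # The 11.2x pattern previously ended in "(\.|$)$", which required the
  # string to end right after the branch number and so missed versions
  # carrying a further component (for example "11.22.1"). It now has the
  # same shape as the 11.1x pattern above.
  (version =~ "^11\.2[0-3](\.|$)") ||
  # 11.24/11.13/11.30 can be affected if they aren't patched
  (version == "11.30" && report_paranoia >= 2) ||
  (version == "11.24" && report_paranoia >= 2) ||
  (version == "11.13" && report_paranoia >= 2)
)
{
  if (report_verbosity > 0)
  {
    # Fixed release reported per branch: 11.1x -> 11.13.4,
    # 11.2x -> 11.24 IP5, 11.3x -> 11.30 IP2.
    fix = "11.13.4";
    if (version =~ "^11\.2") fix = "11.24 IP5";
    else if (version =~ "^11\.3") fix = "11.30 IP2";

    report =
      '\n URL : ' + url +
      '\n Installed version : ' + version +
      '\n Fixed version : ' + fix + '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, url, version);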
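NASL family CGI abuses
NASL id HP_SITESCOPE_HPSBGN03325_LOCAL.NASL
description The HP SiteScope application installed on the remote host is affected by a privilege escalation vulnerability due to a failure to restrict the log path within the Log Analysis Tool. A remote, authenticated attacker can exploit this flaw to read the
last seen 2020-06-01
modified 2020-06-02
plugin id 84089
published 2015-06-10
reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/84089
title HP SiteScope Log Analysis Tool Remote Privilege Escalation (credentialed check)
code
#
# (C) Tenable Network Security, Inc.
#

# Credentialed check for CVE-2015-2120 in HP SiteScope. It works from the
# version, build and path recorded for the local install, so unlike a
# version-banner check it can compare the patched branches (11.13, 11.24,
# 11.30) against their fixed builds.

include("compat.inc");

# Registration block: plugin metadata only. It ends with exit(0), so none
# of the detection logic below runs during registration.
if (description)
{
  script_id(84089);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id("CVE-2015-2120");
  script_bugtraq_id(74801);
  script_xref(name:"HP", value:"emr_na-c04688784");
  script_xref(name:"HP", value:"HPSBGN03325");
  script_xref(name:"HP", value:"SSRT101902");

  script_name(english:"HP SiteScope Log Analysis Tool Remote Privilege Escalation (credentialed check)");
  script_summary(english:"Checks the version of HP SiteScope.");

  script_set_attribute(attribute:"synopsis", value:
"A web application installed on the remote host is affected by a privilege escalation vulnerability.");
  script_set_attribute(attribute:"description", value:
"The HP SiteScope application installed on the remote host is affected by a privilege escalation vulnerability due to a failure to restrict the log path within the Log Analysis Tool. 
A remote, authenticated attacker can exploit this flaw to read the 'users.config' file, allowing an attacker to escalate privileges from the user to administrator role.");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-15-239/");
  # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c04688784
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7dfdc15b");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate update according to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:P/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2120");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/05/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/05/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:sitescope");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");

  # Runs only after the local install enumeration has recorded SiteScope.
  script_dependencies("hp_sitescope_installed.nbin");
  script_require_keys("installed_sw/HP SiteScope");
  script_require_ports("SMB/transport", 139, 445);
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

appname = "HP SiteScope";

install = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE);
version = install['version'];
build = install['Build'];
path = install['path'];

# Without a build value the patch level cannot be determined, so audit out.
if (isnull(build)) audit(AUDIT_VER_NOT_GRANULAR, appname, version + " Build " + build);

# extract numerical version string from build
# examples: SIS11.13.4
#           416
build_num = NULL;
item = eregmatch(pattern:"^[^\d.]*(\d[\d.]*)$", string:build);
build_num = item[1];
if (isnull(build_num)) exit(1, "Unable to parse " + appname + " version build string : " + build);

# if build number is not a version string, tack it onto version
if ("." >!< build_num) version += "." + build_num;

if (
  # no patches available for these
  (version =~ "^11\.1[0-2](\.|$)") ||
  (version =~ "^11\.2[0-3](\.|$)") ||
  # look for unpatched installs: flagged when ver_compare returns -1
  # against the fixed build of the branch
  (version =~ "^11\.30(\.|$)" && ver_compare(ver:version, fix:'11.30.521.416', strict:FALSE)==-1) ||
  # NOTE(review): this branch compares the raw `build` string, which per the
  # examples above may carry a non-numeric prefix ("SIS11.13.4"); `build_num`
  # looks like the intended operand. Confirm how ver_compare treats the prefix.
  (version =~ "^11\.13(\.|$)" && ver_compare(ver:build, fix:'11.13.4', strict:FALSE)==-1) ||
  # The 11.24 pattern previously read "(\.|#)", so a bare "11.24" version
  # string could never match. The alternative is now end-of-string, the same
  # as in the other branch patterns.
  (version =~ "^11\.24(\.|$)" && ver_compare(ver:version, fix:'11.24.391.333', strict:FALSE)==-1)
)
{
  # Report on the SMB transport port recorded in the KB, defaulting to 445.
  port = get_kb_item("SMB/transport");
  if (isnull(port)) port = 445;

  if (report_verbosity > 0)
  {
    # Fixed release reported per branch: 11.1x -> 11.13.4,
    # 11.2x -> 11.24 IP5, 11.3x -> 11.30 IP2.
    fix = "11.13.4";
    if (version =~ "^11\.2") fix = "11.24 IP5";
    else if (version =~ "^11\.3") fix = "11.30 IP2";

    report =
      '\n Path : ' + path +
      '\n Installed version : ' + version +
      '\n Fixed version : ' + fix + '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);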