Vulnerabilities > CVE-2015-2120 - Remote Privilege Escalation vulnerability in HP Sitescope 11.13/11.24.391/11.30.521

047910
CVSS v2 base score 8.7 - HIGH (vector AV:N/AC:L/Au:S/C:C/I:P/A:C)
Attack vector
NETWORK
Attack complexity
LOW
Authentication required (CVSS v2 "Au" metric)
SINGLE
Confidentiality impact
COMPLETE
Integrity impact
PARTIAL
Availability impact
COMPLETE
network
low complexity
hp
nessus

Summary

Unspecified vulnerability in HP SiteScope 11.1x before 11.13, 11.2x before 11.24.391, and 11.3x before 11.30.521 allows remote authenticated users to gain privileges via unknown vectors, aka ZDI-CAN-2567.

Vulnerable Configurations

Part Description Count
Application
Hp
3

Nessus

  • NASL familyCGI abuses
    NASL idHP_SITESCOPE_HPSBGN03325.NASL
    description: The HP SiteScope application running on the remote host is affected by a privilege escalation vulnerability due to a failure to restrict the log path within the Log Analysis Tool. A remote, authenticated attacker can exploit this flaw to read the 'users.config' file, allowing an attacker to escalate privileges from the user to administrator role.
    last seen2020-06-01
    modified2020-06-02
    plugin id84088
    published2015-06-10
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84088
    titleHP SiteScope Log Analysis Tool Remote Privilege Escalation (uncredentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when 'description' is set the script only declares its
    # metadata and then exits; the check logic further down is not reached.
    if (description)
    {
      script_id(84088);
      script_version("1.8");
      script_cvs_date("Date: 2019/11/22");
    
      # Identifiers for the same issue: CVE, Bugtraq ID and the HP advisory IDs.
      script_cve_id("CVE-2015-2120");
      script_bugtraq_id(74801);
      script_xref(name:"HP", value:"emr_na-c04688784");
      script_xref(name:"HP", value:"HPSBGN03325");
      script_xref(name:"HP", value:"SSRT101902");
    
      # The summary states the method: this is a version check, not a probe of
      # the Log Analysis Tool.
      script_name(english:"HP SiteScope Log Analysis Tool Remote Privilege Escalation (uncredentialed check)");
      script_summary(english:"Checks the version of HP SiteScope.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web application running on the remote host is affected by a
    privilege escalation vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The HP SiteScope application running on the remote host is affected by
    a privilege escalation vulnerability due to a failure to restrict the
    log path within the Log Analysis Tool. A remote, authenticated
    attacker can exploit this flaw to read the 'users.config' file, 
    allowing an attacker to escalate privileges from the user to
    administrator role.");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-15-239/");
      # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c04688784
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7dfdc15b");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate update according to the vendor advisory.");
      # CVSS v2 base: network vector, low complexity, single authentication;
      # complete confidentiality, partial integrity, complete availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:P/A:C");
      # CVSS v2 temporal: exploit unproven, official fix available, report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2120");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      # Disclosure and patch share the same date; the plugin followed on 2015/06/10.
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/05/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/05/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/10");
    
      # "remote": the result is derived over the network, without host credentials.
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:sitescope");
      script_end_attributes();
    
      # Information-gathering category.
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Depends on the SiteScope web detection script and on the KB key it is
      # expected to set; 8080 is the port assumed when no web service is listed.
      script_dependencies("hp_sitescope_detect.nasl");
      script_require_keys("installed_sw/sitescope");
      script_require_ports("Services/www", 8080);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
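    # Version-only check for CVE-2015-2120. The verdict comes from the version
    # string held in the install record; this script never exercises the Log
    # Analysis Tool, so it cannot tell whether a fix has actually been applied.
    appname = "sitescope";
    # Stops get_http_port from branching
    get_install_count(app_name:appname, exit_if_zero:TRUE);
    
    port    = get_http_port(default:8080);
    install = get_single_install(app_name:appname, port:port, exit_if_unknown_ver:TRUE);
    version = install['version']; # Version level always at least Major.Minor.SP
    url     = build_url(port:port, qs:install['path']);
    
    if (
      # 11.10-11.12 and 11.20-11.23 are reported regardless of patch level.
      # Both patterns accept further dotted components after the minor version,
      # so a value such as "11.23.1" (constructed example) is flagged instead of
      # being audited as not affected.
      (version =~ "^11\.1[0-2](\.|$)") ||
      (version =~ "^11\.2[0-3](\.|$)") ||
      # 11.24/11.13/11.30 can be affected if they aren't patched. The patch level
      # is not visible here, so these are reported only when the scan runs in
      # paranoid mode; treat such findings as potential and confirm the build on
      # the host.
      # NOTE(review): these are exact string matches - confirm the detection
      # script never stores extra components for these releases, otherwise they
      # fall through to the "not affected" audit.
      (version == "11.30" && report_paranoia >= 2) ||
      (version == "11.24" && report_paranoia >= 2) ||
      (version == "11.13" && report_paranoia >= 2)
    )
    {
      if (report_verbosity > 0)
      {
        # Pick the fixed release for the branch the install is on.
        fix = "11.13.4";
        if(version =~ "^11\.2")
          fix = "11.24 IP5";
        else if(version =~ "^11\.3")
          fix = "11.30 IP2";
    
        report =
          '\n  URL               : ' + url +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fix +
          '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, url, version);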
    
  • NASL familyCGI abuses
    NASL idHP_SITESCOPE_HPSBGN03325_LOCAL.NASL
    description: The HP SiteScope application installed on the remote host is affected by a privilege escalation vulnerability due to a failure to restrict the log path within the Log Analysis Tool. A remote, authenticated attacker can exploit this flaw to read the 'users.config' file, allowing an attacker to escalate privileges from the user to administrator role.
    last seen2020-06-01
    modified2020-06-02
    plugin id84089
    published2015-06-10
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84089
    titleHP SiteScope Log Analysis Tool Remote Privilege Escalation (credentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when 'description' is set the script only declares its
    # metadata and then exits; the check logic further down is not reached.
    if (description)
    {
      script_id(84089);
      script_version("1.7");
      script_cvs_date("Date: 2019/11/22");
    
      # Identifiers for the same issue: CVE, Bugtraq ID and the HP advisory IDs.
      script_cve_id("CVE-2015-2120");
      script_bugtraq_id(74801);
      script_xref(name:"HP", value:"emr_na-c04688784");
      script_xref(name:"HP", value:"HPSBGN03325");
      script_xref(name:"HP", value:"SSRT101902");
    
      # The summary states the method: a check of the installed version, using
      # data collected with host credentials.
      script_name(english:"HP SiteScope Log Analysis Tool Remote Privilege Escalation (credentialed check)");
      script_summary(english:"Checks the version of HP SiteScope.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web application installed on the remote host is affected by a
    privilege escalation vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The HP SiteScope application installed on the remote host is affected
    by a privilege escalation vulnerability due to a failure to restrict
    the log path within the Log Analysis Tool. A remote, authenticated
    attacker can exploit this flaw to read the 'users.config' file,
    allowing an attacker to escalate privileges from the user to
    administrator role.");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-15-239/");
      # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c04688784
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7dfdc15b");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate update according to the vendor advisory.");
      # CVSS v2 base: network vector, low complexity, single authentication;
      # complete confidentiality, partial integrity, complete availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:P/A:C");
      # CVSS v2 temporal: exploit unproven, official fix available, report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2120");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      # Disclosure and patch share the same date; the plugin followed on 2015/06/10.
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/05/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/05/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/10");
    
      # "local": the result is derived from data gathered on the host itself.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:sitescope");
      script_end_attributes();
    
      # Information-gathering category.
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Depends on the local SiteScope install detection and on the KB key it is
      # expected to set; results are reported against the SMB transport port.
      script_dependencies("hp_sitescope_installed.nbin");
      script_require_keys("installed_sw/HP SiteScope");
      script_require_ports("SMB/transport", 139, 445);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
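    # Credentialed version check for CVE-2015-2120. The verdict is based on the
    # version and build values held in the local install record, which lets it
    # tell patched from unpatched 11.13 / 11.24 / 11.30 installs.
    appname = "HP SiteScope";
    
    install = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE);
    version = install['version'];
    build   = install['Build'];
    
    path = install['path'];
    
    # Without a build value the patch level cannot be judged, so stop here.
    if(isnull(build)) audit(AUDIT_VER_NOT_GRANULAR, appname, version + " Build " + build);
    
    # extract numerical version string from build
    # examples: SIS11.13.4
    #           416
    build_num = NULL;
    item = eregmatch(pattern:"^[^\d.]*(\d[\d.]*)$", string:build);
    if(!isnull(item)) build_num = item[1];
    
    if(isnull(build_num))
      exit(1, "Unable to parse " + appname + " version build string : " + build);
    
    # if build number is not a version string, tack it onto version
    if("." >!< build_num) version += "." + build_num;
    
    if (
      # no patches available for these
      (version =~ "^11\.1[0-2](\.|$)") ||
      (version =~ "^11\.2[0-3](\.|$)") ||
      # look for unpatched installs
      (version =~ "^11\.30(\.|$)" && ver_compare(ver:version, fix:'11.30.521.416', strict:FALSE)==-1) ||
      # NOTE(review): this compares the raw build string (which may carry a
      # prefix such as "SIS") rather than build_num - confirm ver_compare copes
      # with the prefix, otherwise the 11.13 verdict is unreliable.
      (version =~ "^11\.13(\.|$)" && ver_compare(ver:build, fix:'11.13.4', strict:FALSE)==-1) ||
      # The alternation ends in '$' like the other branches, so a bare "11.24"
      # (no build appended) is still compared against the fixed build instead of
      # skipping the check and being audited as not vulnerable.
      (version =~ "^11\.24(\.|$)" && ver_compare(ver:version, fix:'11.24.391.333', strict:FALSE)==-1))
    {
      # Report against the SMB port the credentialed data came from.
      port = get_kb_item("SMB/transport");
      if(isnull(port)) port = 445;
    
      if (report_verbosity > 0)
      {
        # Pick the fixed release for the branch the install is on.
        fix = "11.13.4";
        if(version =~ "^11\.2")
          fix = "11.24 IP5";
        else if(version =~ "^11\.3")
          fix = "11.30 IP2";
    
        report =
          '\n  Path              : ' + path +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fix +
          '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);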