CVE-2019-3781 - Information Exposure vulnerability in Cloudfoundry Command Line Interface

CVSS 8.8 - HIGH
  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: LOW
  • Confidentiality impact: HIGH
  • Integrity impact: HIGH
  • Availability impact: HIGH

Tags: network, low complexity, cloudfoundry, CWE-200, nessus

Summary

Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on. A local unauthenticated or remote authenticated malicious user with access to logs may gain part or all of a user's password.
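The redaction edge case named in the 6.43.0 changelog further down this page (passwords containing regex metacharacters were not completely redacted in verbose mode) is easy to reproduce. The Go below is an added illustration, not the Cloud Foundry CLI's code: a naive redactor that compiles the password straight into a pattern beside a safe one that quotes it first, both run over a constructed trace dump; the names redactNaive, redactSafe, leaks and all sample values are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Placeholder the redacted trace shows in place of a secret.
const hidden = "[PRIVATE DATA HIDDEN]"

// Constructed password and trace output (not real credentials). The password
// contains "$", a regex metacharacter: the case the changelog describes as
// "passwords which contain regex were not completely redacted".
const password = "p4$$w0rd"

const sampleTrace = "REQUEST: POST /oauth/token\n" +
	"grant_type=password&username=dev@example.com&password=" + password + "\n" +
	"RESPONSE: 200 OK\n" +
	`{"access_token":"eyJhbGciOi.constructed","refresh_token":"rt-constructed-123"}` + "\n"

// redactNaive models the defect class: the raw secret is used as a regular
// expression, so metacharacters change what the pattern matches. With the
// password above the pattern "p4$$w0rd" can never match ("$" anchors at end
// of text), so the password passes through the trace untouched.
func redactNaive(trace, secret string) (string, error) {
	re, err := regexp.Compile(secret)
	if err != nil {
		return trace, err // e.g. an unbalanced "(" in the password
	}
	return re.ReplaceAllString(trace, hidden), nil
}

// tokenFields masks token values by their JSON key, so secrets the client
// only learns from the server (refresh tokens in responses) are hidden too.
var tokenFields = regexp.MustCompile(`("(?:access_token|refresh_token)"\s*:\s*")[^"]*(")`)

// redactSafe quotes every known secret before building a pattern, so it
// matches only itself, and then applies the key-based token masking.
func redactSafe(trace string, secrets ...string) string {
	out := tokenFields.ReplaceAllString(trace, "${1}"+hidden+"${2}")
	for _, s := range secrets {
		if s == "" {
			continue
		}
		re := regexp.MustCompile(regexp.QuoteMeta(s))
		out = re.ReplaceAllString(out, hidden)
	}
	return out
}

// leaks reports whether any secret still appears verbatim in trace; a guard
// worth running before a trace is written to a log file.
func leaks(trace string, secrets ...string) bool {
	for _, s := range secrets {
		if s != "" && strings.Contains(trace, s) {
			return true
		}
	}
	return false
}

func main() {
	naive, _ := redactNaive(sampleTrace, password)
	fmt.Printf("naive redaction leaks password: %v\n", leaks(naive, password))
	safe := redactSafe(sampleTrace, password)
	fmt.Printf("safe redaction leaks password: %v\n", leaks(safe, password))
	fmt.Print(safe)
}
```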

Vulnerable Configurations

Part          Description    Count
Application   Cloudfoundry   81

Common Weakness Enumeration (CWE)

  • CWE-200: Information Exposure

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, in what the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible while the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser, including its version, to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero-day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as part of the same delivery system used to exploit the browser is considered more efficient, as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session IDs in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2019-1429.NASL
    description: This update for cf-cli fixes the following issues : cf-cli was updated: to version 6.43.0 (bsc#1132242) Enhancements : - `cf curl` supports a new `--fail` flag (primarily for scripting purposes) which returns exit code `22` for server errors [story](https://www.pivotaltracker.com/story/show/130060949) - Improves `cf delete-orphaned-routes` such that it uses a different endpoint, reducing the chance of a race condition when two users are simultaneously deleting orphaned routes and associating routes with applications [story](https://www.pivotaltracker.com/story/show/163156064) - we
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 125328
    published: 2019-05-22
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/125328
    title: openSUSE Security Update : cf-cli (openSUSE-2019-1429)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2019-1429.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(125328);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/15");
    
      script_cve_id("CVE-2019-3781");
    
      script_name(english:"openSUSE Security Update : cf-cli (openSUSE-2019-1429)");
      script_summary(english:"Check for the openSUSE-2019-1429 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for cf-cli fixes the following issues :
    
    cf-cli was updated: to version 6.43.0 (bsc#1132242)
    
    Enhancements :
    
      - `cf curl` supports a new `--fail` flag (primarily for
        scripting purposes) which returns exit code `22` for
        server errors
        [story](https://www.pivotaltracker.com/story/show/130060
        949)
    
      - Improves `cf delete-orphaned-routes` such that it uses a
        different endpoint, reducing the chance of a race
        condition when two users are simultaneously deleting
        orphaned routes and associating routes with applications
        [story](https://www.pivotaltracker.com/story/show/163156
        064)
    
      - we've improved the speed of cf services - it now hits a
        single endpoint instead of making individual API calls
    
    Security :
    
      - CVE-2019-3781: CF CLI does not sanitize user’s
        password in verbose/trace/debug.
    
      - Fixes issue with running cf login in verbose mode
        whereby passwords which contains regex were not
        completely redacted
    
      - Fixes issue whilst running commands in verbose mode
        refresh tokens were not completely redacted
    
    Other Bug Fixes :
    
      - Updates help text for cf curlstory
    
      - Now refresh tokens work properly whilst using cf curl
        with V3 CC API endpoints story
    
      - Fixes performance degradation for cf services story
    
      - cf delete-service requires that you are targeting a
        space story
    
      - cf enable-service access for a service in an org will
        succeed if you have already enabled access for that
        service in that org story
    
    cf-cli was updated to version 6.42.0 :
    
    Minor Enhancements :
    
      - updated `cf restage` help text and the first line in the
        command's output to indicate that using this command
        will cause app downtime
        [story](https://www.pivotaltracker.com/story/show/151841
        382)
    
      - updated the `cf bind-route-service` help text to clarify
        usage instructions
        [story](https://www.pivotaltracker.com/story/show/150111
        078)
    
      - improved an error message for `cf create-service-boker`
        to be more helpful when the CC API returns a `502` due
        to an invalid service broker catalog 
    
      - upgraded to Golang 1.11.4
        [story](https://www.pivotaltracker.com/story/show/162745
        359)
    
      - added a short name `ue` for `cf unset-env`
        [story](https://www.pivotaltracker.com/story/show/161632
        713)
    
      - updated `cf marketplace` command to include a new
        `broker` column to prepare for a upcoming
        services-related feature which will allow services to
        have the same name as long as they are associated with
        different service brokers
        [story](https://www.pivotaltracker.com/story/show/162699
        756)
    
    Bugs :
    
      - fix for `cf enable-service-access -p plan` whereby when
        we refactored the code in CLI `v6.41.0` it created
        service plan visibilities as part of a subsequent run of
        the command (the unrefactored code skipped creating the
        service plan visibilities); now the command will skip
        creating service plan visibilities as it did prior to
        the refactor
        [story](https://www.pivotaltracker.com/story/show/162747
        373)
    
      - updated the `cf rename-buildpack` help text which was
        missing reference to the `-s` stack flag
        [story](https://www.pivotaltracker.com/story/show/162428
        661)
    
      - updated help text for when users use `brew search
        cloudfoundry-cli`
        [story](https://www.pivotaltracker.com/story/show/161770
        940)
    
      - now when you run `cf service service-instance` for a
        route service, the route service url appears in the key
        value table
        [story](https://www.pivotaltracker.com/story/show/162498
        211)
    
    Update to version 6.41.0 :
    
    Enhancements :
    
      - updated `cf --help` to include the `delete` command
        [story](https://www.pivotaltracker.com/story/show/161556
        511)
    
    Update to version 6.40.1 :
    
    Bug Fixes :
    
      - Updates the minimum version for the buildpacks-stacks
        association feature. In [CLI
        v6.39.0](https://github.com/cloudfoundry/cli/releases/ta
        g/v6.39.0), when the feature was released, we
        incorrectly set the minimum to cc api version as`2.114`.
        The minimum cc api version is now correctly set to
        [`2.112`](https://github.com/cloudfoundry/capi-release/r
        eleases/tag/1.58.0).
        [story](https://www.pivotaltracker.com/story/show/161464
        797)
    
      - Fixes a bug with inspecting a service instance `cf
        service service-instance`, now the `documentation` url
        displays correctly for services which populate that
        field
        [story](https://www.pivotaltracker.com/story/show/161251
        875)
    
    Update to version 6.40.0 :
    
    Bug Fixes :
    
      - Fix bug where trailing slash on cf api would break
        listing commands for older CC APIs story. For older
        versions of CC API, if the API URL had a trailing slash,
        some requests would fail with an 'Unknown request'
        error. These requests are now handled properly.
    
    Update to version 6.39.0 :
    
    Enhancements :
    
      - for users on cc api 3.27, cf start is enhanced to
        display the new cf app v3 output. For users on cc api
        3.27 or lower, users will see the same v2 output. Note
        that if you use v3 commands to create and start your
        app, if you subsequently use cf stop and cf start, the
        routes property in cf app will not populate even though
        the route exists story
    
      - for users on cc api 3.27, cf restart is enhanced to
        display the new cf app v3 output. For users on cc api
        3.27 or lower, users will see the same v2 output. story
    
      - for users on cc api 3.27, cf restage is enhanced to
        display the new cf app v3 output. For users on cc api
        3.27 or lower, users will see the same v2 output. story
    
      - improved help text for -d domains for cf push to include
        examples of usage story
    
      - cf v3-scale displays additional app information story
    
      - if you've created an internal domain, and it is the
        first domain in cc, the CLI will now ignore the internal
        domain and instead choose the next non-internal domain
        when you push an app story
    
    Bug Fixes :
    
      - Fix for users on macOS attempting to brew install cf-cli
        the CF CLI using the unreleased master branch of
        Homebrew story
    
      - Fixes an issue whereby, due to a recent cc api change,
        when you execute cf push and watch the cf app command,
        the app display returned a 400 error story
    
      - Fixes a bug whereby if you logged in using client
        credentials, cf auth user pass --client credentials you
        were unable to create an org; now create-org will assign
        the role to the user id specified in your manifest story
    
      - fixes an issue introduced when we refactored cf start
        and as part of that work, we stopped blocking on the
        initial connection with the logging backend; now the CLI
        blocks until the NOAA connection is made, or the default
        dial timeout of five seconds is reached story
    
    update to version 6.38.0 :
    
    Enhancements :
    
      - v3-ssh process type now defaults to web story
    
      - Support added for setting tags for user provided service
        instances story
    
      - Now a warning appears if you attempt to use deprecated
        properties and variable substitution story
    
      - Updated usage so now you can rename the cf binary use it
        with every command story
    
      - cf events now displays the Diego cell_id and instance
        guid in crash events story
    
      - Includes cf service service-instance table display
        improvements wherein the service instance information is
        now grouped separately from the binding information
        story
    
      - cf service service-instance table display information
        for user provided services changed: status has been
        added to the table story
    
    Bug Fixes :
    
      - the CLI now properly handles escaped commas in the
        X-Cf-Warnings header
    
    Update to version 6.37.0 :
    
    Enhancements
    
      - The api/cloudcontroller/ccv2 package has been updated
        with more functions #1343
    
      - Now a warning appears if you are using a API version
        older than 2.69.0, which is no longer officially
        supported
    
      - Now the CLI reads the username and password from the
        environment variables #1358
    
    Bug Fixes :
    
      - Fixes bug whereby X-Cf-Warnings were not being unescaped
        when displayed to user #1361
    
      - When using CF_TRACE=1, passwords are now sanitized #1375
        and tracker
    
    Update to version 6.36.0 :
    
    Bug Fixes :
    
      - int64 support for cf/flags library, #1333
    
      - Debian package, #1336
    
      - Web action flag not working on CLI 0.6.5, #1337
    
      - When a cf push upload fails/Consul is down, a panic
        occurs, #1340 and #1351
    
    update to version 6.35.2 :
    
    Bug Fixes :
    
      - Providing a clearer services authorization warning
        message when a service has been disabled for the
        organization, fixing #1344
    
    This update was imported from the SUSE:SLE-15:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1132242"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://github.com/cloudfoundry/capi-release/releases/tag/1.58.0"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://github.com/cloudfoundry/cli/releases/tag/v6.39.0"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.pivotaltracker.com/story/show/130060949"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.pivotaltracker.com/story/show/150111078"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.pivotaltracker.com/story/show/151841382"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.pivotaltracker.com/story/show/161251875"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.pivotaltracker.com/story/show/161464797"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.pivotaltracker.com/story/show/161556511"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.pivotaltracker.com/story/show/161632713"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.pivotaltracker.com/story/show/161770940"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.pivotaltracker.com/story/show/162428661"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.pivotaltracker.com/story/show/162498211"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.pivotaltracker.com/story/show/162699756"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.pivotaltracker.com/story/show/162745359"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.pivotaltracker.com/story/show/162747373"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.pivotaltracker.com/story/show/163156064"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected cf-cli packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cf-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cf-cli-test");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE15.0", reference:"cf-cli-6.43.0-lp150.2.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"cf-cli-test-6.43.0-lp150.2.3.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
      else security_note(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cf-cli / cf-cli-test");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-1220-2.NASL
    description: This update for cf-cli fixes the following issues : cf-cli was updated: to version 6.43.0 (bsc#1132242) Enhancements : `cf curl` supports a new `--fail` flag (primarily for scripting purposes) which returns exit code `22` for server errors [story](https://www.pivotaltracker.com/story/show/130060949) Improves `cf delete-orphaned-routes` such that it uses a different endpoint, reducing the chance of a race condition when two users are simultaneously deleting orphaned routes and associating routes with applications [story](https://www.pivotaltracker.com/story/show/163156064) we
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 126525
    published: 2019-07-08
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/126525
    title: SUSE SLED15 / SLES15 Security Update : cf-cli (SUSE-SU-2019:1220-2)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-1220-1.NASL
    description: This update for cf-cli fixes the following issues : cf-cli was updated: to version 6.43.0 (bsc#1132242) Enhancements : `cf curl` supports a new `--fail` flag (primarily for scripting purposes) which returns exit code `22` for server errors [story](https://www.pivotaltracker.com/story/show/130060949) Improves `cf delete-orphaned-routes` such that it uses a different endpoint, reducing the chance of a race condition when two users are simultaneously deleting orphaned routes and associating routes with applications [story](https://www.pivotaltracker.com/story/show/163156064) we
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 125214
    published: 2019-05-16
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/125214
    title: SUSE SLED15 / SLES15 Security Update : cf-cli (SUSE-SU-2019:1220-1)