Test ID:1.3.6.1.4.1.25623.1.0.105083
Category:Web application abuses
Title:ManageEngine EventLog Analyzer Multiple Security Vulnerabilities
Summary:ManageEngine EventLog Analyzer is prone to an arbitrary file-upload vulnerability and an unauthorized-access vulnerability.
Description:
Summary:
ManageEngine EventLog Analyzer is prone to an arbitrary file-upload
vulnerability and an unauthorized-access vulnerability.

Vulnerability Insight:
1) Unauthenticated remote code execution
ME EventLog Analyzer contains an 'agentUpload' servlet which is used by agents
to send log data as zip files to the central server. Files can be uploaded
without authentication and are stored/decompressed in the 'data' subdirectory.

As the decompress procedure handles the file names in the ZIP file in an
insecure way, it is possible to store files in the web root of the server. This can
be used to upload/execute code with the rights of the application server.
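The root cause above is a decompressor that trusts the file names inside the archive. The following is an added example, not ManageEngine's code and not derived from their implementation: an extraction routine that resolves every entry against the target directory and skips any entry that would land outside it. The archive it unpacks is constructed inline; the entry names are illustrative only.

```python
"""Safe ZIP extraction: refuse entries whose resolved path escapes the
destination directory. Added example for the bug class described in the
advisory (archive entry names trusted during decompression); it is not
vendor code and assumes nothing about the vendor's implementation."""
import io
import tempfile
import zipfile
from pathlib import Path


def _is_within(root: Path, candidate: Path) -> bool:
    """True if candidate is root itself or lies below it (both resolved)."""
    try:
        candidate.relative_to(root)
        return True
    except ValueError:
        return False


def safe_extract(zip_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract zip_bytes into dest, skipping entries that would escape dest.
    Returns (extracted_names, rejected_names) in archive order."""
    dest_root = Path(dest).resolve()
    extracted: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Joining an absolute name would discard dest_root, and ".."
            # segments walk upwards; resolve() exposes both, after which a
            # single containment check decides. Backslashes are rejected
            # outright: the ZIP format mandates "/" as the separator.
            target = (dest_root / name).resolve()
            if "\\" in name or not _is_within(dest_root, target):
                rejected.append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_zip() -> bytes:
    """Constructed archive: one benign log entry plus two entries whose
    names try to leave the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agent/log1.txt", "ok")
        zf.writestr("../../escaped.txt", "should never be written")
        zf.writestr("/abs.txt", "should never be written")
    return buf.getvalue()


def demo() -> dict:
    """Extract the constructed archive into a fresh temp dir and report."""
    dest = tempfile.mkdtemp()
    extracted, rejected = safe_extract(build_sample_zip(), dest)
    written = (Path(dest) / "agent" / "log1.txt").read_text()
    return {"extracted": extracted, "rejected": rejected, "content": written}


if __name__ == "__main__":
    print(demo())
```

The containment check is done on the resolved path rather than by string inspection of the entry name, so "..", absolute names, and mixed forms are all caught by the same rule; only the benign entry is written to disk.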

2) Authorization issues
The EventLog Analyzer web interface does not check whether an authenticated user has
sufficient permissions to access certain parts of the application. A low
privileged user (for example guest) can therefore access critical sections of the web
interface by directly calling the corresponding URLs. This can be used to access the
database browser of the application, which gives the attacker full access to the database.

Vulnerability Impact:
Attackers can exploit these issues to execute arbitrary code and gain
unauthorized access to the critical sections of the application.

Affected Software/OS:
EventLog Analyzer 9.9 Build 9002 and prior are vulnerable.

Solution:
Ask the Vendor for an update. Workaround:

1) Unauthenticated remote code execution

If agents are not used to collect log information, access to the servlet can be disabled by commenting out the
following lines in the web.xml file (webapps/event/WEB-INF/web.xml) and restarting the service.

    <servlet>
        <servlet-name>agentUpload</servlet-name>
        <servlet-class>com.adventnet.sa.agent.UploadHandlerServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>agentUpload</servlet-name>
        <url-pattern>/agentUpload</url-pattern>
    </servlet-mapping>

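To confirm the workaround took effect, a defender can parse the deployed web.xml and check that no active servlet definition or servlet-mapping for 'agentUpload' remains. The script below is an added example, not vendor code; it uses only the servlet name, class name and URL pattern given in the advisory, and the two web.xml fragments it checks are constructed for the demonstration (one with the servlet active, one with both blocks commented out as the workaround describes). The real file lives at webapps/event/WEB-INF/web.xml.

```python
"""Check whether the 'agentUpload' servlet is still defined and mapped in
an EventLog Analyzer web.xml. Added example to verify the advisory's
workaround; not vendor code. The web.xml fragments are constructed."""
import xml.etree.ElementTree as ET

SERVLET_NAME = "agentUpload"                                     # from the advisory
SERVLET_CLASS = "com.adventnet.sa.agent.UploadHandlerServlet"  # from the advisory


def _local(tag: str) -> str:
    """Strip an XML namespace prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> list[str]:
    """Text of every direct child element with the given local name."""
    return [c.text.strip() for c in elem if _local(c.tag) == name and c.text]


def agent_upload_status(web_xml: str) -> dict:
    """Report which parts of the agentUpload definition are still active.
    ElementTree discards XML comments, so blocks commented out per the
    workaround simply do not appear and therefore count as disabled."""
    root = ET.fromstring(web_xml)
    servlet_defined = False
    url_patterns: list[str] = []
    for elem in root:
        kind = _local(elem.tag)
        names = _child_text(elem, "servlet-name")
        if kind == "servlet" and (
            SERVLET_NAME in names or SERVLET_CLASS in _child_text(elem, "servlet-class")
        ):
            servlet_defined = True
        elif kind == "servlet-mapping" and SERVLET_NAME in names:
            url_patterns.extend(_child_text(elem, "url-pattern"))
    return {
        "servlet_defined": servlet_defined,
        "url_patterns": url_patterns,
        "exposed": servlet_defined and bool(url_patterns),
    }


# Constructed sample: servlet still active (vulnerable configuration).
VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>agentUpload</servlet-name>
    <servlet-class>com.adventnet.sa.agent.UploadHandlerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>agentUpload</servlet-name>
    <url-pattern>/agentUpload</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: both blocks commented out as the workaround instructs.
MITIGATED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <!--
  <servlet>
    <servlet-name>agentUpload</servlet-name>
    <servlet-class>com.adventnet.sa.agent.UploadHandlerServlet</servlet-class>
  </servlet>
  -->
  <!--
  <servlet-mapping>
    <servlet-name>agentUpload</servlet-name>
    <url-pattern>/agentUpload</url-pattern>
  </servlet-mapping>
  -->
</web-app>
"""


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_WEB_XML), ("mitigated", MITIGATED_WEB_XML)):
        print(label, agent_upload_status(doc))
```

To check a live installation, read webapps/event/WEB-INF/web.xml and pass its contents to agent_upload_status(); an "exposed" value of True means the servlet is still reachable and the service has not been reconfigured.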
2) Authorization issues

No workaround; reduce the attack surface by disabling unused low privileged accounts such as 'guest'.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerabilities and Exposures (CVE) ID: CVE-2014-6037
BugTraq ID: 69482
http://www.securityfocus.com/bid/69482
http://www.exploit-db.com/exploits/34519
http://seclists.org/fulldisclosure/2014/Aug/86
http://seclists.org/fulldisclosure/2014/Sep/1
http://seclists.org/fulldisclosure/2014/Sep/19
http://seclists.org/fulldisclosure/2014/Sep/20
http://packetstormsecurity.com/files/128102/ManageEngine-EventLog-Analyzer-9.9-Authorization-Code-Execution.html
https://github.com/rapid7/metasploit-framework/pull/3732
https://www.mogwaisecurity.de/advisories/MSA-2014-01.txt
http://osvdb.org/show/osvdb/110642
Copyright:Copyright (C) 2014 Greenbone Networks GmbH

© 1998-2025 E-Soft Inc. All rights reserved.