cbcvebase.
CVE-2013-6765
published 2014-05-19

Priority: P2 · 63 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Tags: EXPLOIT
EPSS: 7.27% (93.6th percentile)
OpenVAS Manager 3.0 before 3.0.7 and 4.0 before 4.0.4 allows remote attackers to bypass the OMP authentication restrictions and execute OMP commands via a crafted OMP request for version information, which causes the state to be set to CLIENT_AUTHENTIC, as demonstrated by the omp_xml_handle_end_element function in omp.c.

Affected

13 ranges

Vendor    Product           Version range    Fixed in
openvas   openvas_manager   (13 ranges; the per-range version and fixed-in values were not captured on this page)

Detection & IOCs (extracted from sources)

Port: tcp/9390
  • Monitor for unauthenticated OMP XML requests (e.g., <get_version/>) on TCP/9390 that are immediately followed by privileged OMP commands (get_agents, get_configs, get_users, get_targets, etc.) without a preceding successful <authenticate> exchange; this indicates exploitation of the CLIENT_AUTHENTIC state confusion bug.
  • The vulnerable code path is in omp_xml_handle_end_element() in omp.c; look for OpenVAS Manager processes handling <get_version/> that transition session state to CLIENT_AUTHENTIC without authentication.
  • Alert on SSL/TLS connections to TCP/9390 (OpenVAS Manager default port) from non-localhost/public network interfaces issuing OMP commands without authentication, especially get_agents, get_configs, get_alerts, get_filters, get_lsc_credentials, get_notes, get_nvts, get_targets, get_users, get_schedules.
  • The authentication bypass is only exploitable when OpenVAS Manager is bound to a public/non-loopback network interface; restrict the service to localhost to reduce attack surface.
  • The bypass is incomplete: several OMP commands fail to execute properly even after a successful authentication bypass, so not all ~70 OMP commands are weaponizable.
  • Fixed versions are OpenVAS Manager 3.0.7 and 4.0.4; versions 3.0 before 3.0.7 and 4.0 before 4.0.4 are vulnerable.
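The first detection bullet above describes a session-level rule: a privileged OMP command is suspicious when the same TCP session has not seen a successful <authenticate> exchange, and even more so when it directly follows a <get_version/>. The following detector is an added example written for this page, not code from the page's sources or from the OpenVAS project. It assumes a constructed, simplified log format (one decrypted OMP message per line as "<session-id> <C|S> <xml>", which a TLS-terminating proxy or an OMP-aware sensor would have to produce) and evaluates that rule per session.

```python
import re
from collections import defaultdict

# Privileged OMP commands named in the detection guidance above.
PRIVILEGED_COMMANDS = {
    "get_agents", "get_configs", "get_alerts", "get_filters",
    "get_lsc_credentials", "get_notes", "get_nvts", "get_targets",
    "get_users", "get_schedules",
}

# Constructed sample log (not real traffic): one OMP message per line,
# formatted as "<session-id> <C|S> <xml>", C = client, S = server.
# s1: get_version followed by a privileged command, no authenticate at all.
# s2: proper authenticate (status 200) before a privileged command.
# s3: failed authenticate (status 400) followed by a privileged command.
SAMPLE_LOG = """\
s1 C <get_version/>
s1 S <get_version_response status="200" status_text="OK"><version>4.0</version></get_version_response>
s1 C <get_users/>
s1 S <get_users_response status="200" status_text="OK"/>
s2 C <authenticate><credentials><username>admin</username><password>REDACTED</password></credentials></authenticate>
s2 S <authenticate_response status="200" status_text="OK"/>
s2 C <get_targets/>
s2 S <get_targets_response status="200" status_text="OK"/>
s3 C <authenticate><credentials><username>admin</username><password>REDACTED</password></credentials></authenticate>
s3 S <authenticate_response status="400" status_text="Authentication failed"/>
s3 C <get_configs/>
"""

LINE_RE = re.compile(r"^(\S+)\s+([CS])\s+(.*)$")
ELEMENT_RE = re.compile(r"<([A-Za-z_]+)")      # name of the outermost XML element
STATUS_RE = re.compile(r'\bstatus="(\d+)"')     # OMP response status attribute


def parse_line(line):
    """Return (session, direction, element_name, xml) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    session, direction, xml = m.groups()
    element = ELEMENT_RE.match(xml)
    if not element:
        return None
    return session, direction, element.group(1), xml


def find_unauthenticated_privileged(log_text):
    """Flag privileged OMP commands issued in sessions without a successful authenticate.

    Each finding records the session, the command, and whether the session
    had already sent <get_version/>, the signature of this specific bypass.
    """
    authenticated = defaultdict(bool)     # session -> saw authenticate_response status 200
    saw_get_version = defaultdict(bool)   # session -> saw <get_version/>
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        session, direction, element, xml = parsed
        if direction == "S":
            # Only the server's authenticate_response can change the auth state.
            if element == "authenticate_response":
                status = STATUS_RE.search(xml)
                authenticated[session] = bool(status and status.group(1) == "200")
            continue
        if element == "get_version":
            saw_get_version[session] = True
        elif element in PRIVILEGED_COMMANDS and not authenticated[session]:
            findings.append({
                "session": session,
                "command": element,
                "after_get_version": saw_get_version[session],
            })
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated_privileged(SAMPLE_LOG):
        marker = "CVE-2013-6765 pattern" if f["after_get_version"] else "unauthenticated OMP"
        print(f"session {f['session']}: {f['command']} without authentication ({marker})")
```

Sessions s1 and s3 are reported; s2 is not. Only s1 carries the get_version-then-privileged-command shape that the state confusion produces, so the detector distinguishes it from a plain unauthenticated probe, which is still worth an alert on a non-loopback interface per the third bullet.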