CVE-2013-6765
Published 2014-05-19
Priority: P263 · Severity: high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EPSS: 7.27% (93.6th percentile)
OpenVAS Manager 3.0 before 3.0.7 and 4.0 before 4.0.4 allows remote attackers to bypass the OMP authentication restrictions and execute OMP commands via a crafted OMP request for version information, which causes the state to be set to CLIENT_AUTHENTIC, as demonstrated by the omp_xml_handle_end_element function in omp.c.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openvas | openvas_manager | 3.0 before 3.0.7 | 3.0.7 |
| openvas | openvas_manager | 4.0 before 4.0.4 | 4.0.4 |
Detection & IOCs (extracted from sources)
- Monitor TCP/9390 (the OpenVAS Manager OMP port) for an unauthenticated OMP request such as <get_version/> that is followed on the same connection by privileged OMP commands (get_agents, get_configs, get_users, get_targets and similar) without a preceding successful <authenticate> exchange. That sequence is the signature of the CLIENT_AUTHENTIC state-confusion bug.
- The vulnerable code path is omp_xml_handle_end_element() in omp.c: after handling <get_version/> it moves the session into CLIENT_AUTHENTIC even though no credentials were checked.
- Alert on SSL/TLS connections to TCP/9390 from non-loopback or public interfaces that issue OMP commands without authenticating, in particular get_agents, get_configs, get_alerts, get_filters, get_lsc_credentials, get_notes, get_nvts, get_targets, get_users and get_schedules.
- The bypass is only reachable remotely when OpenVAS Manager is bound to a public or other non-loopback interface; binding the service to localhost removes the remote attack surface.
- The bypass is incomplete: several OMP commands still fail to execute after the state confusion, so not all ~70 OMP commands are usable by an attacker.
- Fixed versions are OpenVAS Manager 3.0.7 and 4.0.4; 3.0 before 3.0.7 and 4.0 before 4.0.4 are vulnerable.
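The detection logic described in the bullets above, as an added example that is not part of this page or of the OpenVAS project: a Python tracker that replays a per-connection trace of OMP messages and flags privileged commands issued on a connection that never completed a successful <authenticate>, separating the CVE-2013-6765 pattern (a prior unauthenticated <get_version/>) from a plain unauthenticated probe. The trace format (connection id, direction, OMP XML), the sample messages and the 400 status used for a failed login are constructed for this example; the privileged-command list and the fixed-version boundaries come from the text above. A version check against the advisory's two ranges is included so the <version> returned by <get_version_response> can be triaged as well.

```python
import re

# OMP commands that require an authenticated session (the subset named in the advisory text).
PRIVILEGED = {
    "get_agents", "get_alerts", "get_configs", "get_filters", "get_lsc_credentials",
    "get_notes", "get_nvts", "get_schedules", "get_targets", "get_users",
}

# Constructed trace (not real manager output): "<conn-id> <direction> <OMP XML>",
# where "C>" is client-to-manager and "S>" is manager-to-client, one OMP message per line.
# The 400 status on a failed <authenticate> is an assumption made for this example.
SAMPLE_TRACE = """\
c1 C> <authenticate><credentials><username>admin</username><password>secret</password></credentials></authenticate>
c1 S> <authenticate_response status="200" status_text="OK"/>
c1 C> <get_targets/>
c2 C> <get_version/>
c2 S> <get_version_response status="200" status_text="OK"><version>4.0</version></get_version_response>
c2 C> <get_users/>
c3 C> <get_version/>
c3 S> <get_version_response status="200" status_text="OK"><version>4.0</version></get_version_response>
c3 C> <authenticate><credentials><username>admin</username><password>wrong</password></credentials></authenticate>
c3 S> <authenticate_response status="400" status_text="Authentication failed"/>
c3 C> <get_configs/>
"""

LINE_RE = re.compile(r"^(\S+)\s+(C>|S>)\s+(.*)$")
TAG_RE = re.compile(r"^<([A-Za-z_]+)")
STATUS_RE = re.compile(r'status="(\d+)"')


def analyze_trace(trace):
    """Replay an OMP message trace and return (conn_id, command, reason) alerts.

    A connection counts as authenticated only after an <authenticate> request that
    the manager answered with status 200. Any privileged command seen before that
    point is an alert; if the connection had already sent an unauthenticated
    <get_version/>, the alert names the CVE-2013-6765 pattern.
    """
    authenticated = set()     # connections whose <authenticate> got status 200
    awaiting_auth = set()     # connections with an <authenticate> not yet answered
    sent_get_version = set()  # connections that issued <get_version/> before authenticating
    alerts = []

    for raw in trace.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        conn, direction, xml = line.groups()
        tag = TAG_RE.match(xml)
        if not tag:
            continue
        name = tag.group(1)

        if direction == "C>":
            if name == "authenticate":
                awaiting_auth.add(conn)
            elif name == "get_version" and conn not in authenticated:
                sent_get_version.add(conn)
            elif name in PRIVILEGED and conn not in authenticated:
                if conn in sent_get_version:
                    reason = "privileged command after unauthenticated get_version (CVE-2013-6765 pattern)"
                else:
                    reason = "privileged command without any authentication"
                alerts.append((conn, name, reason))
        elif name == "authenticate_response" and conn in awaiting_auth:
            awaiting_auth.discard(conn)
            status = STATUS_RE.search(xml)
            if status and status.group(1) == "200":
                authenticated.add(conn)
    return alerts


def version_is_vulnerable(version):
    """True if a dotted OpenVAS Manager version falls in the advisory's vulnerable ranges.

    Only the two ranges named in the advisory are checked: 3.0 before 3.0.7 and
    4.0 before 4.0.4. Other release lines return False (not listed, not "safe").
    """
    parts = tuple(int(p) for p in version.split("."))
    if parts[:2] == (3, 0):
        return parts < (3, 0, 7)
    if parts[:2] == (4, 0):
        return parts < (4, 0, 4)
    return False


if __name__ == "__main__":
    for conn, command, reason in analyze_trace(SAMPLE_TRACE):
        print(f"{conn}: {command}: {reason}")
    print("4.0.3 vulnerable:", version_is_vulnerable("4.0.3"))
```

On the sample trace, c1 is clean (authenticated before get_targets), while c2 and c3 both trip the CVE-2013-6765 pattern: c2 goes straight from <get_version/> to <get_users/>, and c3 does the same after a failed login, which is exactly the situation the state-confusion bug turns into a working session. Feeding the tracker from a TLS-terminating proxy in front of TCP/9390 is the practical way to obtain the per-connection trace, since the protocol is encrypted on the wire.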
Bugzilla
CVE-2013-6765 openvas-manager: openvas manager: bypass OMP authentication procedure [fedora-all]
bugzilla · 2013-11-11 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please n
Bugzilla
CVE-2013-6765 openvas manager: bypass OMP authentication procedure
bugzilla · 2013-11-11 · CVSS 7.5 · HIGH
OpenVAS Manager was found to have a security flaw which allowed an attacker to bypass the OMP authentication procedure.
The attack vector was remotely available in case OpenVAS Manager was listening on a public network interface. In case of a successful attack, the attacker gained partial rights to execute OMP commands. The authentication bypass was, however, incomplete and several OMP commands failed to execute properly.
The issue is said to be fixed in latest releases OpenVAS Manager 4.0.4 & OpenVAS Manager 3.0.7.
References:
http://seclists.org/oss-sec/2013/q4/255
http://lists.wald.intevation.org/pipermail/openvas-announce/2013-November/000157.html
Discussion:
Created openvas-manager tracking bugs for this issue:
Af
References:
http://lists.wald.intevation.org/pipermail/openvas-announce/2013-November/000157.html
http://www.openvas.org/OVSA20131108.html
http://www.openwall.com/lists/oss-security/2013/11/10/2