CVE-2014-0644
published 2014-04-17
CVE-2014-0644: EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity…
Priority P267 · high · 7.8 · CVSS 2.0
AV:N/AC:L/Au:N/C:C/I:N/A:N
EXPLOIT
EPSS 53.34% (98.9th percentile)
EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, as demonstrated by reading the /etc/shadow file.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| emc | cloud_tiering_appliance_software | — | — |
| redhat | ansible | >= 0 < 1.5.5 | 1.5.5 |
Detection & IOCs
- Detect unauthenticated POST requests to /api/login containing XML external entity (XXE) declarations (DOCTYPE + ENTITY keywords) in the POST body, which is the attack vector for this CVE.
- Alert on POST /api/login requests with Content-Type: application/x-www-form-urlencoded that contain XML DOCTYPE declarations, as the exploit smuggles XXE payloads in this form-encoded body.
- Monitor for requests to /api/login referencing /UxFramework/UxFlashApplication.swf as the Referer, which is characteristic of exploitation attempts against EMC CTA.
- The Metasploit module auxiliary/gather/emc_cta_xxe can be used to reproduce and test for this vulnerability; presence of this module name in logs or IDS signatures is a strong indicator of exploitation attempts.
- The exploit operates without authentication: no credentials are required, making pre-auth detection critical. Standard authenticated-session monitoring will miss this attack.
- The vulnerability affects EMC Cloud Tiering Appliance versions 10 through SP1 only; detection rules should be scoped to those product versions to reduce false positives.
- File reads are performed with root-level permissions, meaning any file on the filesystem (including /etc/shadow) is accessible. Detection should not be limited to shadow file access patterns alone.
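The checks listed above, combined into one classifier over parsed HTTP request records. This is an added example, not code from the page or from any vendor rule set; the record layout, the signal names, the `cta.example` host and the placeholder entity target are assumptions, and treating the Referer as corroborating only is a choice made for this sketch.

```python
import re
from urllib.parse import quote, unquote_plus, urlsplit

LOGIN_PATH = "/api/login"
REFERER_HINT = "/UxFramework/UxFlashApplication.swf"
FORM = "application/x-www-form-urlencoded"
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
ENTITY_RE = re.compile(r"<!ENTITY\b", re.I)

def decode_body(body, rounds=3):
    """Percent-decode repeatedly so single- or double-encoded markup is visible."""
    for _ in range(rounds):
        decoded = unquote_plus(body)
        if decoded == body:
            break
        body = decoded
    return body

def classify(req):
    """Return matched signal names (empty list: nothing to report).

    No session or cookie condition is applied: the flaw is pre-authentication.
    """
    if req["method"].upper() != "POST":
        return []
    if urlsplit(req["path"]).path.rstrip("/") != LOGIN_PATH:
        return []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    body = decode_body(req.get("body", ""))
    signals = []
    if DOCTYPE_RE.search(body) and ENTITY_RE.search(body):
        signals.append("xxe-declaration-in-login-body")
        if FORM in headers.get("content-type", "").lower():
            signals.append("xml-doctype-in-form-encoded-body")
        if headers.get("referer", "").endswith(REFERER_HINT):
            signals.append("cta-flash-referer")
    return signals

# Constructed records, not captured traffic; the entity target is a placeholder.
MARKUP = '<!DOCTYPE a [<!ENTITY e SYSTEM "file:///PLACEHOLDER">]>'
SAMPLES = [
    {"method": "POST", "path": "/api/login",
     "headers": {"Content-Type": FORM}, "body": "user=alice&pass=example"},
    {"method": "POST", "path": "/api/login", "body": quote(quote(MARKUP)),
     "headers": {"Content-Type": FORM,
                 "Referer": "https://cta.example" + REFERER_HINT}},
    {"method": "GET", "path": "/api/login", "headers": {}, "body": MARKUP},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["method"], sample["path"], classify(sample))
```

The second sample is percent-encoded twice to show why the body has to be decoded before matching; a plain substring search on the raw form body would miss it.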
CVSS provenance
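| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.8 | HIGH | AV:N/AC:L/Au:N/C:C/I:N/A:N |
| vendor_redhat | — | 5.5 | MEDIUM | — |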
GHSA
GHSA-p2xc-mcp4-pvvr: EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external e
ghsa_unreviewed·2022-05-17
CVE-2014-0644 [HIGH] CWE-200 GHSA-p2xc-mcp4-pvvr
EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, as demonstrated by reading the /etc/shadow file.
GHSA
Ansible sets unsafe permissions for sources.list
ghsa·2022-05-17
CVE-2014-4659 [MEDIUM] CWE-522
Ansible before 1.5.5 sets 0644 permissions for `sources.list`, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the `"deb http://user:pass@server:port/"` format.
Red Hat
open-vm-tools: vm-support's diagnostics archive created with world-readable permissions
vendor_redhat·2014-08-26·CVSS 4.7
CVE-2014-4200 [MEDIUM] CWE-377
vm-support 0.88 in VMware Tools, as distributed with VMware Workstation through 10.0.3 and other products, uses 0644 permissions for the vm-support archive, which allows local users to obtain sensitive information by extracting files from this archive.
Package: open-vm-tools (CloudForms Management Engine 5) - Will not fix
Red Hat
ansible: information disclosure through incorrect file permission
vendor_redhat·2014-06-26·CVSS 5.5
CVE-2014-4659 [MEDIUM] CWE-732
Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format.
A flaw was found in ansible. Improper permissions on the sources.list might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format. The highest threat from this vulnerability is to data confidentiality.
Package: ansible (CloudForms Management Engine 5) - Not affected
Package: ansible (Red Hat Ansible Engine 2) - Not affected
Package: ansible (Red Hat Ansible Tower 3) - Not
No detection rules found.
Exploit-DB
EMC Cloud Tiering Appliance 10.0 - XML External Entity Arbitrary File Read (Metasploit)
exploitdb·2014-03-31
CVE-2014-0644
---
EMC Cloud Tiering Appliance v10.0 Unauthed XXE
The following authentication request is susceptible to an XXE attack:
```http
POST /api/login HTTP/1.1
Host: 172.31.16.99
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=12818F1AC5C744CF444B2683ABF6E8AC
Connection: keep-alive
Referer: https://172.31.16.99/UxFramework/UxFlashApplication.swf
Content-Type: application/x-www-form-urlencoded
Content-Length: 213

root
114,97,105,110
```
The following metasploit module will exploit this to read an arbitrary file from the f
Metasploit
EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read
metasploit
EMC CTA v10.0 is susceptible to an unauthenticated XXE attack that allows an attacker to read arbitrary files from the file system with the permissions of the root user.
- http://archives.neohapsis.com/archives/bugtraq/2014-04/0094.html
- http://seclists.org/fulldisclosure/2014/Mar/426
- https://gist.github.com/brandonprry/9895721
2014-04-17
Published