CVE-2016-3728
published 2016-05-20
CVE-2016-3728: Eval injection vulnerability in tftp_api.rb in the TFTP module in the Smart-Proxy in Foreman before 1.10.4 and 1.11.x before 1.11.2 allows remote attackers to…
Priority P352, high, 8.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 2.84% (84.9th percentile)
Eval injection vulnerability in tftp_api.rb in the TFTP module in the Smart-Proxy in Foreman before 1.10.4 and 1.11.x before 1.11.2 allows remote attackers to execute arbitrary code via the PXE template type portion of the PATH_INFO to tftp/.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| theforeman | foreman | — | — |
| theforeman | foreman | — | — |
| theforeman | foreman | — | — |
CVSS provenance
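| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 8.8 | HIGH | — |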
GHSA
GHSA-p492-9h7w-9x72: Eval injection vulnerability in tftp_api
ghsa_unreviewed·2022-05-14
CVE-2016-3728 [HIGH] CWE-284 GHSA-p492-9h7w-9x72: Eval injection vulnerability in tftp_api
Eval injection vulnerability in tftp_api.rb in the TFTP module in the Smart-Proxy in Foreman before 1.10.4 and 1.11.x before 1.11.2 allows remote attackers to execute arbitrary code via the PXE template type portion of the PATH_INFO to tftp/.
Red Hat
foreman: Missing input validation in Smart Proxy allows RCE via TFTP file variant parameter
vendor_redhat·2016-05-05·CVSS 8.8
CVE-2016-3728 [HIGH] CWE-20 foreman: Missing input validation in Smart Proxy allows RCE via TFTP file variant parameter
Eval injection vulnerability in tftp_api.rb in the TFTP module in the Smart-Proxy in Foreman before 1.10.4 and 1.11.x before 1.11.2 allows remote attackers to execute arbitrary code via the PXE template type portion of the PATH_INFO to tftp/.
It was found that the “variant” parameter in the TFTP API of Foreman was passed to the eval() function. An attacker could possibly use this flaw to execute arbitrary code with the privileges of the Foreman user.
Package: foreman (OpenStack Foreman) - Under investigation
Package: foreman (Red Hat Ceph Storage 1.3) - Under investigation
Package: foreman (Red Hat Enterprise Linux OpenStack Platform 6 (Juno) Installer) - Under investigation
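The Red Hat description above says the "variant" value reached eval(). The Ruby sketch below is an added example, not Foreman's code: the class names, variant keys, and the handle helper are hypothetical. It resolves the variant through a fixed allowlist and answers 403 for unknown names, the behaviour shown in the verification output on this page.

```ruby
module TftpDemo
  # Hypothetical implementation classes standing in for the proxy's PXE variants.
  class Syslinux
    def describe; "syslinux"; end
  end

  class Pxegrub
    def describe; "pxegrub"; end
  end

  # Fixed allowlist: the request text selects a key and is never evaluated.
  VARIANTS = { "syslinux" => Syslinux, "pxegrub" => Pxegrub }.freeze
  MAC_RE = /\A\h{2}(:\h{2}){5}\z/

  # Unsafe shape the advisory describes (for contrast only, never executed here):
  #   eval("TftpDemo::" + variant.capitalize).new
  # With that shape the path segment is parsed as Ruby source.

  # Returns an instance for a known variant, or nil for anything else.
  def self.instantiate(variant)
    klass = VARIANTS[variant.to_s]
    klass && klass.new
  end

  # Stand-in for the route handler; returns [status, message].
  def self.handle(path_info)
    _, prefix, variant, mac = path_info.to_s.split("/", 4)
    return [404, "not found"] unless prefix == "tftp"
    impl = instantiate(variant)
    return [403, "unknown TFTP variant"] if impl.nil?
    return [400, "invalid MAC address"] unless MAC_RE.match?(mac.to_s)
    [200, "#{impl.describe} entry for #{mac}"]
  end
end

# Constructed requests; the second path is the one from the verification comment.
if __FILE__ == $PROGRAM_NAME
  ["/tftp/syslinux/aa:bb:cc:dd:ee:ff", "/tftp/ls/aa:bb:cc:dd:ee:ff",
   "/tftp/syslinux;x/aa:bb:cc:dd:ee:ff"].each do |p|
    puts "#{p} -> #{TftpDemo.handle(p).inspect}"
  end
end
```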
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-3728 foreman: Missing input validation in Smart Proxy allows RCE via TFTP file variant parameter
bugzilla·2016-05-05·CVSS 8.8
CVE-2016-3728 [HIGH] CVE-2016-3728 foreman: Missing input validation in Smart Proxy allows RCE via TFTP file variant parameter
It was reported that the TFTP API module in Smart Proxy is vulnerable to remote code execution via the "variant" parameter, which is used to instantiate an implementation class using eval() on user-supplied input.
The service is usually restricted in a default Foreman installation by requiring client SSL certificates and enforcing access to a configured list of trusted hosts, but may also be configured openly. The TFTP module is enabled in a default installation, but may be disabled. Affected versions are 0.2 and higher.
Upstream bug:
http://projects.theforeman.org/issues/14931
Discussion:
Acknowledgments:
Name: the Foreman project
Upstream: Lukas Zapletal (Red Hat)
---
This issue h
Bugzilla
CVE-2016-3728 foreman: Missing input validation in Smart Proxy allows RCE via TFTP file variant parameter
bugzilla·2016-05-05·CVSS 8.8
CVE-2016-3728 [HIGH] CVE-2016-3728 foreman: Missing input validation in Smart Proxy allows RCE via TFTP file variant parameter
Upstream bug component is Capsule
Discussion:
Moving to POST since upstream bug http://projects.theforeman.org/issues/14931 has been closed
---
This will be fixed in 6.3. I am not expecting this to be pulled back into 6.2.z. I am closing this out.
Bugzilla
CVE-2016-3728 foreman: Missing input validation in Smart Proxy allows RCE via TFTP file variant parameter
bugzilla·2016-05-05·CVSS 8.8
CVE-2016-3728 [HIGH] CVE-2016-3728 foreman: Missing input validation in Smart Proxy allows RCE via TFTP file variant parameter
Upstream bug component is Capsule
Discussion:
Moving to POST since upstream bug http://projects.theforeman.org/issues/14931 has been closed
---
Verified on Snap 12.
Attempting to access a nonexistent variant leads to 403 Forbidden with a relevant message:
[root@sat-test-rhel7 foreman]# curl -g http://127.0.0.1:8000/tftp/ls/aa:bb:cc:dd:ee:ff -v
* About to connect() to 127.0.0.1 port 8000 (#0)
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8000 (#0)
> GET /tftp/ls/aa:bb:cc:dd:ee:ff HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:8000
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Content-Type: application/json;charset=utf-8
< Content-Length: 36
< X-Content-Type-Opt
http://projects.theforeman.org/issues/14931
http://theforeman.org/security.html#2016-3728
http://www.openwall.com/lists/oss-security/2016/05/19/2
https://access.redhat.com/errata/RHBA-2016:1501
https://github.com/theforeman/smart-proxy/commit/eef532aa668d656b9d61d9c6edf7c2505f3f43c7