CVE-2019-17134
Published 2019-10-08
CVE-2019-17134: Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based…
Priority P2 · 61 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 2.30% (81.1th percentile)
Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.
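The following is an added example, not code from the Octavia project or from any of the advisories quoted on this page. It checks the one property the description names: whether the amphora-agent's TLS listener on port 9443 answers an HTTP request from a client that presents no certificate at all. It assumes the default agent port and that it is run from a host that can reach the management network; the target address, the optional CA file and the bare `GET /` request are illustrative, and the probe touches nothing beyond that one request.

```python
"""Policy check for the amphora-agent TLS listener: does it answer HTTP to a client that
presents no certificate?  Added example, not Octavia code."""
import socket
import ssl
from typing import Optional

AGENT_PORT = 9443  # port https/9443 from the advisory


def classify_agent_reply(data: bytes) -> str:
    """Interpret what came back after a GET sent over a TLS session with no client cert.

    'accepted'      - an HTTP status line came back: the agent served a request from an
                      unauthenticated client (the CVE-2019-17134 behaviour)
    'no_http_reply' - the session ended without an HTTP answer (what CERT_REQUIRED gives)
    """
    return "accepted" if data.startswith(b"HTTP/") else "no_http_reply"


def probe_without_client_cert(host: str, port: int = AGENT_PORT,
                              ca_file: Optional[str] = None, timeout: float = 5.0) -> str:
    """Open a TLS session to host:port WITHOUT a client certificate, send a bare HTTP
    request and classify the outcome: 'accepted', 'rejected' (TLS alert, i.e. the server
    enforced CERT_REQUIRED), 'no_http_reply', or 'connection_error' (inconclusive)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Amphora server certificates are not issued for the address we connect to, so hostname
    # matching is off either way. With a CA file we still verify the server chain; without
    # one we verify nothing, because the probe is about the server's policy, not its identity.
    ctx.check_hostname = False
    if ca_file:
        ctx.load_verify_locations(ca_file)
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        ctx.verify_mode = ssl.CERT_NONE
    # Deliberately no ctx.load_cert_chain(): this client offers no certificate.
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # Under TLS 1.2 a CERT_REQUIRED server aborts the handshake, so wrap_socket
                # already raises. Under TLS 1.3 the client's (missing) certificate is judged
                # after the handshake from the client's point of view and the alert arrives on
                # the first read, so always send and read before deciding anything.
                tls.sendall(request)
                data = tls.recv(4096)
    except ssl.SSLError:
        return "rejected"
    except OSError:
        return "connection_error"
    return classify_agent_reply(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # placeholder target
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(f"{target}:{AGENT_PORT} -> {probe_without_client_cert(target, ca_file=ca)}")
```

A result of `accepted` means the listener is running with the CVE-2019-17134 behaviour (a client certificate is optional); `rejected` is what a correctly configured agent returns. `connection_error` covers refused or reset connections and timeouts and should be treated as inconclusive rather than as either outcome.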
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | octavia | < 4.0.0-6 (bookworm) | 4.0.0-6 (bookworm) |
| opendev | octavia | >= 0.10.0 < 2.1.2 | 2.1.2 |
| opendev | octavia | >= 3.0.0 < 3.2.0 | 3.2.0 |
| opendev | octavia | >= 4.0.0 < 4.1.0 | 4.1.0 |
| openstack | octavia | >= 0 < 4.0.0-6 (Debian package version) | 4.0.0-6 |
| openstack | octavia | >= 0.10.0 < 2.1.2 | 2.1.2 |
| openstack | octavia | >= 3.0.0 < 3.2.0 | 3.2.0 |
| openstack | octavia | >= 4.0.0 < 4.1.0 | 4.1.0 |
Detection & IOCs (extracted from sources)
- Monitor for TLS connections to the Octavia amphora-agent on port 9443 from the management network that carry no client certificate and are nonetheless answered with HTTP. The agent is supposed to require mutual TLS; the misconfiguration lets such plain requests through.
- The root cause is gunicorn's cert_reqs set to the boolean True instead of ssl.CERT_REQUIRED. In Python's ssl module CERT_NONE, CERT_OPTIONAL and CERT_REQUIRED are the integers 0, 1 and 2, and True == 1, so the agent was running with CERT_OPTIONAL: a client certificate was verified only when one was offered, and a client that offered none was accepted. Audit amphora-agent configurations for any cert_reqs value other than ssl.CERT_REQUIRED to identify vulnerable deployments.
- Affected versions are Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0 and >=4.0.0 <4.1.0. The vulnerable code runs inside the amphora image, so version detection has to cover the amphora-agent in the images and in the amphorae actually running, not only the control-plane package.
- Scope exploitation attempts to the management network; lateral movement or reconnaissance from within that segment targeting port 9443 without presenting a client certificate is a strong indicator of exploitation.
- The vulnerability is a misconfiguration in gunicorn's TLS settings: with cert_reqs set to True, client certificates are NOT actually enforced despite appearing to be configured.
- There is no workaround or mitigation available; the only fix is applying the vendor-supplied updates.
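As an added example (not Octavia's own code, and not taken from any advisory on this page), the following shows why the boolean is the wrong value, applies it to a real server-side SSLContext the way gunicorn does and reads back what is enforced, and scans configuration or source text for the setting. The options dict it scans is constructed for the example in the shape of a gunicorn options dict; the file paths in it are placeholders.

```python
"""Why cert_reqs=True is not "require a client certificate", plus a scanner for the setting.
Added example, not Octavia's code."""
import re
import ssl
from typing import List, Tuple

# ssl.VerifyMode is an IntEnum: CERT_NONE == 0, CERT_OPTIONAL == 1, CERT_REQUIRED == 2.
# Python's True is the integer 1, so cert_reqs=True silently selects CERT_OPTIONAL:
# a client certificate is verified when offered, but a client that offers none is accepted.


def effective_verify_mode(cert_reqs) -> ssl.VerifyMode:
    """Return the mode the ssl module actually enforces for a gunicorn-style cert_reqs value."""
    return ssl.VerifyMode(int(cert_reqs))


def requires_client_cert(cert_reqs) -> bool:
    """True only when a client that presents no certificate will be rejected."""
    return effective_verify_mode(cert_reqs) == ssl.CERT_REQUIRED


def verify_mode_seen_by_server(cert_reqs) -> ssl.VerifyMode:
    """Apply the value to a real server-side SSLContext, as gunicorn does, and read it back."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = cert_reqs
    return ctx.verify_mode


# --- static audit of config / source text -------------------------------------------------
# Matches a gunicorn config assignment (cert_reqs = X) as well as a dict entry
# ('cert_reqs': X), the latter being how an options dict is handed to gunicorn.
_CERT_REQS_RE = re.compile(r"""['"]?cert_reqs['"]?\s*[:=]\s*(?P<value>[^,#\n}]+)""")
_ENFORCING = {"ssl.CERT_REQUIRED", "CERT_REQUIRED", "2"}


def audit_cert_reqs(text: str) -> List[Tuple[str, bool]]:
    """Return [(value_as_written, enforces_client_cert), ...] for every cert_reqs in text."""
    findings = []
    for m in _CERT_REQS_RE.finditer(text):
        value = m.group("value").strip()
        findings.append((value, value in _ENFORCING))
    return findings


# Constructed sample in the shape of a gunicorn options dict (not the real agent.py contents;
# paths are placeholders).
VULNERABLE_OPTIONS = """\
options = {
    'bind': '0.0.0.0:9443',
    'certfile': '/etc/octavia/certs/server.pem',
    'ca_certs': '/etc/octavia/certs/client_ca.pem',
    'cert_reqs': True,           # reads like "require", is CERT_OPTIONAL
}
"""
FIXED_OPTIONS = VULNERABLE_OPTIONS.replace("'cert_reqs': True,", "'cert_reqs': ssl.CERT_REQUIRED,")


if __name__ == "__main__":
    for value in (True, ssl.CERT_REQUIRED):
        print(f"cert_reqs={value!r:<32} -> {effective_verify_mode(value).name} "
              f"(server context enforces {verify_mode_seen_by_server(value).name})")
    for label, text in (("vulnerable", VULNERABLE_OPTIONS), ("fixed", FIXED_OPTIONS)):
        print(label, audit_cert_reqs(text))
```

The scanner is deliberately strict: anything other than `ssl.CERT_REQUIRED` (or its literal value 2) is reported as non-enforcing, which also catches `1`, `CERT_OPTIONAL` and `True`. Run it over the amphora-agent entry point and any gunicorn config shipped in the amphora image, since that is where the setting lives.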
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| osv | — | 9.1 | CRITICAL | — |
| vendor_debian | — | 9.1 | CRITICAL | — |
| vendor_redhat | — | 9.1 | CRITICAL | — |
GHSA
OpenStack Octavia Amphora-Agent not requiring Client-Certificate
ghsa·2022-05-24
CVE-2019-17134 [CRITICAL] CWE-287 OpenStack Octavia Amphora-Agent not requiring Client-Certificate
Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the `cmd/agent.py` gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.
OSV
OpenStack Octavia Amphora-Agent not requiring Client-Certificate
osv·2022-05-24
CVE-2019-17134 [CRITICAL] OpenStack Octavia Amphora-Agent not requiring Client-Certificate
Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the `cmd/agent.py` gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.
OSV
CVE-2019-17134: Amphora Images in OpenStack Octavia >=0
osv·2019-10-08·CVSS 9.1
CVE-2019-17134 [CRITICAL] CVE-2019-17134: Amphora Images in OpenStack Octavia >=0
Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.
Ubuntu
Octavia vulnerability
vendor_ubuntu·2019-10-10
CVE-2019-17134 Octavia vulnerability
Summary: Octavia could allow unintended access to network services.
Daniel Preussker discovered that Octavia incorrectly handled client certificate checking. A remote attacker on the management network could possibly use this issue to perform configuration changes and obtain sensitive information.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
openstack-octavia: amphora-agent not requiring client certificate
vendor_redhat·2019-10-08·CVSS 9.1
CVE-2019-17134 [CRITICAL] CWE-295 openstack-octavia: amphora-agent not requiring client certificate
Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.
A certificate-validation error has been found in Octavia's amphora-agent, where an attacker with management-network access could bypass an amphora's client-certificate based authentication. Because the agent's HTTP server (gunicorn) had 'cert_reqs' set to 'True' instead of 'ssl.CERT_REQUIRED', information could be retrieved or configuration update
Debian
CVE-2019-17134: octavia - Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4....
vendor_debian·2019·CVSS 9.1
CVE-2019-17134 [CRITICAL] CVE-2019-17134: octavia - Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4....
Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.
Scope: local
| Suite | Status |
|---|---|
| bookworm | resolved (fixed in 4.0.0-6) |
| bullseye | resolved (fixed in 4.0.0-6) |
| forky | resolved (fixed in 4.0.0-6) |
| sid | resolved (fixed in 4.0.0-6) |
| trixie | resolved (fixed in 4.0.0-6) |
No detection rules found.
Exploit-DB
None of the Exploit-DB entries attached to this page is for CVE-2019-17134. The four that were attached (CVE-2018-8413, Microsoft Windows 10 Theme API 'ThemePack' file parsing; CVE-2019-19731, Roxy Fileman 1.4.5 directory traversal; CVE-2019-1019, Windows 10.0.17134.648 HTTP -> SMB NTLM reflection; CVE-2019-6453, mIRC < 7.55 custom URI protocol handler command execution) match only because their headers mention Windows 10 build 17134 or Edge 42.17134 as the tested platform; they have no relation to OpenStack Octavia or to this vulnerability.
References
- https://access.redhat.com/errata/RHSA-2019:3743
- https://access.redhat.com/errata/RHSA-2019:3788
- https://access.redhat.com/errata/RHSA-2020:0721
- https://review.opendev.org/686541
- https://review.opendev.org/686543
- https://review.opendev.org/686544
- https://review.opendev.org/686545
- https://review.opendev.org/686546
- https://review.opendev.org/686547
- https://security.openstack.org/ossa/OSSA-2019-005.html
- https://storyboard.openstack.org/#%21/story/2006660
- https://usn.ubuntu.com/4153-1/
Published: 2019-10-08