CVE-2011-0018 in OpenVAS Managerinfo

Summary

by MITRE

The email function in manage_sql.c in OpenVAS Manager 1.0.x through 1.0.3 and 2.0.x through 2.0rc2 allows remote authenticated users to execute arbitrary commands via the (1) To or (2) From e-mail address in an OMP request to the Greenbone Security Assistant (GSA).

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 09/03/2024

The vulnerability described in CVE-2011-0018 represents a critical command injection flaw within the OpenVAS Manager authentication system, specifically affecting versions 1.0.x through 1.0.3 and 2.0.x through 2.0rc2. This issue resides in the manage_sql.c file within the Greenbone Security Assistant framework, where the email function fails to properly sanitize user input parameters. The vulnerability manifests when authenticated users submit maliciously crafted OMP requests containing specially formatted email addresses in either the To or From fields, enabling attackers to inject and execute arbitrary system commands on the target server.

The technical exploitation of this vulnerability follows a command injection pattern that aligns with CWE-77 and CWE-94, where untrusted data flows directly into system command execution contexts without proper input validation or sanitization. When the OpenVAS Manager processes these malformed email addresses, the application fails to properly escape or filter special characters that could be interpreted by the underlying operating system shell. This allows an authenticated attacker to leverage the email processing functionality as a conduit for arbitrary code execution, potentially gaining full control over the vulnerable system.

The operational impact of this vulnerability extends beyond simple privilege escalation, as it enables remote authenticated attackers to execute arbitrary commands with the privileges of the OpenVAS Manager service account. This could result in complete system compromise, data exfiltration, or the establishment of persistent backdoors within network security infrastructure. The vulnerability affects organizations relying on OpenVAS for vulnerability management and security assessment, potentially compromising their entire security monitoring ecosystem. Attackers could leverage this flaw to escalate privileges, install malware, or use the compromised system as a launch point for further attacks within the network.

Mitigation strategies for CVE-2011-0018 should prioritize immediate patching of affected OpenVAS Manager versions to the latest stable releases that contain proper input sanitization. Organizations should implement network segmentation to limit access to the OpenVAS Manager service, restrict authentication to trusted users only, and monitor for suspicious email address patterns in OMP requests. Additionally, deploying web application firewalls and implementing proper input validation controls can help detect and prevent exploitation attempts. The vulnerability demonstrates the importance of following secure coding practices and adheres to ATT&CK technique T1059.001 for command and scripting interpreters, highlighting how authentication bypasses can lead to arbitrary code execution in security tools. Organizations should also consider implementing principle of least privilege for the OpenVAS Manager service account and regularly audit system access logs for unusual command execution patterns that may indicate exploitation attempts.

Reservation

12/07/2010

Disclosure

01/28/2011

Moderation

accepted

Entry

VDB-56245

CPE

ready

Exploit

Download

EPSS

0.09266

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!