USP Secure Entry Server up to 4.6.x cookie-check GET Request privileges management
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.1 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as critical, was found in USP Secure Entry Server up to 4.6.x. Affected is an unknown function of the file cookie-check. The manipulation with the input //www.example.com as part of GET Request results in privileges management.
This vulnerability was named CVE-2013-2764. In addition, an exploit is available.
You should upgrade the affected component.
Details
A vulnerability classified as critical has been found in USP Secure Entry Server up to 4.6.x. Affected is some unknown functionality of the file cookie-check. The manipulation with the input value //www.example.com leads to a privileges management vulnerability. CWE is classifying the issue as CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. This is going to have an impact on confidentiality, integrity, and availability. The advisory summarizes:
The USP Secure Entry Server™ protects company networks and business transactions with internet access as a Web application firewall (WAF) and manages access to data and applications.
The bug was discovered 09/06/2012. The weakness was presented 12/18/2013 by Alexandre Herzog with Compass Security Network Computing (CSNC) as CSNC-2013-008 as confirmed mailinglist post (Bugtraq). The advisory is available at seclists.org. The public release was coordinated in cooperation with the vendor. This vulnerability is traded as CVE-2013-2764 since 04/07/2013. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details and a public exploit are known. This vulnerability is assigned to T1068 by the MITRE ATT&CK project. The advisory points out:
The browser doesn't interpret a redirection to //www.hacking-lab.com as being http(s)://[victim]//www.hacking-lab.com, but in fact as a redirection to http(s)://www.hacking-lab.com. This behavior is RFC conform and is well implemented in most current browsers. The client gets therefore redirected to another website by the SES.
A public exploit has been developed by Alexandre Herzog in HTTP Request and been published immediately after the advisory. The exploit is shared for download at seclists.org. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 377 days. During that time the estimated underground price was around $5k-$25k. The code used by the exploit is:
GET //www.hacking-lab.com HTTP/1.1 Host: [victim] User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive
Upgrading to version 4.7.0 eliminates this vulnerability. It is possible to mitigate the problem by applying the configuration setting HSP_AbsoluteRedirects = On. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published even before and not after the disclosure of the vulnerability.
The vulnerability is also documented in the vulnerability database at OSVDB (101159†). Further details are available at stackoverflow.com. If you want to get best quality of vulnerability data, you may have to visit VulDB.
Product
Vendor
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.7VulDB Meta Temp Score: 6.4
VulDB Base Score: 7.3
VulDB Temp Score: 6.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 6.1
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Privileges managementCWE: CWE-269 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Author: Alexandre Herzog
Programming Language: 🔍
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exploit Delay Time: 🔍
Upgrade: Secure Entry Server 4.7.0
Config: HSP_AbsoluteRedirects = On
Timeline
09/06/2012 🔍09/10/2012 🔍
04/07/2013 🔍
09/18/2013 🔍
12/18/2013 🔍
12/18/2013 🔍
12/19/2013 🔍
06/04/2021 🔍
Sources
Advisory: CSNC-2013-008Researcher: Alexandre Herzog
Organization: Compass Security Network Computing (CSNC)
Status: Confirmed
Coordinated: 🔍
CVE: CVE-2013-2764 (🔍)
GCVE (CVE): GCVE-0-2013-2764
GCVE (VulDB): GCVE-100-11538
X-Force: 89853
SecurityFocus: 64422
OSVDB: 101159
scip Labs: https://www.scip.ch/en/?labs.20161013
Misc.: 🔍
Entry
Created: 12/19/2013 15:38Updated: 06/04/2021 13:23
Changes: 12/19/2013 15:38 (68), 08/11/2016 10:53 (2), 06/04/2021 13:17 (4), 06/04/2021 13:23 (18)
Complete: 🔍
Cache ID: 216::103
If you want to get best quality of vulnerability data, you may have to visit VulDB.
No comments yet. Languages: en.
Please log in to comment.