Symantec LiveUpdate up to 2.3.2 lua/forcepasswd.do credentials management
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.7 | $0-$5k | 0.00 |
Summary
A vulnerability rated critical has been found in Symantec LiveUpdate up to 2.3.2. It affects unknown code in the file lua/forcepasswd.do, and manipulation results in a credentials management weakness. The vulnerability is tracked as CVE-2014-1644. The attack has to be launched from within the local network. No exploit is available. Applying a patch is advised to correct the issue.
Details
A vulnerability classified as critical has been found in Symantec LiveUpdate up to 2.3.2. Affected is an unknown part of the file lua/forcepasswd.do. Manipulation with an unknown input leads to a credentials management vulnerability, which CWE classifies as CWE-255. It impacts confidentiality, integrity, and availability. The CVE summary reads:
The forgotten-password feature in forcepasswd.do in the management GUI in Symantec LiveUpdate Administrator (LUA) 2.x before 2.3.2.110 allows remote attackers to reset arbitrary passwords by providing the e-mail address associated with a user account.
The weakness was disclosed on 03/27/2014 by Stefan Viehböck of SEC Consult Vulnerability Lab as SYM14-005, a confirmed advisory (website). The advisory is available for download at symantec.com. The public release was coordinated with the vendor. The vulnerability has been tracked as CVE-2014-1644 since 01/23/2014. The attack has to be carried out within the local network and requires no authentication. Technical details are known, but no exploit is available. The MITRE ATT&CK project lists the attack technique as T1552.
The vulnerability scanner Nessus provides a plugin with the ID 73275 (Symantec LiveUpdate Administrator < 2.3.2.110 Multiple Vulnerabilities (SYM14-005)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family CGI abuses.
Upgrading to version 2.3.2 eliminates this vulnerability. The upgrade is available for download at symantec.com. Applying a patch also eliminates the problem, and patching the affected component is the recommended mitigation. A possible mitigation was published immediately after the vulnerability was disclosed. Attacks of this kind can also be detected and blocked with TippingPoint filter 13996.
The vulnerability is also documented in the databases at X-Force (92118), Tenable (73275), SecurityFocus (BID 66399†), Secunia (SA57659†) and SecurityTracker (ID 1029972†). See VDB-12709 for a similar entry. Once again VulDB remains the best source for vulnerability data.
Product
Website
- Vendor: https://www.symantec.com/
CVSSv3
VulDB Meta Base Score: 8.8
VulDB Meta Temp Score: 7.7
VulDB Base Score: 8.8
VulDB Temp Score: 7.7
Exploiting
Class: Credentials management
CWE: CWE-255
Physical: No
Local: No
Remote: Yes
Status: Unproven
Nessus ID: 73275
Nessus Name: Symantec LiveUpdate Administrator < 2.3.2.110 Multiple Vulnerabilities (SYM14-005)
OpenVAS ID: 801835
OpenVAS Name: Symantec LiveUpdate Administrator Multiple Vulnerabilities
Countermeasures
Recommended: Patch
Upgrade: LiveUpdate 2.3.2
Sources
Vendor: symantec.com
Advisory: SYM14-005
Researcher: Stefan Viehböck
Organization: SEC Consult Vulnerability Lab
Status: Confirmed
CVE: CVE-2014-1644
GCVE (CVE): GCVE-0-2014-1644
GCVE (VulDB): GCVE-100-12708
X-Force: 92118 - Symantec LiveUpdate Administrator forcepasswd.do unauthorized access, High Risk
SecurityFocus: 66399 - Symantec LiveUpdate Administrator CVE-2014-1644 Unauthorized Access Vulnerability
Secunia: 57659 - Symantec LiveUpdate Administrator Security Bypass and SQL Injection Vulnerabilities, Less Critical
SecurityTracker: 1029972 - Symantec LiveUpdate Administrator Bugs Let Remote Users Reset Passwords to Arbitrary Values and Inject SQL Commands
Vulnerability Center: 44174 - Symantec LiveUpdate Administrator (LUA) Remote Security Bypass via Account Access Modification, High
Entry
Created: 03/28/2014 09:57
Updated: 06/16/2021 09:36
Changes: 03/28/2014 09:57 (90), 08/09/2017 14:08 (8), 06/16/2021 09:36 (2)