Webwasher Denial of Service Vulnerability

2008.04.16
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-noinfo


Ogólna skala CVSS: 7.1/10
Znaczenie: 6.9/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Brak
Wpływ na integralność: Brak
Wpływ na dostępność: Pełny

Credit: The disclosure of this issue has been credited to National Australia Bank Security Assurance. Vulnerable: Secure Computing Webwasher 6.6.3 build 3102 and older versions running on CGLinux 4/5, RHEL 4, Debian 4, SLES10 Not vulnerable: Secure Computing Webwasher Builds 3150 and newer (all platforms) Webwasher (all versions) for Windows Webwasher (all versions) for Solaris Webwasher (all versions) for some Linux (RHEL 3, SLES8, SLES9, Debian 3) Webwasher 5.3 appliances (running CGLinux 3.x) DISCUSSION Due to a change in the behavior of newer Linux systems, we have become aware that a Denial of Service attack can be launched against Webwasher running on Linux based operating systems which will freeze the Webwasher service. If this happens, Webwasher becomes unable to handle any request until the Webwasher service is restarted. The attack can be initiated by an internal user sending a specially crafted URL to Webwasher. It could also be exploited by an external attacker by redirecting proxy users to the exploit URL. Who is affected? Users of all Webwasher appliances version 6.x (CGLinux 4 or 5): ?If not running current version of Webwasher software but build numbers prior to 3150 Users of Webwasher software versions ?If running on RedHat Enterprise Linux 4, Debian Linux 4 or Linux Suse Linue 10 ?And if not running current version of Webwasher software but build numbers prior to 3150 Who is not affected? ?All Webwasher installations on current versions ? build numbers 3150 or newer ?Webwasher Software customers on Windows, Solaris, Linux RedHat Enterprise 3, Linux Suse 8 and 9, Debian 3.1 and Webwasher appliances running with CGLinux 3.x are not affected. EXPLOIT A special handcrafted URL has to be sent to Webwasher on the affected Linux systems which will then freeze the application. National Australia Bank Security Assurance has provided an undisclosed proof of concept. SOLUTION The vendor has released Webwasher versions to address this: ?Webwasher 6.6.3 build 3150 ?Webwasher 5.3.0 build 3159 Both are available at: https://extranet.webwasher.com/download/csm/index.html Webwasher appliances can be upgraded automatically via the GUI


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top