LISTSERV Maestro 9.0-8 Remote Code Execution

2020.10.21
Credit: b0yd
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-917


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Document Title: =============== LISTSERV Maestro Remote Code Execution Vulnerability References (Source): ==================== https://www.securifera.com/advisories/sec-2020-0001/ https://www.lsoft.com/products/maestro.asp Release Date: ============= 2020-10-20 Product & Service Introduction: =============================== LISTSERV Maestro is an enterprise email marketing solution and allows you to easily engage your subscribers with targeted, intelligence-based opt-in campaigns. It offers easy tracking, reporting and list segmentation in a complete email marketing and analytics package. Vulnerability Information: ============================== Class: CWE-917 : Expression Language (EL) Injection Impact: Remote Code Execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2010-1870 Vulnerability Description: ============================== A unauthenticated remote code execution vulnerability was found in the LISTSERV Maestro software, version 9.0-8 and prior. This vulnerability stems from a known issue in struts, CVE-2010-1870, that allows for code execution via OGNL Injection. This vulnerability has been confirmed to be exploitable in both the Windows and Linux version of the software and has existed in the LISTSERV Maestro software since at least version 8.1-5. As a result, a specially crafted HTTP request can be constructed that executes code in the context of the web application. Exploitation of this vulnerability does not require authentication and can lead to root level privilege on any system running the LISTServ Maestro services. Vulnerability Disclosure Timeline: ================================== 2020-10-12: Contact Vendor and Request Security Contact Info From Support Team 2020-10-12: Report Vulnerability Information to Vendor 2020-10-12: Vendor Confirms Submission 2020-10-13: Vendor Releases Patch 2020-10-13: Securifera Confirms With Vendor that the Patch Mitigates CVE-2010-1870 but suggest upgrading vulnerable struts library 2020-10-15: Vendor Approves Public Disclosure Affected Product(s): ==================== LISTSERV Maestro 9.0-8 and prior Severity Level: =============== High Proof of Concept (PoC): ======================= A proof of concept will not be provided at this time. Solution - Fix & Patch: ======================= Temporary patch: https://dropbox.lsoft.us/download/LMA9.0-8-patch-2020-10-13.zip Security Risk: ============== The security risk of this remote code execution vulnerability is estimated as high. (CVSS 10.0) Credits & Authors: ================== Securifera, Inc - b0yd (@rwincey) Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Securifera disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Securifera is not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Securifera or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, or hack into any systems. Domains: www.securifera.com Contact: contact [at] securifera [dot] com Social: twitter.com/securifera Copyright C 2020 | Securifera, Inc


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top