Ixia ATI Update 2019-05 (355204)

Defects Resolved

Ticket Info
DE10303 Every strike has a name attribute defined in its metadata section. Strikes having identical metadata names have been adjusted to bear unique name attributes.
DE10305 Fixed typo in login command packet of Strike D14-37301.
DE10334 When the destination port is changed on a GmailClassic Flow, all the connections simulated under that Flow are updated with that port value and no additional empty connection is created.

New Strikes (14)

CVSS ID References Category Info
10.0 E19-0wae1 CVE-2019-7238
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
URL
Exploits This strike exploits a remote code execution vulnerability in Nexus Repository Manager 3. The vulnerability is due to improper handling of the "value" HTTP parameter when a client sends HTTP traffic to the server. A remote unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests to the target server. Successful exploitation results in remote code execution.
10.0 E19-5or01 CVE-2018-19276
CVSS-10.0 (AV:N/AC:L/AU:N/C:C/I:C/A:C)
EXPLOITDB-46327
Exploits This strike exploits an insecure deserialization via XML payload in OpenMRS's Webservices API module. By exploiting the vulnerability, an unauthenticated attacker might be able to execute system commands in the context of the user running the webserver process.
9.3 E19-0pm31 BID-106097
CVE-2018-8587
CVSS-9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C)
Exploits This strike exploits a buffer overflow vulnerability in Microsoft Outlook client. The vulnerability is due to insufficient validation of the countOfFormNameStringObjects field in an RWZ file. A remote attacker could exploit this vulnerability by enticing a user to import a maliciously crafted file. Successful exploitation could lead to arbitrary code execution in the context of the user.
7.6 E19-0mey3 CVE-2018-4442
CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C)
GOOGLE-1699
Exploits This strike exploits a vulnerability in Apple WebKit. Specifically, an attacker can craft JavaScript that triggers a flaw in GetIndexedPropertyStorage, where garbage collection caused via rope strings can lead to a use-after-free condition. This can cause a denial of service in the browser or potentially allow remote code execution.
7.5 E19-5n6m1 BID-106285
CVE-2018-17246
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
URL
Exploits This strike exploits a remote file inclusion vulnerability in Elasticsearch Kibana. The vulnerability is due to improper sanitization of the "apis" parameter. By successfully exploiting this vulnerability, a remote, unauthenticated attacker could retrieve JavaScript files from the target server. The other file format can be found in a log file on the target server.
7.5 E19-5oj81 BID-106634
CVE-2018-18996
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
ZDI-19-066
Exploits This strike exploits a command injection vulnerability in LAquis SCADA. The NOME parameter in HTTP requests to relatorionome.lhtml is not sanitized for command injection characters. An attacker can send a specially crafted HTTP GET or POST request to achieve command execution on the target machine.
6.8 E19-0vlg1 BID-107106
CVE-2019-6340
CVSS-6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P)
URL
Exploits A remote code execution vulnerability exists in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. The vulnerability is due to the lack of data sanitization originating from non-form sources in the REST module. A remote attacker can exploit this vulnerability by sending a crafted HTTP packet to the target service. Successful exploitation could lead to arbitrary code execution or crash of the vulnerable application.
6.8 E19-5oj41 BID-106634
CVE-2018-18992
CVSS-6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P)
ZDI-19-061
Exploits This strike exploits a command injection vulnerability in LAquis SCADA. The PAGINA parameter in HTTP requests to acompanhamentotela.lhtml and the TITULO parameter in requests to relatorioindividual.lhtml are not sanitized for command injection characters. An attacker can send a specially crafted HTTP GET or POST request to achieve command execution on the target machine.
6.8 E19-5pi21 BID-106948
CVE-2018-20250
CVSS-6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P)
URL
Exploits This strike exploits an input validation vulnerability found in WinRAR. The vulnerability is due to improper input validation while parsing specific header fields from an ACE archive. An attacker could exploit this vulnerability by crafting a special ACE file. A successful exploit could allow the attacker to execute arbitrary commands on the target system.
6.5 E19-0xlq1 BID-107088
CVE-2019-8942
CVSS-6.5 (AV:N/AC:L/AU:S/C:P/I:P/A:P)
EXPLOITDB-46511
URL
Exploits This strike exploits a local file inclusion vulnerability in the WordPress platform, leveraged beforehand by a path traversal via the '_wp_attached_file' parameter. By supplying a '_wp_page_template' metadata parameter, the attacker causes the theme engine to include a malicious uploaded file. By exploiting this vulnerability, an authenticated attacker gains remote code execution on the target host system.
6.5 E19-5pqk1 CVE-2018-20556
CVSS-6.5 (AV:N/AC:L/AU:S/C:P/I:P/A:P)
EXPLOITDB-46377
Exploits This strike exploits a SQL injection vulnerability in the WordPress Booking Calendar plugin 8.4.3. The vulnerability is due to improper sanitization of the booking_id parameter. By successfully exploiting this vulnerability, an authenticated attacker could perform SQL injection on the target server.
4.3 E19-0r6g2 BID-106867
CVE-2019-0616
CVSS-4.3 (AV:N/AC:M/AU:N/C:P/I:N/A:N)
URL
ZDI-19-191
Exploits This strike exploits an information disclosure vulnerability in the GDI (Graphics Device Interface) components of Microsoft Windows. The vulnerability is due to improper handling of EMF records in memory by the 'gdiplus.dll' library. The vulnerability can be exploited by crafting a malicious EMF file and enticing a user to download and open it. Successful exploitation may result in execution of arbitrary code with user privileges.
4.0 E19-0zvz1 BID-107089
CVE-2019-8943
CVSS-4.0 (AV:N/AC:L/AU:S/C:N/I:P/A:N)
EXPLOITDB-46511
URL
Exploits This strike emulates a path traversal attack on the WordPress CMS platform. The attack can be carried out by a low-privileged user by providing a '_wp_attached_file' parameter when editing media files, thus modifying post metadata. By combining this vulnerability with a local file inclusion exploit, an attacker may gain code execution on the host system.
4.0 E19-5pa81 CVE-2018-19968
CVSS-4.0 (AV:N/AC:L/AU:S/C:P/I:N/A:N)
Exploits This strike exploits a remote file inclusion vulnerability in phpMyAdmin. The vulnerability is due to an improper filter combined with the ability to execute a SQL statement. By successfully exploiting this vulnerability, a remote, authenticated attacker could retrieve arbitrary files from the target server.

Modified Strikes (4)

CVSS ID References Category Info
7.5 E18-0jyu1 CVE-2018-1270
CVSS-7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
BID-103696
URL
Exploits Removed the variant which exemplifies the RCE by starting a 'nc' listener on the remote vulnerable server, since that usually requires some privileges.
7.5 E18-8vo51 CVE-2018-1000533
CVSS-7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOITDB-44993
URL
Exploits Fixed duplicate HTTP 'Connection: keep-alive' header.
5.0 D14-37301 CVE-2014-0255
CVSS-5.0 (AV:N/AC:L/AU:N/C:N/I:N/A:P)
BID-67280
Exploits Fixed typo in login command packet of Strike D14-37301.
5.0 E02-09101 CVE-2002-0325
CVSS-5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
BID-4179
URL
Exploits Strike E02-09101 was modified to add a forward slash to the URI.