Summary
The remote GSM Manager is prone to an authentication bypass.
Impact
Attackers can exploit this issue to gain unauthorized access to the affected application and perform certain actions.
Solution
Upgrade to at least Greenbone OS 2.2.0-20.
Temporary workaround: Disable public OMP.
Insight
A software bug in the server module 'OVS Manager' allowed the OMP authentication procedure to be bypassed. The attack vector is remotely reachable when public OMP is enabled.
If the attack succeeds, the attacker gains partial rights to execute OMP commands. The authentication bypass is, however, incomplete, and several OMP commands will fail to execute properly.
Affected
Greenbone OS 2.2.0-1 up to 2.2.0-19 when public OMP is enabled.
Detection
If public OMP is enabled, try to bypass OMP authentication by sending a specially crafted request.
If public OMP is not enabled, check the GOS version.
References
Updated on 2015-03-25
Severity
Classification
- CVE: CVE-2013-6765
- CVSS Base Score: 7.5
- CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P