Vulnerability Note VU#505560

Accellion File Transfer Appliance (FTA) contains multiple vulnerabilities

Original Release date: 29 Apr 2016 | Last revised: 29 Apr 2016

Overview

The Accellion File Transfer Appliance (FTA) contains multiple vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

The Accellion File Transfer Appliance (FTA) contains multiple vulnerabilities in versions below FTA_9_12_40.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2016-2350
Accellion File Transfer Appliance versions below FTA_9_12_40 contain three cross-site scripting (XSS) vulnerabilities. An attacker can inject arbitrary HTML content (including script) within the following:

  • move_partition_frame.html
  • getimageajax.php
  • wmInfo.html

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2016-2351
The Accellion File Transfer Appliance contains a SQL injection vulnerability due to improper escaping of the parameter 'client_id' in /home/seos/courier/security_key2.api, allowing an attacker to inject arbitrary SQL via 'client_id' and recover private data.
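The following is an added illustration of the CWE-89 pattern described above; it is constructed for this note and is not code from the Accellion FTA. The table name, column names, the sample rows and the lookup functions are assumptions; the only detail taken from the advisory is that a parameter named client_id reached an SQL query without proper escaping. It shows the unsafe string-splicing form beside the parameterized form, and what a tautology in client_id does to each.

```python
"""Constructed demonstration of SQL injection through an unescaped client_id
parameter (CWE-89). Not the appliance's code: schema, data and function
names are assumptions made for this example."""
import sqlite3


def build_db():
    """Create an in-memory database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (client_id TEXT, security_key TEXT)")
    conn.executemany(
        "INSERT INTO clients VALUES (?, ?)",
        [("alice", "key-A1"), ("bob", "key-B2"), ("carol", "key-C3")],
    )
    return conn


def lookup_key_vulnerable(conn, client_id):
    """Vulnerable pattern: client_id is spliced into the SQL text, so any
    quote or operator it contains is parsed as part of the query."""
    sql = "SELECT security_key FROM clients WHERE client_id = '%s'" % client_id
    return [row[0] for row in conn.execute(sql)]


def lookup_key_fixed(conn, client_id):
    """Hardened pattern: client_id is passed as a bound parameter and is
    only ever compared as data, never parsed as SQL."""
    sql = "SELECT security_key FROM clients WHERE client_id = ?"
    return [row[0] for row in conn.execute(sql, (client_id,))]


def demo():
    """Run both lookups with a benign and a hostile client_id value."""
    conn = build_db()
    benign = "alice"
    # A tautology in client_id turns the single-row lookup into a dump of
    # every client's key when the value is spliced into the query text.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_key_vulnerable(conn, benign),
        "vuln_hostile": lookup_key_vulnerable(conn, hostile),
        "fixed_benign": lookup_key_fixed(conn, benign),
        "fixed_hostile": lookup_key_fixed(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns every key for the hostile value, while the parameterized lookup returns nothing because no client_id literally equals the injected string.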

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') - CVE-2016-2352
The Accellion File Transfer Appliance is vulnerable to command injection due to unsafe handling of restricted users utilizing the YUM_CLIENT. This allows a restricted user to execute arbitrary commands with root privileges.

CWE-276: Incorrect Default Permissions - CVE-2016-2353
The Accellion File Transfer Appliance is vulnerable to local privilege escalation due to a misconfiguration. By default, the appliance allows a restricted user to add their SSH key to an alternate user group with additional permissions.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system and view sensitive data.

Solution

Apply an update

Affected users should update to version FTA_9_12_40 or later as soon as possible.

Vendor Information

No information available.

CVSS Metrics

Group          Score  Vector (CVSS v2)
Base           7.5    AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal       5.9    E:POC/RL:OF/RC:ND
Environmental  4.4    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to Orange Tsai for reporting these vulnerabilities.

This document was written by Deana Shick.
