search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Novell ZENworks Asset Management 7.5 web console information disclosure vulnerability

Vulnerability Note VU#332412

Original Release Date: 2012-10-15 | Last Revised: 2012-11-01

Overview

The web console for Novell ZENworks Asset Management 7.5 contains an information disclosure vulnerability. This vulnerability allows a remote attacker to read any file with SYSTEM privileges and retrieve configuration parameters from ZENworks Asset Management.

Description

The Novell ZENworks Asset Management web console is provided as a Java web application named rtrlet. Two HandleMaintenanceCalls, GetFile_Password and GetConfigInfo_Password have hard-coded credentials. GetFile_Password allows access to any file on the filesystem and GetConfigInfo_Password allows access to ZENworks Asset Management configuration parameters along with the back-end system's credentials.

A full technical analysis of the vulnerability is available on Rapid7's blog post entitled "New 0day Exploit: Novell ZENworks CVE-2012-4933 Vulnerability" and Metasploit exploit modules are publicly available.

Impact

A remote unauthenticated attacker may read any file accessible with SYSTEM privileges and retrieve configuration parameters from ZENworks Asset Management.

Solution

Apply an Update

Novell has released a patch to address this vulnerability. Follow the below steps to apply the patch on a ZAM 7.5 Server.

    1. Stop the ZAM services from the service manager
    2. Take a backup of the existing rtrlet.war found in your ZAM 7.5's Tomcat directory.
    3. Delete the rtrlet directory under Tomcat5\webapps\
    4. Replace the rtrlet.war Tomcat5\webapps\ with the one distributed with this patch.
    5. Start the ZAM 7.5 services.

    If you cannot patch, please consider the following workarounds.

    Restrict Access

    Appropriate firewall rules should be put in place so only trusted users can access the web interface.

    Vendor Information

    332412
     
    Affected   Unknown   Unaffected

    Novell, Inc.

    Notified:  September 13, 2012 Updated:  October 15, 2012

    Status

      Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.


    CVSS Metrics

    Group Score Vector
    Base 8.5 AV:N/AC:L/Au:N/C:C/I:P/A:N
    Temporal 8.1 E:H/RL:W/RC:C
    Environmental 6.1 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

    References

    Credit

    Thanks to Juan Vazquez for reporting this vulnerability.

    This document was written by Jared Allar.

    Other Information

    CVE IDs: CVE-2012-4933
    Date Public: 2012-10-15
    Date First Published: 2012-10-15
    Date Last Updated: 2012-11-01 16:58 UTC
    Document Revision: 20

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.