
CERT Coordination Center

Attachmate Verastream Host Integrator (VHI) allows arbitrary file upload and execution

Vulnerability Note VU#436214

Original Release Date: 2013-11-04 | Last Revised: 2013-11-19

Overview

The Attachmate Verastream Host Integrator (VHI) is vulnerable to arbitrary file uploads and execution.

Description

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2013-3626

The Attachmate VHI Session Server, on all platforms, allows unauthenticated remote attackers to write arbitrary files on the machine on which the product is installed by sending a specially crafted message to the VHI Session Server. The affected versions are:

    • 7.5 SP 1 HF 1
    • 7.5 SP 1
    • 7.5
    • 7.1 SP 2 HF 1 - 6
    • 7.1 SP 2
    • 7.1 SP 1
    • 7.1
    • 7.0
    • 6.6
    • 6.5
    • 6.0

Impact

An attacker may be able to gain complete control of the server on which the application is installed.

Solution

Apply a Hotfix

Attachmate has released a hotfix to address this issue while a patch is being developed. The hotfix can be found at: http://support.attachmate.com/techdocs/2700.html

Vendor Information


Attachmate

Notified:  October 02, 2013 Updated:  October 10, 2013

Status

  Affected

Vendor Statement

A hotfix is available at: http://support.attachmate.com/techdocs/2700.html

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group          Score  Vector
Base           9.3    AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal       7.5    E:POC/RL:TF/RC:C
Environmental  1.9    CDP:N/TD:L/CR:ND/IR:ND/AR:ND
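
As an added example (not part of the CERT/CC note), the Python below recomputes the three scores above from their vectors using the CVSS v2 equations; the function names are this example's own. It shows that the Environmental 1.9 is the temporal score scaled by the TD:L weight of 0.25, so it reflects the assumed target distribution rather than a lower severity.

```python
from decimal import Decimal, ROUND_HALF_UP

CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}
# Metric weights from the CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": CIA, "I": CIA, "A": CIA,
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.9, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.9, "UR": 0.95, "C": 1.0, "ND": 1.0},
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR": REQ, "IR": REQ, "AR": REQ,
}

def round1(x):
    """Round half up to one decimal, as the CVSS v2 equations require."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), ROUND_HALF_UP))

def parse(vector):
    """Turn 'AV:N/AC:M/...' into {metric: weight}; unknown names raise KeyError."""
    out = {}
    for part in vector.split("/"):
        name, value = part.split(":")
        out[name] = WEIGHTS[name][value]
    return out

def base_score(m, adjusted=False):
    """Base equation; adjusted=True applies CR/IR/AR and caps impact at 10."""
    req = (m["CR"], m["IR"], m["AR"]) if adjusted else (1.0, 1.0, 1.0)
    impact = 10.41 * (1 - (1 - m["C"] * req[0]) * (1 - m["I"] * req[1])
                      * (1 - m["A"] * req[2]))
    if adjusted:
        impact = min(10.0, impact)
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f)

def scores(base_vec, temporal_vec, env_vec):
    """Return (base, temporal, environmental) for the three vector strings."""
    m = parse("/".join((base_vec, temporal_vec, env_vec)))
    t = m["E"] * m["RL"] * m["RC"]
    base = base_score(m)
    temporal = round1(base * t)
    adj_temporal = round1(base_score(m, adjusted=True) * t)
    env = round1((adj_temporal + (10 - adj_temporal) * m["CDP"]) * m["TD"])
    return base, temporal, env

# Vectors copied from this note's CVSS Metrics table.
NOTE_SCORES = scores("AV:N/AC:M/Au:N/C:C/I:C/A:C", "E:POC/RL:TF/RC:C",
                     "CDP:N/TD:L/CR:ND/IR:ND/AR:ND")
```

Sites where the product is widely deployed can substitute their own TD value in the environmental vector to see the score that applies to them.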

References

Acknowledgements

Thanks to Arnold Geels of Attachmate for reporting this vulnerability.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2013-3626
Date Public: 2013-11-04
Date First Published: 2013-11-04
Date Last Updated: 2013-11-19 22:40 UTC
Document Revision: 12

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.