search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Accellion File Transfer Appliance (FTA) contains multiple vulnerabilities

Vulnerability Note VU#505560

Original Release Date: 2016-04-29 | Last Revised: 2016-04-29

Overview

The Accellion File Transfer Appliance (FTA) contains multiple vulnerabilites that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

The Accellion File Transfer appliance contains multiple vulnerabilities in versions below FTA_9_12_40.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2016-2350
The Accellion File Transfer Appliance versions below contains three cross-site scripting (XSS) vulnerabilities. An attacker can inject arbitrary HTML content (including script) within the following:

    • move_partition_frame.html
    • getimageajax.php
    • wmInfo.html

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2016-2351
The Accellion File Transfer Appliance contains a SQL injection vulnerability due to improper escaping of the parameter 𠆌lient_id’ in `/home/seos/courier/security_key2.api, allowing an attacker to inject arbitrary code in 𠆌lient_id,” and recover private data.

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')- CVE-2016-2352
The Accellion File Transfer Appliance is vulnerable to command injection due to unsafe handling of restricted users utilizing the YUM_CLIENT. This allows a restricted user to execute any command via root permission.

CWE-276: Incorrect Default Permissions - CVE-2016-2353
The Accellion File Transfer Appliance is vulnerable to local privilege escalation due to a misconfiguration. By default, the appliance allows a restricted user to add their SSH key to an alternate user group with additional permissions.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system and view sensitive data

Solution

Apply an update

Affected uses should update to version FTA_9_12_40 as soon as possible.

Vendor Information

No information available at this time.


CVSS Metrics

Group Score Vector
Base 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal 5.9 E:POC/RL:OF/RC:ND
Environmental 4.4 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Orange Tsai for reporting these vulnerabilities

This document was written by Deana Shick.

Other Information

CVE IDs: CVE-2016-2350, CVE-2016-2351, CVE-2016-2352, CVE-2016-2353
Date Public: 2016-04-21
Date First Published: 2016-04-29
Date Last Updated: 2016-04-29 19:44 UTC
Document Revision: 19

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.