IBM Support

Security Bulletin: IBM Tealeaf CX Passive Capture Application is vulnerable to a remotely exploitable OS command injection and local file inclusion (CVE-2013-6719 and CVE-2013-6720)

Security Bulletin


Summary

IBM Tealeaf CX Passive Capture Application is vulnerable to a remotely exploitable OS command injection and local file inclusion. These vulnerabilities may be exploited to compromise the host system.

Vulnerability Details

Two areas of vulnerability are found in the IBM Tealeaf CX Passive Capture Application (PCA) web console (PHP) Builds 3611 and 3620:

  • RCE (Remote Code Execution)
  • LFI (Local File Inclusion)

    RCE vulnerability: A non-root level user can substitute the command-line parameter with a string of commands and run different commands. PHP code runs at the non-root user level.  This means there are very limited, non-critical operations that can be done.  

    PCA web console access is required to see the vulnerabilities.  If login authentication is enabled, someone needs to bypass the authentication to determine what the exploits are. The PCA web console is also not an externally exposed web application. It is primarily an IT management console that is only used by IT, and possibly the IBM Tealeaf Administrator managing their networks.

    LFI vulnerability: The LFI vulnerability allows for the ability to download files outside of files that are intended to be downloaded for customer support purposes (for example, log files).  Although you are able to change the parameters, you are not able to download any root level files. Therefore, this vulnerability is minimal.

    There are patches available for IBM Tealeaf CX Passive Capture Application Builds 3611 and 3620 to resolve these security vulnerabilities.

    CVEID: CVE-2013-6719
    Description: Remote OS command injection. 
    CVSS Base Score: 6.0
    CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89228 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P) 

    CVEID:
     CVE-2013-6720
    Description: Local File Inclusion. 
    CVSS Base Score: 5.5
    CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89229 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:N)

  • Affected Products and Versions

    IBM Tealeaf Customer Experience v8.0-v8.8

    Remediation/Fixes

    For versions before v8.7, IBM recommends upgrading to a later supported version of the product.

    Workarounds and Mitigations

    None.

    Get Notified about Future Security Bulletins

    References

    Complete CVSS v2 Guide
    On-line Calculator v2

    Related information

    IBM Secure Engineering Web Portal
    IBM Product Security Incident Response Blog

    Acknowledgement

    The vulnerability was reported to IBM by Bryan Alexander of Coalfire Labs.

    Change History

    10 June 2016: Update Fix Central links
    03 February 2014 - Original publish date

    *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

    Disclaimer

    According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

    Document information

    More support for: Tealeaf Customer Experience

    Software version: Version Independent

    Operating system(s): Platform Independent

    Reference #: 1667630

    Modified date: 19 March 2014


    Translate this page: