Vulnerability CVE-2013-2296 - CERT Civis.Net

Vulnerability Name:

CVE-2013-2296 (CCN-83625)

Assigned:

2013-04-16

Published:

2013-04-16

Updated:

2013-09-18

Summary:

Walrus in Eucalyptus before 3.2.2 does not verify authorization for the GetBucketLoggingStatus, SetBucketLoggingStatus, and SetBucketVersioningStatus bucket operations, which allows remote authenticated users to bypass intended restrictions on (1) modifying the logging setting, (2) modifying the versioning setting, or (3) accessing activity logs via a request.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
4.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2013-2296

Source: CCN
Type: SA53103
Eucalyptus Security Bypass Security Issue and Denial of Service Vulnerability

Source: CCN
Type: ESA-10
Missing Authorization Vulnerability in Walrus

Source: CONFIRM
Type: Vendor Advisory
http://www.eucalyptus.com/resources/security/advisories/esa-10

Source: CCN
Type: BID-59269
Eucalyptus Walrus CVE-2013-2296 Security Bypass Vulnerability

Source: CONFIRM
Type: Vendor Advisory
https://eucalyptus.atlassian.net/browse/EUCA-3074

Source: XF
Type: UNKNOWN
eucalyptus-cve20132296-sec-bypass(83625)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-2296

Vulnerable Configuration:

Configuration 1:

cpe:/a:eucalyptus:eucalyptus:1.0:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:1.1:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:1.2:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:1.3:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:1.4:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:1.5.1:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:1.5.2:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:1.6:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:1.6.2:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:2.0:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:2.0.0:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:2.0.3:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:3.0:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:3.0.1:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:3.1.0:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:3.1.1:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:3.1.2:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:3.2.0:*:*:*:*:*:*:*

OR cpe:/a:eucalyptus:eucalyptus:*:*:*:*:*:*:*:* (Version <= 3.2.1)

Configuration CCN 1:

cpe:/a:eucalyptus:eucalyptus:3.2.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.precise:def:20132296000	V	CVE-2013-2296 on Ubuntu 12.04 LTS (precise) - medium.	2013-09-17