Vulnerability CVE-2019-3800 - CERT Civis.Net

Vulnerability Name:

CVE-2019-3800 (CCN-164895)

Assigned:

2019-07-18

Published:

2019-07-18

Updated:

2019-10-09

Summary:

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.

CVSS v3 Severity:

7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

CVSS v2 Severity:

2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2019-3800

Source: XF
Type: UNKNOWN
pivotal-cve20193800-info-disc(164895)

Source: CCN
Type: Pivotal Web site
CVE-2019-3800: CF CLI writes the client id and secret to config file

Source: CONFIRM
Type: Vendor Advisory
https://pivotal.io/security/cve-2019-3800

Source: CONFIRM
Type: Vendor Advisory
https://www.cloudfoundry.org/blog/cve-2019-3800

Source: CCN
Type: IBM Security Bulletin 1358385 (Cloud CLI)
Vulnerability of Embedded CF CLI In IBM Cloud CLI

Vulnerable Configuration:

Configuration 1:

cpe:/a:pivotal:cloud_foundry_command_line_interface:*:*:*:*:*:*:*:* (Version < 6.45.0)

OR cpe:/a:pivotal:cloud_foundry_command_line_interface_release:*:*:*:*:*:*:*:* (Version < 1.16.0)

OR cpe:/a:pivotal:cloud_foundry_deployment:*:*:*:*:*:*:*:* (Version < 10.0.0)

OR cpe:/a:pivotal:cloud_foundry_deployment_concourse_tasks:*:*:*:*:*:*:*:* (Version < 9.3.0)

OR cpe:/a:pivotal:cloud_foundry_log_cache_release:*:*:*:*:*:*:*:* (Version < 2.3.1)

OR cpe:/a:pivotal:cloud_foundry_networking_release:*:*:*:*:*:*:*:* (Version < 2.23.0)

OR cpe:/a:pivotal:cloud_foundry_notifications:*:*:*:*:*:*:*:* (Version < 58)

OR cpe:/a:pivotal:cloud_foundry_routing_release:*:*:*:*:*:*:*:* (Version < 0.189.0)

OR cpe:/a:pivotal:cloud_foundry_smoke_test:*:*:*:*:*:*:*:* (Version < 40.0.113)

Configuration 2:

cpe:/a:pivotal:application_service:*:*:*:*:*:*:*:* (Version >= 2.3.0 and < 2.3.14)

OR cpe:/a:pivotal:application_service:*:*:*:*:*:*:*:* (Version >= 2.4.0 and < 2.4.10)

OR cpe:/a:pivotal:application_service:*:*:*:*:*:*:*:* (Version >= 2.5.0 and < 2.5.6)

OR cpe:/a:pivotal:cloud_foundry_autoscaling_release:*:*:*:*:*:*:*:* (Version < 219)

OR cpe:/a:pivotal:cloud_foundry_event_alerts:*:*:*:*:*:*:*:* (Version < 1.2.8)

OR cpe:/a:pivotal:cloud_foundry_healthwatch:*:*:*:*:*:*:*:* (Version >= 1.4.0 and < 1.4.7)

OR cpe:/a:pivotal:cloud_foundry_healthwatch:*:*:*:*:*:*:*:* (Version >= 1.5.0 and < 1.5.4)

OR cpe:/a:pivotal:credhub_service_broker_for_pcf:*:*:*:*:*:*:*:* (Version < 1.3.2)

OR cpe:/a:pivotal:metric_registrar_release:*:*:*:*:*:*:*:* (Version < 1.2)

OR cpe:/a:pivotal:on_demand_service_broker:*:*:*:*:*:*:*:* (Version < 0.29.0)

OR cpe:/a:pivotal:pivotal_cloud_foundry_service_broker:*:*:*:*:*:aws:*:* (Version < 1.4.13)

OR cpe:/a:pivotal:single_sign-on:*:*:*:*:*:cloud_foundry:*:* (Version >= 1.7.0 and < 1.7.5)

OR cpe:/a:pivotal:single_sign-on:*:*:*:*:*:cloud_foundry:*:* (Version >= 1.8.0 and < 1.8.4)

OR cpe:/a:pivotal:single_sign-on:*:*:*:*:*:cloud_foundry:*:* (Version >= 1.9.0 and < 1.9.1)

Configuration 3:

cpe:/a:anynines:elasticsearch:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 2.1.2)

OR cpe:/a:anynines:logme:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 2.1.2)

OR cpe:/a:anynines:mongodb:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 2.1.2)

OR cpe:/a:anynines:mysql:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 2.1.2)

OR cpe:/a:anynines:postgresql:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 2.1.2)

OR cpe:/a:anynines:rabbitmq:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 2.1.2)

OR cpe:/a:anynines:redis:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 2.1.2)

OR cpe:/a:apigee:edge_service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 3.1.3)

OR cpe:/a:appdynamics:application_analytics:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 4.7.652)

OR cpe:/a:appdynamics:application_performance_monitoring:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 4.6.64)

OR cpe:/a:appdynamics:platform_montioring:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 4.7.712)

OR cpe:/a:bluemedora:nozzle:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 3.1.1)

OR cpe:/a:contrastsecurity:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 2.2.0)

OR cpe:/a:cyberark:conjur_service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 1.1.1)

OR cpe:/a:datadoghq:application_monitoring:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 1.7.0)

OR cpe:/a:datastax:enterprise_service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 1.0.2)

OR cpe:/a:dynatrace:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 1.4.2)

OR cpe:/a:forgerock:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 2.1.2)

OR cpe:/a:google:google_cloud_platform_service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 4.2.3)

OR cpe:/a:ibm:websphere_liberty_:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 3.11.0)

OR cpe:/a:microsoft:azure_log_analytics_nozzle:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 1.4.1)

OR cpe:/a:microsoft:azure_service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 1.4.1)

OR cpe:/a:newrelic:dotnet_extension_buildpack:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 1.1.1)

OR cpe:/a:newrelic:nozzle:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 1.1.17)

OR cpe:/a:newrelic:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 1.12.64)

OR cpe:/a:pagerduty:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 1.2.4)

OR cpe:/a:riverbed:steelcentral_appinternals:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 10.21.1-bl516)

OR cpe:/a:samba:volume_service:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 1.1.1)

OR cpe:/a:signalsciences:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 1.1.0)

OR cpe:/a:snyk:service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 1.0.3)

OR cpe:/a:solace:pubsub+:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 2.3.2)

OR cpe:/a:splunk:nozzle:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 1.1.1)

OR cpe:/a:sumologic:nozzle:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 1.0.1)

OR cpe:/a:synopsys:seeker_iast_service_broker:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 1.2.14)

OR cpe:/a:tibco:businessworks_buildpack:*:*:*:*:container:pivotal_cloud_foundry:*:* (Version < 2.4.4)

OR cpe:/a:wavefront:wavefront_by_vmware_nozzle:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 1.0.2)

OR cpe:/a:yugabyte:db_enterprise:*:*:*:*:*:pivotal_cloud_foundry:*:* (Version < 1.1.8)

Denotes that component is vulnerable