RAYTHEON FOREGROUND SECURITY, SECURITY ADVISORY
– Original release date: Oct 7, 2015
– Discovered by: Adam Willard (Sr. Software Security Engineer at Raytheon Foreground Security)
– Verified and Coordinated by: Jon Wohlberg (Penetration Tester at Raytheon Foreground Security)
– Severity: 4.0/10 (Base CVSS Score)
Tibco MFT is vulnerable to multiple directory traversal bugs. Because the vendor's recommended Java installation has the MFT service running as root, an authenticated user can download files with root's read access.
MFT is a Managed File Transfer product from Tibco.
Modifying specific request parameters allows files to be downloaded from the server, including /etc/shadow. The traversal is not restricted to a fixed set of files: any file whose path the attacker can identify on the system can be retrieved.
A second traversal bug is more limited in which files it exposes: it cannot read /etc/shadow, but it can read /etc/passwd.
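To make the mechanics concrete, the following is an added illustration in Python and is not Tibco's code (MFT itself is a Java product, and the affected parameter names are withheld above). It shows a download handler's path resolution in the two forms the advisory contrasts: the naive join onto a download root, which lets "../" segments and absolute paths escape, beside a canonicalising check that confines the result to the root and also catches a symlink planted inside it. The directory layout, file names and the download-root path are constructed for the example.

```python
"""Path-traversal check for a file-download handler (added illustration, not Tibco code)."""
import os
import tempfile
from pathlib import Path


class TraversalError(ValueError):
    """Raised when a requested name resolves outside the download root."""


def resolve_vulnerable(base_dir: str, requested: str) -> str:
    """Naive resolution: the user-supplied name is joined onto the root unchecked.

    Two failure modes matter here:
      * "../" segments walk out of base_dir after normalisation;
      * os.path.join drops base_dir entirely when `requested` is absolute.
    Whatever comes back is what a root-owned process would happily open and serve.
    """
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_hardened(base_dir: str, requested: str) -> str:
    """Canonicalise both sides, then require the candidate to sit strictly inside the root.

    realpath() collapses "..", exposes absolute input, and follows symlinks, so a
    link planted inside the root that points outside is rejected as well.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"{requested!r} resolves to {candidate}, outside {base}")
    return candidate


def hardened_allows(base_dir: str, requested: str) -> bool:
    """Convenience wrapper: True if the hardened resolver would serve the request."""
    try:
        resolve_hardened(base_dir, requested)
        return True
    except TraversalError:
        return False


def demo() -> dict:
    """Build a constructed download root in a temp dir and return both resolvers' verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "downloads")
        os.makedirs(os.path.join(base, "reports"))
        Path(base, "reports", "q3.csv").write_text("constructed sample report\n")
        secret = Path(tmp, "secret.txt")  # deliberately outside the download root
        secret.write_text("constructed: must never be served\n")
        os.symlink(secret, os.path.join(base, "link"))  # symlink inside root, target outside

        # Constructed requests: one legitimate, one "../" escape, one symlink escape,
        # one absolute path (the shape that reaches /etc/passwd or /etc/shadow).
        requests = ["reports/q3.csv", "../secret.txt", "link", "/etc/passwd"]
        results = {}
        for name in requests:
            naive = resolve_vulnerable(base, name)
            results[name] = {
                "vulnerable_path": naive,
                # Would the naive code find a real file to hand over? (isfile follows symlinks.)
                "vulnerable_serves_file": os.path.isfile(naive),
                "hardened_allows": hardened_allows(base, name),
            }
        return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} naive -> {verdict['vulnerable_path']}  "
              f"hardened allows: {verdict['hardened_allows']}")
```

The check in resolve_hardened addresses only the traversal; it does nothing about the second point the advisory makes. A service that runs as root will still be able to open /etc/shadow if any other bug hands it an arbitrary path, so running the Java process as a dedicated unprivileged account is a separate, independent control.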
IV. PROOF OF CONCEPT
(This section has been removed per vendor request).
V. BUSINESS IMPACT
An authenticated attacker could retrieve sensitive files from the server, such as /etc/shadow, and use them to compromise the system further.
VI. SYSTEMS AFFECTED
The vulnerability was discovered in Tibco MFT during testing of a deployed application; additional details are available from the vendor at:
VII. SOLUTION
Upgrade to the latest version of the software from Tibco for the affected products.
This vulnerability was discovered by Adam Willard (awillard (at) foregroundsecurity (dot) com); verification and release coordination by Jon Wohlberg (jwohlberg (at) foregroundsecurity (dot) com).
X. REVISION HISTORY
– Sept 29, 2015: Initial release.
XI. DISCLOSURE TIMELINE
July 28, 2015: Issue identified within a deployed application by Adam Willard.
July 28, 2015: Vulnerability reported by Adam Willard.
Sept 29, 2015: Security advisory released.
XII. LEGAL NOTICES
The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use