Support Content Notification - Support Portal

SA94 : Malware Analysis Appliance Cross-site Scripting and Information Disclosure Vulnerabilities

Product/Component

Notification Id

1320

Last Updated

03 March 2020

Initial Publication Date

16 April 2015

Status

CLOSED

Severity

MEDIUM

CVSS Base Score

CVSS v2: 5.8

WorkAround

Affected CVE

SUMMARY

The Malware Analysis Appliance (MAA) is vulnerable to cross-site scripting (XSS) and information disclosure vulnerabilities in search.php. An attacker can use these vulnerabilities to attack the client machine (via XSS), and to obtain MAA user names, sample names, and user generated data about the samples.

AFFECTED PRODUCTS

Malware Analysis Appliance (MAA)
CVE	Affected Version(s)	Remediation
All CVEs	4.2	Upgrade to 4.2.4.
All CVEs	4.1	Upgrade to later version with fixes.

Malware Analyzer G2 (MAG2)
CVE	Affected Version(s)	Remediation
All CVEs	3.5 and prior	Upgrade to later version of MAA with fixes.

ISSUES

CVE-2015-0937
Severity / CVSSv2	Medium / 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
References	SecurityFocus: BID 74060 / NVD: CVE-2015-0937
Impact	Cross-site scripting (XSS)
Description	Cross-site scripting vulnerabilities are present in search.php and other URLs. An attacker can use cross-site scripting to execute arbitrary javascript on the client machine as the user. The javascript could be used to send commands to MAA, or to install malware or keystroke loggers on the client machine.

CVE-2015-0938
Severity / CVSSv2	Medium / 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
References	SecurityFocus: BID 74060 / NVD: CVE-2015-0938
Impact	Information disclosure
Description	Information can be obtained by a non-authenticated user using search.php. An attacker could obtain the names of MAA users that have uploaded samples, the sample file names of any files that have been submitted to MAA, and user generated data about the samples that have been uploaded. An attacker cannot modify information or obtain full administrative access.

ACKNOWLEDGEMENTS

Thank you to the CERT Coordination Center for coordinating the vulnerability report and the subsequent release of a fix.

REFERENCES

VU#274244 - https://www.kb.cert.org/vuls/id/274244

REVISION

2015-07-01 A fix will not be provided in 4.1; marked as final.
2015-04-16 Initial public release