SUMMARY

The Content Analysis System (CAS) prior to v1.1.4.2 is vulnerable to a command injection attack on the commandline of the CAS administrative interface. The administrator can use command injection to gain additional privileges which could result in complete compromise of the appliance including installation of executable code.

AFFECTED PRODUCTS

All versions of Content Analysis System prior to version 1.1.4.2 are vulnerable.

Patches

ISSUES

CVE-2014-2565 (assignment pending)

The Content Analysis System (CAS) provides a commandline interface for administrative actions. This commandline interface can only be accessed by a CAS administrator. The commandline interface provides a limited set of functionality.

Some of the commandline interfaces are vulnerable to command injection attacks. Using the commandline interface, an administrator could use command injection to gain access to additional commands and to areas of the file system that are otherwise not permitted by CAS. The administrator may be able to gain root level access to the CAS appliance.

Gaining root level access could allow the attacker complete access to the entire appliance including the ability to create new users, install new executables, and read and modify data.

REFERENCES

OWASP description of command injection - https://www.owasp.org/index.php/Command_Injection

REVISION

2014-12-18 Marked as Final
2014-04-04 Changed URL for patch download to reflect the URL of BTO.
014-03-20 CVE ID number added, noted there is no workaround.
2014-03-19 Initial public release