Authentication hijack in Pivotal Cloud Foundry Ops Manager

1) Authentication hijack

EUVDB-ID: #VU712

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6637

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote user hijack valid user's authentication on the target language.
The weakness exists due to cross-site request forgery and allows attacker to steal user's authentication data.
Successful exploitation of the vulnerability may result in using victim's authentication for approval/denial a scope via a profile or approval page authorization.

Mitigation

Update Pivotal Cloud Foundry (PCF) UAA 2.x to 2.7.4.7, 3.x to 3.3.0.5, and 3.4.x to 3.4.4.
Update Pivotal Cloud Foundry (PCF) UAA BOSH 11.5 and 12.x to 12.5.
Update Pivotal Cloud Foundry (PCF) Elastic Runtime 1.7.x to 1.7.21, and 1.8.x to 1.8.2.
Update Pivotal Cloud Foundry (PCF) Ops Manager 1.7.x to 1.7.13 and 1.8.x to 1.8.1.

Vulnerable software versions

Pivotal Cloud Foundry Ops Manager: 1.7.0 - 1.8.0

Pivotal Cloud Foundry Elastic Runtime: 1.7.1 - 1.8.1

Cloud Foundry UAA: 2.0 - 2.7

Bosh Release for the UAA: 11.5 - 12.4

External links

http://pivotal.io/security/cve-2016-6637

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to open a a specially crafted archive.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.