Access bypass in Pivotal Cloud Foundry Elastic Runtime

1) Access bypass

EUVDB-ID: #VU713

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6636

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability alows a remote user to obtain implicit access tokens on the target system.
The weakness is caused by incorrect validation of redirect_uri during OAuth authorization flow. By using different request subdomain attackers can get implicit access tokens.
Successful exploitation of the vulnerability allows a malicious user to access implicit tolens on the vulnerable system.

Mitigation

Update Pivotal Cloud Foundry UAA 2.x to 2.7.4.7, 3.x to 3.3.0.5, and 3.4.x to 3.4.4;
Update Pivotal Cloud Foundry UAA BOSH 11.5 and 12.x to 12.5;
Update Pivotal Cloud Foundry Elastic Runtime 1.6.40, 1.7.x to 1.7.21, and 1.8.x to 1.8.1;
Update Pivotal Cloud Foundry Ops Manager 1.7.x to 1.7.13 and 1.8.x to 1.8.1.

Vulnerable software versions

Pivotal Cloud Foundry Elastic Runtime: 1.6.40 - 1.8.1

Cloud Foundry UAA: 2.0 - 3.4.4

Pivotal Cloud Foundry Ops Manager: 1.7.0 - 1.8.0

Bosh Release for the UAA: 11.5 - 12.4

External links

http://pivotal.io/security/cve-2016-6636

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to open a a specially crafted archive.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.