Multiple vulnerabilities in Revive Adserver



Published: 2019-05-06 | Updated: 2020-08-08
Risk High
Patch available YES
Number of vulnerabilities 2
CVE ID CVE-2019-5433
CVE-2019-5434
CWE ID CWE-601
CWE-502
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Revive Adserver
Web applications / Other software

Vendor OpenX Source

Security Advisory

1) Open redirect

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-5433

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

A user having access to the UI of a Revive Adserver instance could be tricked into clicking on a specifically crafted admin account-switch.php URL that would eventually lead them to another (unsafe) domain, potentially used for stealing credentials or other phishing attacks. This vulnerability was addressed in version 4.2.0.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Revive Adserver: 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4

CPE External links

https://hackerone.com/reports/390663
https://www.revive-adserver.com/security/revive-sa-2019-001/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Deserialization of Untrusted Data

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-5434

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. Such vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP vulnerabilities or PHP object injection. It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third party websites. This vulnerability was addressed in version 4.2.0.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Revive Adserver: 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4

CPE External links

http://packetstormsecurity.com/files/155559/Revive-Adserver-4.2-Remote-Code-Execution.html
https://hackerone.com/reports/512076
https://hackerone.com/reports/542670
https://www.revive-adserver.com/security/revive-sa-2019-001/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###