SB2021011103 - Multiple vulnerabilities in Gigamon GigaVUE-OS

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Cleartext storage of sensitive information (CVE-ID: CVE-2020-23249)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to the affected software stores a Redis database password in plaintext. A remote administrator can send a specially crafted request to obtain Redis database credentials.

2) Arbitrary file upload (CVE-ID: CVE-2020-12252)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to the application allows unrestricted upload of dangerous files in filename parameter within the upload functionality. A remote authenticated attacker can upload a malicious file and execute it on the server.

3) Path traversal (CVE-ID: CVE-2020-12251)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to insufficient sanitization of user-supplied passed in the upload functionality. A remote authenticated attacker can send a specially crafted HTTP request containing directory traversal sequences and read contents of arbitrary files on the system.

4) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2020-23250)

The vulnerability allows a local user to gain access to sensitive information on the target system.

The vulnerability exists due to the affected software uses a weak algorithm for a hash stored in internal database. A local administrator can obtain sensitive information.

Remediation

Install update from vendor's website.

References

• https://community.gigamon.com/gigamoncp/s/article/Field-Notice-Gigamon-addressing-multiple-vulnerabilities-in-GigaVUE-OS