TIBCO Managed File Transfer Vulnerabilities

============================================================

RAYTHEON FOREGROUND SECURITY, SECURITY ADVISORY

- Original release date: Oct 7, 2015

- Discovered by: Adam Willard (Sr. Software Security Engineer at Raytheon Foreground Security)

- Verified and Coordinated by: Jon Wohlberg (Penetration Tester at Raytheon Foreground Security)

- Severity: 4.0/10 (Base CVSS Score)

============================================================

 

I. VULNERABILITY

-------------------------

Tibco MFT is vulnerable to multiple Directory Traversal bugs. Due to the recommendation from the vendor for how java is to be installed, this allows an authenticated user to download files as root.

 

II. BACKGROUND

-------------------------

MFT is a Managed File Transfer product from Tibco

 

III. DESCRIPTION

-------------------------

Modifying specific parameters allows for files to be downloaded off of the server such as /etc/shadow. The vulnerability allows you do download any file that you are able to identify on the system.

 

An additional vulnerability limits the files that can be downloaded (unable to download /etc/shadow but can download /etc/passwd)

 

 

IV. PROOF OF CONCEPT

-------------------------

(This section has been removed per vendor request).

 

V. BUSINESS IMPACT

-------------------------

An attacker could obtain sensitive files from the server and exploit the system.

 

VI. SYSTEMS AFFECTED

-------------------------

The vulnerability discovered during the testing was Tibco MFT; however, additional details are available at:

https://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5711

 

VII. SOLUTION

-------------------------

Upgrade to the latest version of the software from Tibco for the affected products.

 

VIII. REFERENCES

-------------------------

http://www.tibco.com/assets/blt423f06fbac6ee0c6/2015-003-advisory.txt

http://www.foregroundsecurity.com

 

IX. CREDITS

-------------------------

This vulnerability has been discovered by Adam Willard (awillard (at) foregroundsecurity (dot) com), verification and release coordination by Jon Wohlberg (jwohlberg (at) foregroundsecurity (dot) com)

 

X. REVISION HISTORY

-------------------------

- Sept 29, 2015: Initial release.

 

XI. DISCLOSURE TIMELINE

-------------------------

July 28, 2015: Issue identified within a deployed application by Adam Willard.

July 28, 2015: Vulnerability reported by Adam Willard.

Sept 29, 2015: Security advisory released.

 

XII. LEGAL NOTICES

-------------------------

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use

or otherwise.