ID

VAR-201009-0013


CVE

CVE-2010-0153


TITLE

IBM PNMSS Appliance LMI Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2010-002929

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities in the Local Management Interface (LMI) on the IBM Proventia Network Mail Security System (PNMSS) appliance with firmware before 2.5.0.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change settings or (2) conduct denial of service attacks. The Local Management Interface is a set of enhancements to the basic Frame Relay specification. When exploited by an attacker, the identified vulnerabilities could lead to compromising the security of the appliance, including unauthorized alteration of the appliance's settings, DoS attacks, etc.

Affected Versions:
IBM Proventia Network Mail Security System - virtual appliance (firmware 1.6)
IBM Proventia Network Mail Security System - virtual appliance (firmware 2.5)

Mitigation:
Vendor recommends upgrading to PNMSS firmware 2.5.0.2 or later. Alternatively, please contact IBM for technical support.

Disclosure Timeline:
2009, November 07: Vulnerabilities discovered and documented
2009, November 08: Notification sent to IBM
2009, November 09: IBM acknowledges receiving the report
2010, March: IBM releases PNMSS Firmware 2.5.0.2 correcting the reported issues
2010, September 12: MVSA-10-006 advisory published

Credits:
Dr. Marian Ventuneac
http://ventuneac.net

Trust: 1.8

sources: NVD: CVE-2010-0153 // JVNDB: JVNDB-2010-002929 // VULHUB: VHN-42758 // PACKETSTORM: 93798

AFFECTED PRODUCTS

vendor: ibm, model: proventia network mail security system virtual appliance, scope: -, version: -

Trust: 1.4

vendor: ibm, model: proventia network mail security system virtual appliance, scope: eq, version: 1.6

Trust: 1.0

vendor: ibm, model: proventia network mail security system virtual appliance, scope: eq, version: 2.5

Trust: 1.0

vendor: ibm, model: proventia network mail security system virtual appliance, scope: eq, version: *

Trust: 1.0

vendor: ibm, model: proventia network mail security system virtual appliance, scope: lt, version: 2.5.0.2

Trust: 0.8

sources: JVNDB: JVNDB-2010-002929 // CNNVD: CNNVD-201009-113 // NVD: CVE-2010-0153

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2010-0153
value: MEDIUM

Trust: 1.0

NVD: CVE-2010-0153
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201009-113
value: MEDIUM

Trust: 0.6

VULHUB: VHN-42758
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2010-0153
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-42758
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-42758 // JVNDB: JVNDB-2010-002929 // CNNVD: CNNVD-201009-113 // NVD: CVE-2010-0153

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-42758 // JVNDB: JVNDB-2010-002929 // NVD: CVE-2010-0153

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201009-113

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201009-113

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-002929

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-42758

PATCH

title: Proventia Network Mail Security System, url: http://www-935.ibm.com/services/us/en/it-services/proventia-network-mail-security-system.html

Trust: 0.8

sources: JVNDB: JVNDB-2010-002929

EXTERNAL IDS

db: NVD, id: CVE-2010-0153

Trust: 2.6

db: JVNDB, id: JVNDB-2010-002929

Trust: 0.8

db: CNNVD, id: CNNVD-201009-113

Trust: 0.7

db: BUGTRAQ, id: 20100912 MVSA-10-006 / CVE-2010-0153 - IBM PROVENTIA NETWORK MAIL SECURITY SYSTEM - CROSS-SITE REQUEST FORGERY VULNERABILITIES

Trust: 0.6

db: PACKETSTORM, id: 93798

Trust: 0.2

db: VULHUB, id: VHN-42758

Trust: 0.1

sources: VULHUB: VHN-42758 // JVNDB: JVNDB-2010-002929 // PACKETSTORM: 93798 // CNNVD: CNNVD-201009-113 // NVD: CVE-2010-0153

REFERENCES

url:http://www.ventuneac.net/security-advisories/mvsa-10-006

Trust: 1.8

url:http://www.securityfocus.com/archive/1/513627/100/0/threaded

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-0153

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-0153

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/513627/100/0/threaded

Trust: 0.6

url:http://ventuneac.net

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2010-0153

Trust: 0.1

sources: VULHUB: VHN-42758 // JVNDB: JVNDB-2010-002929 // PACKETSTORM: 93798 // CNNVD: CNNVD-201009-113 // NVD: CVE-2010-0153

CREDITS

Dr. Marian Ventuneac

Trust: 0.1

sources: PACKETSTORM: 93798

SOURCES

db: VULHUB, id: VHN-42758
db: JVNDB, id: JVNDB-2010-002929
db: PACKETSTORM, id: 93798
db: CNNVD, id: CNNVD-201009-113
db: NVD, id: CVE-2010-0153

LAST UPDATE DATE

2025-04-11T23:03:18.600000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-42758, date: 2018-10-10T00:00:00
db: JVNDB, id: JVNDB-2010-002929, date: 2012-03-27T00:00:00
db: CNNVD, id: CNNVD-201009-113, date: 2010-09-16T00:00:00
db: NVD, id: CVE-2010-0153, date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: VULHUB, id: VHN-42758, date: 2010-09-14T00:00:00
db: JVNDB, id: JVNDB-2010-002929, date: 2012-03-27T00:00:00
db: PACKETSTORM, id: 93798, date: 2010-09-14T01:00:51
db: CNNVD, id: CNNVD-201009-113, date: 2010-09-16T00:00:00
db: NVD, id: CVE-2010-0153, date: 2010-09-14T17:00:01.387