ID

VAR-201111-0177


CVE

CVE-2011-4498


TITLE

Zenprise Device Manager Cross-Site Request Forgery Vulnerability

Trust: 2.6

sources: CNVD: CNVD-2011-4963 // JVNDB: JVNDB-2011-003068 // CNNVD: CNNVD-201111-334 // CNNVD: CNNVD-201111-342

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in the web console in Zenprise Device Manager 6.x through 6.1.8 allows remote attackers to hijack the authentication of administrators for requests that wipe mobile devices.

Zenprise Device Manager, provided by Zenprise Inc., is software for managing mobile devices. An attacker could exploit the vulnerability to perform certain administrative actions and gain unauthorized access to the affected application. Other attacks are also possible.

Secunia Advisory SA46937 (release date 2011-11-21, http://secunia.com/advisories/46937/):

TITLE: Zenprise Device Manager Web Console Cross-Site Request Forgery Vulnerability

DESCRIPTION: A vulnerability has been reported in Zenprise Device Manager, which can be exploited by malicious people to conduct cross-site request forgery attacks. The web console allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. execute commands on a device by tricking an administrative user into visiting a malicious web site. The vulnerability is reported in versions 6.0 through 6.1.8.

SOLUTION: Apply patch. Further details available in the Secunia Customer Area: http://secunia.com/vulnerability_intelligence/

PROVIDED AND/OR DISCOVERED BY: US-CERT credits Laurent Oudot, TEHTRI-Security.

ORIGINAL ADVISORY: US-CERT (VU#584363): http://www.kb.cert.org/vuls/id/584363

Trust: 3.24

sources: NVD: CVE-2011-4498 // CERT/CC: VU#584363 // JVNDB: JVNDB-2011-003068 // CNVD: CNVD-2011-4963 // BID: 50724 // PACKETSTORM: 107183
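The weakness in the advisories above is CWE-352: the console authorizes a state-changing request on the strength of the browser's session cookie alone, so an attacker-controlled page can auto-submit a form that the victim administrator's browser completes with a valid cookie. The following model, added here as an illustration and not code from Zenprise or from any of the cited advisories, runs a forged cross-site "wipe" request and a legitimate one against a cookie-only handler and against a hardened handler that requires a per-session synchronizer token and a matching Origin/Referer. The endpoint path /console/device/wipe, the parameter names deviceId and csrf_token, the cookie name JSESSIONID and the console origin are assumptions; the real product's URLs and parameters are not reproduced.

```python
"""
Model of a CSRF-prone admin action and its hardened form.

Added example, not code from Zenprise Device Manager or any advisory.
Endpoint path, parameter names, cookie name and origin are assumptions.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

CONSOLE_ORIGIN = "https://mdm.example.internal"   # assumed console origin
WIPE_PATH = "/console/device/wipe"                  # assumed endpoint


@dataclass
class Request:
    """Minimal HTTP request model: method, path, headers, cookies, form body."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    admin: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def _origin_of(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


class Console:
    """Toy admin console with one destructive action: wipe a device."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
        self.wiped: list[str] = []

    def login(self, admin: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(admin=admin)
        return sid

    def _authenticated(self, req: Request) -> Session | None:
        if req.method != "POST" or req.path != WIPE_PATH:
            return None
        return self.sessions.get(req.cookies.get("JSESSIONID", ""))

    # Vulnerable (CWE-352): the cookie the browser attaches automatically is
    # the only thing checked, so any origin can trigger the wipe.
    def wipe_vulnerable(self, req: Request) -> tuple[int, str]:
        if self._authenticated(req) is None:
            return 403, "forbidden"
        self.wiped.append(req.form["deviceId"])
        return 200, "wiped"

    # Hardened: synchronizer token plus Origin/Referer check.
    def wipe_hardened(self, req: Request) -> tuple[int, str]:
        sess = self._authenticated(req)
        if sess is None:
            return 403, "forbidden"
        # 1. Browsers send Origin (or at least Referer) on cross-site POSTs and
        #    a page cannot forge it. A missing header is treated as untrusted
        #    rather than letting the check fall open.
        source = req.headers.get("Origin") or req.headers.get("Referer")
        if source is None or _origin_of(source) != CONSOLE_ORIGIN:
            return 403, "bad origin"
        # 2. Per-session secret embedded in the console's own form; a
        #    cross-site page cannot read it. Constant-time comparison.
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token.encode(), sess.csrf_token.encode()):
            return 403, "missing or invalid csrf token"
        self.wiped.append(req.form["deviceId"])
        return 200, "wiped"


def forged_wipe_request(sid: str, device_id: str) -> Request:
    """What an auto-submitting <form> on https://attacker.example yields: the
    victim's browser attaches the console cookie, but the attacker neither
    controls Origin nor knows the session's CSRF token."""
    return Request("POST", WIPE_PATH,
                   headers={"Origin": "https://attacker.example"},
                   cookies={"JSESSIONID": sid},
                   form={"deviceId": device_id})


def legitimate_wipe_request(console: Console, sid: str, device_id: str) -> Request:
    """A request submitted from the console's own page, with the hidden token."""
    return Request("POST", WIPE_PATH,
                   headers={"Origin": CONSOLE_ORIGIN},
                   cookies={"JSESSIONID": sid},
                   form={"deviceId": device_id,
                         "csrf_token": console.sessions[sid].csrf_token})


def demo() -> dict:
    """Run both handlers against a forged and a legitimate request (constructed inputs)."""
    c = Console()
    sid = c.login("admin")
    forged = forged_wipe_request(sid, "device-0001")
    legit = legitimate_wipe_request(c, sid, "device-0002")
    return {
        "vulnerable_forged": c.wipe_vulnerable(forged)[0],   # 200: wipe succeeds
        "hardened_forged": c.wipe_hardened(forged)[0],       # 403: rejected
        "hardened_legit": c.wipe_hardened(legit)[0],         # 200: real admin action
        "wiped": list(c.wiped),
    }


if __name__ == "__main__":
    print(demo())
```

The token is the primary control; the Origin/Referer check is defence in depth because some clients strip those headers, which is why a missing header is rejected rather than accepted. Because the affected action is a device wipe, the blast radius of a single forged request is destructive and hard to reverse, so until the vendor patch is applied the practical mitigations are to log out of the console before browsing other sites and to restrict the console to an administrative network.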

IOT TAXONOMY

category: Network device  sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2011-4963

AFFECTED PRODUCTS

vendor: zenprise  model: device manager  scope: eq  version: 6.0

Trust: 1.6

vendor: zenprise  model: device manager  scope: eq  version: 6.1.6

Trust: 1.6

vendor: zenprise  model: device manager  scope: eq  version: 6.1.5

Trust: 1.6

vendor: zenprise  model: device manager  scope: eq  version: 6.1.8

Trust: 1.6

vendor: zenprise  model: device manager  scope: eq  version: 6.1.0

Trust: 1.6

vendor: zenprise  model: device manager  scope: eq  version: 0

Trust: 0.9

vendor: zenprise  model: -  scope: -  version: -

Trust: 0.8

vendor: zenprise  model: device manager  scope: -  version: -

Trust: 0.8

sources: CERT/CC: VU#584363 // CNVD: CNVD-2011-4963 // BID: 50724 // JVNDB: JVNDB-2011-003068 // NVD: CVE-2011-4498 // CNNVD: CNNVD-201111-342

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2011-4498
value: MEDIUM

Trust: 1.8

CARNEGIE MELLON: VU#584363
value: 0.89

Trust: 0.8

CNNVD: CNNVD-201111-342
value: MEDIUM

Trust: 0.6

NVD:
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: TRUE
version: 2.0

Trust: 1.0

NVD: CVE-2011-4498
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

sources: CERT/CC: VU#584363 // JVNDB: JVNDB-2011-003068 // NVD: CVE-2011-4498 // CNNVD: CNNVD-201111-342

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.8

sources: JVNDB: JVNDB-2011-003068 // NVD: CVE-2011-4498

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201111-334 // CNNVD: CNNVD-201111-342

TYPE

cross-site request forgery

Trust: 1.2

sources: CNNVD: CNNVD-201111-334 // CNNVD: CNNVD-201111-342

CONFIGURATIONS

sources: NVD: CVE-2011-4498

PATCH

title: Zenprise Device Manager  url: http://www.zenprise.com/products/zenprise_device_manager/

Trust: 0.8

title: Zenprise Customer Center (Registered Users Only)  url: http://www.zenprise.com/services/customer-center/

Trust: 0.8

title: Patch for Zenprise Device Manager cross-site request forgery vulnerability  url: https://www.cnvd.org.cn/patchinfo/show/5960

Trust: 0.6

sources: CNVD: CNVD-2011-4963 // JVNDB: JVNDB-2011-003068

EXTERNAL IDS

db: CERT/CC  id: VU#584363

Trust: 3.6

db: NVD  id: CVE-2011-4498

Trust: 2.7

db: BID  id: 50724

Trust: 1.5

db: JVNDB  id: JVNDB-2011-003068

Trust: 0.8

db: CNVD  id: CNVD-2011-4963

Trust: 0.6

db: CNNVD  id: CNNVD-201111-334

Trust: 0.6

db: CNNVD  id: CNNVD-201111-342

Trust: 0.6

db: SECUNIA  id: 46937

Trust: 0.2

db: PACKETSTORM  id: 107183

Trust: 0.1

sources: CERT/CC: VU#584363 // CNVD: CNVD-2011-4963 // BID: 50724 // JVNDB: JVNDB-2011-003068 // PACKETSTORM: 107183 // NVD: CVE-2011-4498 // CNNVD: CNNVD-201111-334 // CNNVD: CNNVD-201111-342

REFERENCES

url:http://www.zenpriseportal.com/patches/zp_secpatch_618_9995.zip

Trust: 3.2

url:http://www.kb.cert.org/vuls/id/584363

Trust: 2.8

url:http://www.zenprise.com/products/zenprise_device_manager/

Trust: 1.1

url:http://cwe.mitre.org/data/definitions/352.html

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4498

Trust: 0.8

url:http://jvn.jp/cert/jvnvu584363/

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4498

Trust: 0.8

url:http://www.securityfocus.com/bid/50724/

Trust: 0.6

url:http://www.securityfocus.com/bid/50724

Trust: 0.6

url:http://secunia.com/advisories/46937/

Trust: 0.1

url:http://secunia.com/vulnerability_intelligence/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.1

url:http://secunia.com/advisories/46937/#comments

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=46937

Trust: 0.1

sources: CERT/CC: VU#584363 // CNVD: CNVD-2011-4963 // BID: 50724 // JVNDB: JVNDB-2011-003068 // PACKETSTORM: 107183 // NVD: CVE-2011-4498 // CNNVD: CNNVD-201111-334 // CNNVD: CNNVD-201111-342

CREDITS

Laurent Oudot of TEHTRI-Security

Trust: 0.9

sources: BID: 50724 // CNNVD: CNNVD-201111-334

SOURCES

db: CERT/CC  id: VU#584363
db: CNVD  id: CNVD-2011-4963
db: BID  id: 50724
db: JVNDB  id: JVNDB-2011-003068
db: PACKETSTORM  id: 107183
db: NVD  id: CVE-2011-4498
db: CNNVD  id: CNNVD-201111-334
db: CNNVD  id: CNNVD-201111-342

LAST UPDATE DATE

2023-12-18T14:06:23.090000+00:00


SOURCES UPDATE DATE

db: CERT/CC  id: VU#584363  date: 2012-08-03T00:00:00
db: CNVD  id: CNVD-2011-4963  date: 2011-11-21T00:00:00
db: BID  id: 50724  date: 2011-11-22T18:25:00
db: JVNDB  id: JVNDB-2011-003068  date: 2011-11-28T00:00:00
db: NVD  id: CVE-2011-4498  date: 2011-11-21T11:55:04.697
db: CNNVD  id: CNNVD-201111-334  date: 2011-11-22T00:00:00
db: CNNVD  id: CNNVD-201111-342  date: 2011-11-22T00:00:00

SOURCES RELEASE DATE

db: CERT/CC  id: VU#584363  date: 2011-11-18T00:00:00
db: CNVD  id: CNVD-2011-4963  date: 2011-11-21T00:00:00
db: BID  id: 50724  date: 2011-11-18T00:00:00
db: JVNDB  id: JVNDB-2011-003068  date: 2011-11-28T00:00:00
db: PACKETSTORM  id: 107183  date: 2011-11-21T04:35:30
db: NVD  id: CVE-2011-4498  date: 2011-11-21T11:55:04.697
db: CNNVD  id: CNNVD-201111-334  date: 1900-01-01T00:00:00
db: CNNVD  id: CNNVD-201111-342  date: 2011-11-22T00:00:00