From 4dd005f42e98fe6da1696dd6c65484d185a300d3 Mon Sep 17 00:00:00 2001
From: Harsh Mishra
Date: Thu, 25 Jan 2024 18:02:01 +0530
Subject: [PATCH 1/3] Fix Encoding Type in Fireeye Importer
Signed-off-by: Harsh Mishra
---
 vulnerabilities/importers/fireeye.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vulnerabilities/importers/fireeye.py b/vulnerabilities/importers/fireeye.py
index 814af7248..f39ff6c45 100644
--- a/vulnerabilities/importers/fireeye.py
+++ b/vulnerabilities/importers/fireeye.py
@@ -44,7 +44,7 @@ def advisory_data(self) -> Iterable[AdvisoryData]:
 if Path(file).stem == "README":
 continue
 try:
- with open(file) as f:
+ with open(file, encoding="utf-8-sig") as f:
 yield parse_advisory_data(raw_data=f.read(), file=file, base_path=base_path)
 except UnicodeError:
 logger.error(f"Invalid file {file}")
From 974cd843f5e3952249787740a88b8c066b332af7 Mon Sep 17 00:00:00 2001
From: Harsh Mishra
Date: Thu, 25 Jan 2024 18:53:09 +0530
Subject: [PATCH 2/3] Add Test to Fireeye Importer This test checks for UTF-8-SIG encoding
Signed-off-by: Harsh Mishra
---
 .../tests/test_data/fireeye/fireeye_test3.md | 31 +++++++++++++++++++
 vulnerabilities/tests/test_fireeye.py | 8 +++++
 2 files changed, 39 insertions(+)
 create mode 100644 vulnerabilities/tests/test_data/fireeye/fireeye_test3.md
diff --git a/vulnerabilities/tests/test_data/fireeye/fireeye_test3.md b/vulnerabilities/tests/test_data/fireeye/fireeye_test3.md
new file mode 100644
index 000000000..b825b967b
--- /dev/null
+++ b/vulnerabilities/tests/test_data/fireeye/fireeye_test3.md
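Review bot: The `except UnicodeError` branch right after the new `open(file, encoding="utf-8-sig")` still skips the advisory with only `Invalid file {file}` in the log, so a file in any other encoding (UTF-16, for example) silently drops out of the imported vulnerability data. Logging the exception too, with `except UnicodeError as e:` and `logger.error(f"Invalid file {file}: {e!r}")`, would let a coverage gap be traced to a specific decode failure. The `open` call also deserves a one-line comment, for example `# utf-8-sig strips a leading BOM; plain UTF-8 files decode unchanged`. The body of `advisory_data` starts outside the hunk.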
@@ -0,0 +1,31 @@
+# MNDT-2023-0017
+
+The IBM Personal Communications (PCOMM) application 13.0.0 and earlier caused a user's plaintext password to be written to the `C:\Temp\pcsnp_init.log` file when re-connection was made through a remote desktop protocol.
+
+## Common Weakness Enumeration
+CWE-312: Cleartext Storage of Sensitive Information
+
+## Impact
+High - An attacker with low-privilege access to a host with IBM PCOMM could recover the plaintext password of another user.
+
+## Exploitability
+Low - Exploitability varies depending on the environment in which IBM PCOMM is installed. Mandiant identified this vulnerability when conducting independent security research for a client that used Citrix to connect to shared Windows Server instances. In certain environments where remote desktop is used to connect to shared hosts with IBM PCOMM installed, the exploitability is greatly increased.
+
+## CVE Reference
+CVE-2016-0321 - scope expanded
+
+## Technical Details
+While conducting independent security research, Mandiant identified a plaintext Active Directory password stored within the `C:\Temp\pcsnp_init.log` file. The affected host had IBM PCOMM version 13.0.0 installed and was used by multiple users who connected with Citrix. Upon a user connecting, disconnecting, and connecting again, the user's plaintext password was stored in the `C:\Temp\pcsnp_init.log` file.
+
+## Discovery Credits
+- Adin Drabkin, Mandiant
+- Matthew Rotlevi, Mandiant
+
+## Disclosure Timeline
+- 2023-09-26 - Issue reported to the vendor.
+- 2023-11-03 - The vendor updated the security bulletin for CVE-2016-0321 to include all known affected and fixed versions.
+
+## References
+- [IBM Security Bulletin](https://www.ibm.com/support/pages/security-bulletin-ibm-personal-communications-could-allow-remote-user-obtain-sensitive-information-including-user-passwords-allowing-unauthorized-access-cve-2016-0321)
+- [IBM Personal Communications](https://www.ibm.com/support/pages/ibm-personal-communications)
+- [Mitre CVE-2016-0321](https://www.cve.org/CVERecord?id=CVE-2016-0321)
diff --git a/vulnerabilities/tests/test_fireeye.py b/vulnerabilities/tests/test_fireeye.py
index f6a5be74a..b1409145c 100644
--- a/vulnerabilities/tests/test_fireeye.py
+++ b/vulnerabilities/tests/test_fireeye.py
@@ -172,3 +172,11 @@ def test_parse_advisory_data_2(self): result = imported_data.to_dict() util_tests.check_results_against_json(result, expected_file) + + def test_md_list_to_dict_2(self): + expected_output = {'# MNDT-2023-0017\n': ['\n', "The IBM Personal Communications (PCOMM) application 13.0.0 and earlier caused a user's plaintext password to be written to the `C:\\Temp\\pcsnp_init.log` file when re-connection was made through a remote desktop protocol.\n", '\n'], '## Common Weakness Enumeration\n': ['CWE-312: Cleartext Storage of Sensitive Information\n', '\n'], '## Impact\n': ['High - An attacker with low-privilege access to a host with IBM PCOMM could recover the plaintext password of another user.\n', '\n'], '## Exploitability\n': ['Low - Exploitability varies depending on the environment in which IBM PCOMM is installed. Mandiant identified this vulnerability when conducting independent security research for a client that used Citrix to connect to shared Windows Server instances. In certain environments where remote desktop is used to connect to shared hosts with IBM PCOMM installed, the exploitability is greatly increased.\n', '\n'], '## CVE Reference\n': ['CVE-2016-0321 - scope expanded\n', '\n'], '## Technical Details\n': ["While conducting independent security research, Mandiant identified a plaintext Active Directory password stored within the `C:\\Temp\\pcsnp_init.log` file. The affected host had IBM PCOMM version 13.0.0 installed and was used by multiple users who connected with Citrix. 
Upon a user connecting, disconnecting, and connecting again, the user's plaintext password was stored in the `C:\\Temp\\pcsnp_init.log` file.\n", '\n'], '## Discovery Credits\n': ['- Adin Drabkin, Mandiant\n', '- Matthew Rotlevi, Mandiant\n', '\n'], '## Disclosure Timeline\n': ['- 2023-09-26 - Issue reported to the vendor.\n', '- 2023-11-03 - The vendor updated the security bulletin for CVE-2016-0321 to include all known affected and fixed versions.\n', '\n'], '## References\n': ['- [IBM Security Bulletin](https://www.ibm.com/support/pages/security-bulletin-ibm-personal-communications-could-allow-remote-user-obtain-sensitive-information-including-user-passwords-allowing-unauthorized-access-cve-2016-0321)\n', '- [IBM Personal Communications](https://www.ibm.com/support/pages/ibm-personal-communications)\n', '- [Mitre CVE-2016-0321](https://www.cve.org/CVERecord?id=CVE-2016-0321)\n']} + with open(os.path.join(TEST_DATA, "fireeye_test3.md"), encoding='utf-8-sig') as f: + md_list = f.readlines() + md_dict = md_list_to_dict(md_list) + assert md_dict == expected_output + From a3618563f36382b403110a2244521656e4f62a74 Mon Sep 17 00:00:00 2001 From: Harsh Mishra Date: Thu, 25 Jan 2024 18:55:35 +0530 Subject: [PATCH 3/3] Reformat test_fireeye.py Signed-off-by: Harsh Mishra --- vulnerabilities/tests/test_fireeye.py | 43 +++++++++++++++++++++++++-- 1 file changed, 40 insertions(+), 3 deletions(-) diff --git a/vulnerabilities/tests/test_fireeye.py b/vulnerabilities/tests/test_fireeye.py index b1409145c..15935728c 100644 --- a/vulnerabilities/tests/test_fireeye.py +++ b/vulnerabilities/tests/test_fireeye.py 
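Review bot: `test_md_list_to_dict_2` opens the fixture with `encoding='utf-8-sig'` itself and calls `md_list_to_dict` directly, so it never reaches the `open()` call in the importer's `advisory_data` that patch 1 changed. As far as this hunk shows, the test would still pass with that fix reverted. The `utf-8-sig` codec also decodes files that have no BOM, so the test does not prove that `fireeye_test3.md` actually starts with one. Pinning the fixture's raw bytes would close that gap: `with open(os.path.join(TEST_DATA, "fireeye_test3.md"), "rb") as raw:` followed by `assert raw.read(3) == codecs.BOM_UTF8`. This needs `import codecs` if the test module does not already have it, which is not visible here.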
@@ -174,9 +174,46 @@ def test_parse_advisory_data_2(self): util_tests.check_results_against_json(result, expected_file) def test_md_list_to_dict_2(self): - expected_output = {'# MNDT-2023-0017\n': ['\n', "The IBM Personal Communications (PCOMM) application 13.0.0 and earlier caused a user's plaintext password to be written to the `C:\\Temp\\pcsnp_init.log` file when re-connection was made through a remote desktop protocol.\n", '\n'], '## Common Weakness Enumeration\n': ['CWE-312: Cleartext Storage of Sensitive Information\n', '\n'], '## Impact\n': ['High - An attacker with low-privilege access to a host with IBM PCOMM could recover the plaintext password of another user.\n', '\n'], '## Exploitability\n': ['Low - Exploitability varies depending on the environment in which IBM PCOMM is installed. Mandiant identified this vulnerability when conducting independent security research for a client that used Citrix to connect to shared Windows Server instances. In certain environments where remote desktop is used to connect to shared hosts with IBM PCOMM installed, the exploitability is greatly increased.\n', '\n'], '## CVE Reference\n': ['CVE-2016-0321 - scope expanded\n', '\n'], '## Technical Details\n': ["While conducting independent security research, Mandiant identified a plaintext Active Directory password stored within the `C:\\Temp\\pcsnp_init.log` file. The affected host had IBM PCOMM version 13.0.0 installed and was used by multiple users who connected with Citrix. 
Upon a user connecting, disconnecting, and connecting again, the user's plaintext password was stored in the `C:\\Temp\\pcsnp_init.log` file.\n", '\n'], '## Discovery Credits\n': ['- Adin Drabkin, Mandiant\n', '- Matthew Rotlevi, Mandiant\n', '\n'], '## Disclosure Timeline\n': ['- 2023-09-26 - Issue reported to the vendor.\n', '- 2023-11-03 - The vendor updated the security bulletin for CVE-2016-0321 to include all known affected and fixed versions.\n', '\n'], '## References\n': ['- [IBM Security Bulletin](https://www.ibm.com/support/pages/security-bulletin-ibm-personal-communications-could-allow-remote-user-obtain-sensitive-information-including-user-passwords-allowing-unauthorized-access-cve-2016-0321)\n', '- [IBM Personal Communications](https://www.ibm.com/support/pages/ibm-personal-communications)\n', '- [Mitre CVE-2016-0321](https://www.cve.org/CVERecord?id=CVE-2016-0321)\n']} - with open(os.path.join(TEST_DATA, "fireeye_test3.md"), encoding='utf-8-sig') as f: + expected_output = { + "# MNDT-2023-0017\n": [ + "\n", + "The IBM Personal Communications (PCOMM) application 13.0.0 and earlier caused a user's plaintext password to be written to the `C:\\Temp\\pcsnp_init.log` file when re-connection was made through a remote desktop protocol.\n", + "\n", + ], + "## Common Weakness Enumeration\n": [ + "CWE-312: Cleartext Storage of Sensitive Information\n", + "\n", + ], + "## Impact\n": [ + "High - An attacker with low-privilege access to a host with IBM PCOMM could recover the plaintext password of another user.\n", + "\n", + ], + "## Exploitability\n": [ + "Low - Exploitability varies depending on the environment in which IBM PCOMM is installed. Mandiant identified this vulnerability when conducting independent security research for a client that used Citrix to connect to shared Windows Server instances. 
In certain environments where remote desktop is used to connect to shared hosts with IBM PCOMM installed, the exploitability is greatly increased.\n", + "\n", + ], + "## CVE Reference\n": ["CVE-2016-0321 - scope expanded\n", "\n"], + "## Technical Details\n": [ + "While conducting independent security research, Mandiant identified a plaintext Active Directory password stored within the `C:\\Temp\\pcsnp_init.log` file. The affected host had IBM PCOMM version 13.0.0 installed and was used by multiple users who connected with Citrix. Upon a user connecting, disconnecting, and connecting again, the user's plaintext password was stored in the `C:\\Temp\\pcsnp_init.log` file.\n", + "\n", + ], + "## Discovery Credits\n": [ + "- Adin Drabkin, Mandiant\n", + "- Matthew Rotlevi, Mandiant\n", + "\n", + ], + "## Disclosure Timeline\n": [ + "- 2023-09-26 - Issue reported to the vendor.\n", + "- 2023-11-03 - The vendor updated the security bulletin for CVE-2016-0321 to include all known affected and fixed versions.\n", + "\n", + ], + "## References\n": [ + "- [IBM Security Bulletin](https://www.ibm.com/support/pages/security-bulletin-ibm-personal-communications-could-allow-remote-user-obtain-sensitive-information-including-user-passwords-allowing-unauthorized-access-cve-2016-0321)\n", + "- [IBM Personal Communications](https://www.ibm.com/support/pages/ibm-personal-communications)\n", + "- [Mitre CVE-2016-0321](https://www.cve.org/CVERecord?id=CVE-2016-0321)\n", + ], + } + with open(os.path.join(TEST_DATA, "fireeye_test3.md"), encoding="utf-8-sig") as f: md_list = f.readlines() md_dict = md_list_to_dict(md_list) assert md_dict == expected_output -