Bug 627502 (CVE-2017-5244) - net-analyzer/metasploit: Lack of CSRF protection for stopping tasks in Metasploit Pro, Express, and Community editions (FIXED) (CVE-2017-5244)
Summary: net-analyzer/metasploit: Lack of CSRF protection for stopping tasks in Metasp...
Status: RESOLVED INVALID
Alias: CVE-2017-5244
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: ~4 [ebuild]
Keywords:
Depends on:
Blocks: 620308
Reported: 2017-08-11 00:52 UTC by D'juan McDonald (domhnall)
Modified: 2017-09-01 23:19 UTC (History)
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description D'juan McDonald (domhnall) 2017-08-11 00:52:03 UTC
From $URL:

Versions of Metasploit Pro, Express, and Community editions before 4.14.0 (Update 2017061301) are vulnerable to CVE-2017-5244, regardless of operating system.


Remediation
We strongly encourage Metasploit users to update their instances to the latest version (Metasploit 4.14.0 (Update 2017061301) or above). You can find detailed update steps here. Release notes and offline installers are available here.

Disclosure Timeline
Sat, May 27, 2017: Vulnerability reported to Rapid7 by Mohamed A. Baset
Tue, May 30, 2017: Vulnerability confirmed by Rapid7
Fri, June 9, 2017: Vulnerability fixed by Rapid7
Sun, June 11, 2017: Rapid7 assigned CVE-2017-5244 to this vulnerability
Wed, June 14, 2017: Rapid7 released patch; public disclosure
Wed, June 14, 2017: Rapid7 reported vulnerability to MITRE
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-11 02:55:58 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

Since this is now a security matter we are taking care of bug 620308 from here.

Thanks,

Gentoo Security Padawan
ChrisADR
Comment 2 Anton Bolshakov 2017-08-11 03:28:40 UTC
Gentoo does not provide the web UI and is likely not affected by this vulnerability.
Feel free to double check that.
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-11 03:49:11 UTC
(In reply to Anton Bolshakov from comment #2)
> Gentoo does not provide web ui and likely not affected by this vulnerability.
> Feel free to double check that.

Hi Anton,

Besides the fact that Gentoo doesn't provide a web ui for Metasploit, the original report from Rapid7 says that the problem is that GET requests don't go through normal Rails anti-CSRF verification. 

There is more than one way to send a GET request to a service, like curl for example. Which means that this could possibly affect versions prior to 4.14.0 (Update 2017061301).

We are just reporting the issue, but if the maintainer considers that this issue doesn't affect Gentoo in any way he can change the Status at any time.

Thanks,

Gentoo Security Padawan
ChrisADR
Comment 4 Anton Bolshakov 2017-08-13 00:04:39 UTC
(In reply to Christopher Díaz from comment #3)

> There is more than one way to send a GET request to a service, like curl for
> example. Which means that this could possibly affect versions prior to
> 4.14.0 (Update 2017061301).

My point is that vulnerable files are not installed and there are no "stop and stop_all (task) routes" as per report. So there is nothing to exploit (using curl or not).

However, it is time to bump msf anyway.
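Added example (not from this bug, from Rapid7's advisory, or from Metasploit's own code) illustrating the two points raised in comments 3 and 4: Rails' protect_from_forgery only compares the authenticity token on non-GET/HEAD requests, so a state-changing action that answers GET is never checked; and a route that is not installed at all answers 404 whatever method is used, so there is nothing for curl to hit. The TaskApp class, its /tasks/stop_all and /tasks/:id/stop routes and the task data are constructed for illustration; ForgeryCheck is a small model of the Rails rule, not Rails itself.

```ruby
require 'securerandom'

# Mirrors the rule Rails' protect_from_forgery applies: the authenticity
# token is only compared for non-GET/HEAD requests, because GET is assumed
# to be safe. A state-changing action reachable by GET is therefore never
# checked. (Model of the rule, not Rails' code.)
module ForgeryCheck
  def self.verified?(method, session_token, submitted_token)
    return true if %w[GET HEAD].include?(method)
    !session_token.nil? && session_token == submitted_token
  end
end

# Toy task service with hypothetical stop / stop_all routes (names chosen
# for illustration; not Metasploit Pro's routing table).
class TaskApp
  attr_reader :tasks, :log

  def initialize(task_ids)
    @tasks = task_ids.to_h { |id| [id, :running] } # constructed sample tasks
    @log = []
  end

  # Vulnerable layout: the stop routes answer GET. Hardened layout: they
  # only exist on POST, so the forgery check above covers them.
  def routes(hardened)
    stop_method = hardened ? 'POST' : 'GET'
    [
      [stop_method, %r{\A/tasks/stop_all\z},   ->(_) { stop_all }],
      [stop_method, %r{\A/tasks/(\d+)/stop\z}, ->(m) { stop(m[1]) }],
      ['GET',       %r{\A/tasks/(\d+)\z},      ->(m) { @tasks[m[1]] }]
    ]
  end

  # Dispatch one request. session_token is the victim's server-side token;
  # params is whatever the request carried. Returns [status, body].
  def call(method, path, session_token:, params: {}, hardened: false)
    unless ForgeryCheck.verified?(method, session_token, params['authenticity_token'])
      @log << "#{method} #{path} -> 422 (invalid authenticity token)"
      return [422, nil]
    end
    routes(hardened).each do |verb, pattern, handler|
      match = pattern.match(path)
      next unless verb == method && match
      @log << "#{method} #{path} -> 200"
      return [200, handler.call(match)]
    end
    # No such route (the Gentoo situation: the files/routes are not installed).
    @log << "#{method} #{path} -> 404 (no such route)"
    [404, nil]
  end

  private

  def stop(id)
    return nil unless @tasks.key?(id)
    @tasks[id] = :stopped
  end

  def stop_all
    @tasks.each_key { |id| @tasks[id] = :stopped }
    @tasks.size
  end
end

# A cross-site page can make the victim's browser issue the GET (for example
# via an <img src>) with the session cookie attached; the attacker never
# learns the session token, so the forged requests carry no authenticity_token.
def csrf_simulation(hardened:)
  app = TaskApp.new(%w[1 2 3])
  token = SecureRandom.hex(16)
  forged_get  = app.call('GET',  '/tasks/stop_all', session_token: token, hardened: hardened)
  forged_post = app.call('POST', '/tasks/stop_all', session_token: token, hardened: hardened)
  legit = app.call(hardened ? 'POST' : 'GET', '/tasks/1/stop',
                   session_token: token, params: { 'authenticity_token' => token },
                   hardened: hardened)
  { forged_get: forged_get[0], forged_post: forged_post[0], legit: legit[0],
    stopped: app.tasks.values.count(:stopped), log: app.log }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{csrf_simulation(hardened: false)}"
  puts "hardened:   #{csrf_simulation(hardened: true)}"
end
```

In the vulnerable layout the forged GET returns 200 and every task is stopped, while the forged POST is rejected with 422 by the token check the GET never reached. In the hardened layout the forged GET gets 404 (no GET route), the forged POST still gets 422, and only the legitimate POST carrying the session's token stops a task.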
Comment 5 D'juan McDonald (domhnall) 2017-08-20 23:28:38 UTC
@maintainer(s):

After version bump please notify security team if ready to stabilize.