| Summary: | net-analyzer/metasploit: Lack of CSRF protection for stopping tasks in Metasploit Pro, Express, and Community editions (FIXED) (CVE-2017-5244) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | D'juan McDonald (domhnall) <flopwiki> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | | |
| Severity: | minor | CC: | zerochaos |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://nvd.nist.gov/vuln/detail/CVE-2017-5244 | | |
| Whiteboard: | ~4 [ebuild] | | |
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | | | |
| Bug Blocks: | 620308 | | |

Description
D'juan McDonald (domhnall)
2017-08-11 00:52:03 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

Since this is now a security matter we are taking care of bug 620308 from here.

Thanks,
Gentoo Security Padawan
ChrisADR

Gentoo does not provide web ui and likely not affected by this vulnerability. Feel free to double check that.

(In reply to Anton Bolshakov from comment #2)
> Gentoo does not provide web ui and likely not affected by this vulnerability.
> Feel free to double check that.

Hi Anton,

Besides the fact that Gentoo doesn't provide a web ui for Metasploit, the original report from Rapid7 says that the problem is that GET requests don't go through normal Rails anti-CSRF verification.

There is more than one way to send a GET request to a service, like curl for example. Which means that this could possibly affect versions prior to 4.14.0 (Update 2017061301).

We are just reporting the issue, but if the maintainer considers that this issue doesn't affect Gentoo in any way he can change the Status at any time.

Thanks,
Gentoo Security Padawan
ChrisADR

The vulnerable files are not ge

(In reply to Christopher Díaz from comment #3)
> There is more than one way to send a GET request to a service, like curl for
> example. Which means that this could possibly affect versions prior to
> 4.14.0 (Update 2017061301).

My point is that vulnerable files are not installed and there are no "stop and stop_all (task) routes" as per report. So there is nothing to exploit (using curl or not).

However, it is time to bump msf anyway.

@maintainer(s): After version bump please notify security team if ready to stabilize.
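
An added example, not part of this bug thread or of Metasploit's code: since Rails' `protect_from_forgery` does not verify tokens on GET or HEAD requests, one audit for the class of issue discussed above is to list state-changing actions that are routed over GET. The route table is constructed in `rails routes` output format, and the `STATE_CHANGING` name list and the `pause` route are assumptions for illustration.

```ruby
# Flag state-changing Rails actions that are reachable over GET/HEAD,
# where protect_from_forgery performs no token verification.

# Action names treated as state-changing (assumption; tune per application).
STATE_CHANGING = /\A(stop|stop_all|create|update|destroy|delete|pause|resume)\z/
VERBS = "GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS"
VERB  = /\A(?:#{VERBS})(?:\|(?:#{VERBS}))*\z/

# Constructed sample in `rails routes` format; not Metasploit's real route table.
SAMPLE_ROUTES = <<~ROUTES
          Prefix Verb   URI Pattern                  Controller#Action
           tasks GET    /tasks(.:format)             tasks#index
       stop_task GET    /tasks/:id/stop(.:format)    tasks#stop
  stop_all_tasks GET    /tasks/stop_all(.:format)    tasks#stop_all
                 POST   /tasks(.:format)             tasks#create
            task DELETE /tasks/:id(.:format)         tasks#destroy
      pause_task        /tasks/:id/pause(.:format)   tasks#pause
ROUTES

# Parse each route line into verbs, path, controller and action.
# A route printed with an empty Verb column matches every method ("ANY").
def parse_routes(text)
  text.each_line.map do |line|
    tokens = line.split
    path_idx = tokens.index { |t| t.start_with?("/") }
    next unless path_idx && tokens[path_idx + 1].to_s.include?("#")
    verb = tokens[0...path_idx].find { |t| t.match?(VERB) }
    controller, action = tokens[path_idx + 1].split("#", 2)
    { verbs: verb ? verb.split("|") : ["ANY"], path: tokens[path_idx],
      controller: controller, action: action }
  end.compact
end

# Routes whose action changes state but accepts a verb that skips CSRF checks.
def csrf_exposed(routes)
  routes.select do |r|
    (r[:verbs] & %w[GET HEAD ANY]).any? && r[:action].match?(STATE_CHANGING)
  end
end

if __FILE__ == $PROGRAM_NAME
  csrf_exposed(parse_routes(SAMPLE_ROUTES)).each do |r|
    puts "#{r[:verbs].join('|')} #{r[:path]} -> #{r[:controller]}##{r[:action]}"
  end
end
```

An empty result for an installed application supports the "no such routes" argument made in the thread; any hit should be moved to POST/DELETE so the normal token check applies.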