CVE-2015-5970 ZCM ZENworks ChangePassword XPath Injection Information Disclosure Vulnerability

  • 7017240
  • 09-Feb-2016
  • 13-Jul-2016

Environment

Novell ZENworks Configuration Management 11.4
Novell ZENworks Configuration Management 11.3

Situation

This vulnerability allows remote attackers to exfiltrate arbitrary text files from vulnerable installations of Novell ZENworks. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the ChangePassword RPC method. By providing a malformed query, an attacker can combine a system entity reference with an XPath injection vulnerability to exfiltrate arbitrary text files from the system.

This issue was found and reported by 'cpnrodzc7', working with HP's Zero Day Initiative (ZDI-16-167, CVE-2015-5970):
http://www.zerodayinitiative.com/advisories/ZDI-16-167/
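The advisory names two weaknesses that chain together: an XML parser that resolves a SYSTEM entity reference, and caller-supplied text spliced into an XPath expression. The following is an added example of how a request handler closes both (it is not ZENworks code; the user-store layout, element names and the findUser helper are hypothetical): the parser refuses any DOCTYPE outright, and the lookup binds the supplied name as an XPath variable instead of concatenating it into the query.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class SafeUserLookup {
    // Parser that refuses any DOCTYPE, so a SYSTEM entity in a request body
    // is never declared, let alone resolved against the local file system.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }
    // Injectable pattern, shown only for contrast and never executed here:
    //   xpath.evaluate("//user[@name='" + userName + "']", users, ...)
    // Safe form: the name is bound to $name and compared as data, not query text.
    static Node findUser(Document users, String userName) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(
                qn -> "name".equals(qn.getLocalPart()) ? userName : null);
        return (Node) xpath.evaluate("//user[@name=$name]", users, XPathConstants.NODE);
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample user store; hypothetical, not ZENworks' own format.
        String store = "<users><user name=\"alice\"/><user name=\"o'brien\"/></users>";
        Document users = hardenedBuilder().parse(new InputSource(new StringReader(store)));
        System.out.println("alice found:   " + (findUser(users, "alice") != null));
        // A quote in the value would break a concatenated query; as a bound variable it is just data.
        System.out.println("o'brien found: " + (findUser(users, "o'brien") != null));
        // Any request body carrying a DOCTYPE is rejected before parsing continues.
        try {
            hardenedBuilder().parse(new InputSource(new StringReader("<!DOCTYPE r><r/>")));
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```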

Resolution

Micro Focus has released a patch to address this vulnerability. The patches are for ZCM 11.4.x (11.4.1, 11.4.0) and 11.3.x, and they can be obtained from the Micro Focus Support Patch Finder or directly from the URLs below:


Note that ZCM 11.4.2 already includes this patch, so this is no longer an issue on that version or higher.