Use Prophaze EagleEye for Web/API Security
Overview :
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest Foglight Evolve 9.0.0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the __service__ user account. The product contains a hard-coded password for this account. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-9553.

CVE-2020-8868

 

Quest Foglight Evolve CommandLineService Use of Hard-coded Credentials Remote Code Execution Vulnerability

ZDI-20-290
ZDI-CAN-9553

CVE ID CVE-2020-8868
CVSS SCORE 9.8, (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
AFFECTED VENDORS Quest
AFFECTED PRODUCTS Foglight Evolve
VULNERABILITY DETAILS This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest Foglight Evolve. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the __service__ user account. The product contains a hard-coded password for this account. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM.

ADDITIONAL DETAILS Quest has issued an update to correct this vulnerability. More details can be found at:
https://support.quest.com/foglight/kb/315091/fms-5-9-5-hotfix-hfix-314
DISCLOSURE TIMELINE
  • 2019-12-13 – Vulnerability reported to vendor
  • 2020-03-12 – Coordinated public release of advisory
CREDIT rgod of 9sg

FMS 5.9.5 Hotfix HFIX-314 (315091)

Return

Was this article helpful?

       [Select Rating]

  • Title

    FMS 5.9.5 Hotfix HFIX-314
  • Description

    Quest Foglight CommandLineService Use of Hard-coded Credentials Remote Code Execution Vulnerability.
  • Cause

    Defect ID        Resolved Issue
    FGL-20406      Fixed issue regarding Foglight Remote Code Execution Vulnerability ZDI-CAN-9553
  • Resolution

    Resolution

    Download the hotfix file for Foglight here.

    Download the hotfix file for Foglight for Evolve here.

    Download the hotfix file for Foglight for Virtualization here.

    Download the hotfix file for Foglight for Database here.

    Download the hotfix file for Foglight for Storage here.

     

    Compatibility of this hotfix

    • Foglight Management Server                      5.9.2, 5.9.3, 5.9.4, 5.9.5 and 5.9.6       All platforms
    • Fogligh Evolve                                             9.0 and 9.1                                           All platforms
    • Foglight for Virtualization Enterprise         8.7.5, 8.8, 8.8.5, 8.9 and 8.9.1             All platforms
    • Foglight for Database                                  5.9.2, 5.9.3, 5.9.5                                All platforms
    • Foglight for Storage                                    4.5.5, 4.6, 4.6.5, 4.7 and 4.8                All platforms

    System requirements

    This hotfix can be applied to all platforms and systems that are supported from Foglight 5.9.2 to 5.9.6.

    Installing this hotfix

        1. Extract the hotfix script reset_internal_accounts_pwd.groovy from the hotfix archive
        2. For HA environment, stop all secondary nodes
        3. Run the script reset_internal_accounts_pwd.groovy using foglight adminitration acount:Option 1: Run the script from Foglight UI (User Interface)

      Navigate to Script Editor (Administration > Tooling > Script Console > Scripts tab):

      1.                Click the “Add” button
                     Paste in the script in the Script box and click Run. Note that it may take some time to complete.
      1. Option 2: Run the script from Foglight Command Line:
                     Make a remote connection to Foglight Management Server, then copy and and paste the script file into the %FMS_HOME\bin directory and type the following:

    Windows: %FMS_HOME\bin\fglcmd.bat -usr foglight -pwd -cmd script:run -f %FMS_HOME\reset_internal_accounts_pwd.groovy Linux: %FMS_HOME/bin/fglcmd.sh -usr foglight -pwd -cmd script:run -f %FMS_HOME/bin/reset_internal_accounts_pwd.groovy

    Check script output of success message:

    Password reset success for __report__
    Password reset success for __service__
    
    1. Restart FMS Server
    2. For HA environment, start all secondary nodes

    Verifying successful completion

    To determine if this hotfix is installed:

    You get success message from script output

    Removing this hotfix

    This hotfix cannot be uninstalled.