CERT/CC Vulnerability Note VU#924506

Overview

The Toshiba 4690 operating system, version 6 (Release 3) and possibly earlier versions, contains an information disclosure vulnerability.

Description

CWE-200: Information Exposure - CVE-2014-4876

The Toshiba 4690 operating system, version 6 (Release 3) and possibly earlier versions, contains an information disclosure vulnerability. Sending a special string to TCP port 54138 causes system environment variables and other information to be returned to an unauthenticated client. The vendor has stated that this disclosure occurs by design as part of the support capabilities of 4690 and that:

The data being returned contains information about the current state of the 4690 OS and can be used for problem determination. The information is generally the same as that available by local 4690 APIs or from RMA, the 4690 OS system management function. It doesn't contain sensitive (PCI) information.

Impact

A remote, unauthenticated attacker is able to view potentially sensitive system information.

Solution

The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround.

Disable services

The vendor has suggested a workaround for users concerned about the information being exposed:

The user should disable the ADXSITCF logical name to the string -q. This will disable the services that connect with the network to provide this information, however it will also disable RMA system management data collection as well as prevent the use of ADXSITQL by support teams for gathering information without dumping the machine.

Vendor Information

924506

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Toshiba Commerce Solutions Affected

Notified: August 06, 2014 Updated: June 02, 2015

Statement Date: June 01, 2015

Status

Affected

Vendor Statement

Vulnerability ID: VU#301788 Vulnerability #2 Vulnerability Name: Toshiba 4690 Operating System – 4690 OS System Environmental Variables Accessible. Overview The vulnerability report stated that a string written to port 54138 "causes system environmental variables and other information to be returned to the attacker without authentication". This is by design and is part of the support capabilities of 4690. Description The data being returned contains information about the current state of the 4690 OS and can be used for problem determination. The information is generally the same as that available by local 4690 APIs or from RMA, the 4690 OS system management function. It doesn't contain sensitive (PCI) information. The fact that a string is used is a relic of a prior design of the tool that used the same port as the unix finger service. However at this point the string is used simply as a handshake. Impact Anyone on the same network could send this byte sequence receive the same data. The ADXSITQL can send additional commands to the machine to receive other data as well, such as directory listings or enhanced mode log files. File transfer of other files in either direction is not allowed. We don't consider directory listings and other environmental information to be sensitive data. There is no sensitive data places in these log files that can be collected via this mechanism. Solution The user should disable the ADXSITCF logical name to the string -q. This will disable the services that connect with the network to provide this information, however it will also disable RMA system management data collection as well as prevent the use of ADXSITQL by support teams for gathering information without dumping the machine. Please submit a support request to Toshiba Global Commerce Solutions if you have questions. Vendor Information VendorStatusDate NotifiedDate Updated Toshiba Global Commerce Solutions References · http://www.toshibacommerce.com.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.toshibacommerce.com

CVSS Metrics

Group	Score	Vector
Base	5	AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal	4.5	E:F/RL:W/RC:C
Environmental	3.4	CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to David Odell for reporting this vulnerability.

This document was written by Todd Lewellen and Joel Land.

Other Information

CVE IDs:	CVE-2014-4876
Date Public:	2015-06-08
Date First Published:	2015-06-08
Date Last Updated:	2015-06-08 13:54 UTC
Document Revision:	18

Software Engineering Institute

CERT Coordination Center

Toshiba 4690 OS contains an information disclosure vulnerability

Vulnerability Note VU#924506

Overview

Description

Impact

Solution

Vendor Information

Toshiba Commerce Solutions Affected

Status

Vendor Statement

Vendor Information

Vendor References

CVSS Metrics

References

Acknowledgements

Other Information

Contact CERT/CC