OnApp – Password Reset Arbitrary File Disclosure (R911-0161)

Type: Arbitrary File Disclosure
Location: Local
Impact: High
Product: OnApp
Website: http://www.onapp.com
Vulnerable Version: All builds prior to fixed version below.
Fixed Version: 3.2.2-29
CVE: -
R911: 0161
Date: 2014-06-05
By: RACK911

Product Description:

OnApp software enables Infrastructure-as-a-Service for hosts, telcos and other service providers. With OnApp in your datacenter you can use commodity hardware to sell public & private cloud services, dedicated servers, Virtual Private Servers, CDN, DNS, storage and much more, through one fully automated control panel.

Vulnerability Description:

An arbitrary file disclosure vulnerability in the (root) Password Reset functionality of OnApp allows a malicious user to view the contents of any file on the hypervisor.

Impact:

We rate this vulnerability as HIGH because sensitive files on the hypervisor can be accessed.

Vulnerable Version:

This vulnerability is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in OnApp 3.2.2-29: https://docs.onapp.com/display/RN/3.2.2-29+Update

Vendor Contact Timeline:

2014-05-28: Vendor contacted via email.
2014-05-28: Vendor confirms vulnerability.
2014-06-04: Vendor issues updates to all builds.
2014-06-05: RACK911 issues security advisory.