Initial Publication Date: Advisory Status: Advisory Severity: CVSS Base Score:Legacy ID
19 Mar 2014 Closed Medium CVSS v2: 6.5 SA78
The Content Analysis System (CAS) prior to v18.104.22.168 is vulnerable to a command injection attack on the commandline of the CAS administrative interface. The administrator can use command injection to gain additional privileges which could result in complete compromise of the appliance including installation of executable code.
All versions of Content Analysis System prior to version 22.214.171.124 are vulnerable.
CAS 1.1 – a fix is available in 126.96.36.199 and later.
Fixes are available to customers with a valid Blue Touch Online login.
CVE-2014-2565 (assignment pending)
The Content Analysis System (CAS) provides a commandline interface for administrative actions. This commandline interface can only be accessed by a CAS administrator. The commandline interface provides a limited set of functionality.
Some of the commandline interfaces are vulnerable to command injection attacks. Using the commandline interface, an administrator could use command injection to gain access to additional commands and to areas of the file system that are otherwise not permitted by CAS. The administrator may be able to gain root level access to the CAS appliance.
Gaining root level access could allow the attacker complete access to the entire appliance including the ability to create new users, install new executables, and read and modify data.