ID CVE-2016-2167
Summary The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string.
References
Vulnerable Configurations
  • Apache Software Foundation Subversion 1.9.0
    cpe:2.3:a:apache:subversion:1.9.0
  • Apache Software Foundation Subversion 1.9.2
    cpe:2.3:a:apache:subversion:1.9.2
  • Apache Software Foundation Subversion 1.9.1
    cpe:2.3:a:apache:subversion:1.9.1
  • Apache Software Foundation Subversion 1.9.3
    cpe:2.3:a:apache:subversion:1.9.3
  • Apache Software Foundation Subversion 1.8.15
    cpe:2.3:a:apache:subversion:1.8.15
CVSS
Base: 4.9 (as of 06-05-2016 - 13:51)
Impact:
Exploitability:
CWE CWE-284
CAPEC
  • Embedding Scripts within Scripts
    An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: SINGLE_INSTANCE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: NONE
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-448.NASL
    description CVE-2016-2167 svnserve, the svn:// protocol server, can optionally use the Cyrus SASL library for authentication, integrity protection, and encryption. Due to a programming oversight, authentication against Cyrus SASL would permit the remote user to specify a realm string which is a prefix of the expected realm string. CVE-2016-2168 Subversion's httpd servers are vulnerable to a remotely triggerable crash in the mod_authz_svn module. The crash can occur during an authorization check for a COPY or MOVE request with a specially crafted header value. This allows remote attackers to cause a denial of service. -- James GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-07-09
    plugin id 90805
    published 2016-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90805
    title Debian DLA-448-1 : subversion security update
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201610-05.NASL
    description The remote host is affected by the vulnerability described in GLSA-201610-05 (Subversion, Serf: Multiple Vulnerabilities) Multiple vulnerabilities have been discovered in Subversion and Serf. Please review the CVE identifiers referenced below for details Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, conduct a man-in-the-middle attack, obtain sensitive information, or cause a Denial of Service Condition. Workaround : There is no known workaround at this time.
    last seen 2018-09-01
    modified 2016-10-12
    plugin id 93992
    published 2016-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93992
    title GLSA-201610-05 : Subversion, Serf: Multiple Vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3388-1.NASL
    description Joern Schneeweisz discovered that Subversion did not properly handle host names in 'svn+ssh://' URLs. A remote attacker could use this to construct a subversion repository that when accessed could run arbitrary code with the privileges of the user. (CVE-2017-9800) Daniel Shahaf and James McCoy discovered that Subversion did not properly verify realms when using Cyrus SASL authentication. A remote attacker could use this to possibly bypass intended access restrictions. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-2167) Florian Weimer discovered that Subversion clients did not properly restrict XML entity expansion when accessing http(s):// URLs. A remote attacker could use this to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-8734). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 102424
    published 2017-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102424
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : subversion vulnerabilities (USN-3388-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-20CC04AC50.NASL
    description - Update to 1.9.4 (#1331222) CVE-2016-2167 CVE-2016-2168 - Move tools in docs to tools subpackage (rhbz 1171757 1199761) - Disable make check to work around FTBFS Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2016-10-18
    plugin id 91059
    published 2016-05-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91059
    title Fedora 24 : subversion-1.9.4-1.fc24 (2016-20cc04ac50)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-570.NASL
    description This update for subversion fixes the following issues : - CVE-2016-2167: mod_authz_svn: DoS in MOVE/COPY authorization check (bsc#976849) - CVE-2016-2168: svnserve/sasl may authenticate users using the wrong realm (bsc#976850) The following non-security bugs were fixed : - bsc#969159: subversion dependencies did not enforce matching password store - bsc#911620: svnserve could not be started via YaST Service manager This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2018-09-01
    modified 2016-10-13
    plugin id 90982
    published 2016-05-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90982
    title openSUSE Security Update : subversion (openSUSE-2016-570)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_C8174B630D3A11E6B06ED43D7EED0CE2.NASL
    description Subversion project reports : svnserve, the svn:// protocol server, can optionally use the Cyrus SASL library for authentication, integrity protection, and encryption. Due to a programming oversight, authentication against Cyrus SASL would permit the remote user to specify a realm string which is a prefix of the expected realm string. Subversion's httpd servers are vulnerable to a remotely triggerable crash in the mod_authz_svn module. The crash can occur during an authorization check for a COPY or MOVE request with a specially crafted header value. This allows remote attackers to cause a denial of service.
    last seen 2018-09-01
    modified 2016-10-19
    plugin id 90780
    published 2016-04-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90780
    title FreeBSD : subversion -- multiple vulnerabilities (c8174b63-0d3a-11e6-b06e-d43d7eed0ce2)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-121-01.NASL
    description New subversion packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
    last seen 2018-09-01
    modified 2016-10-19
    plugin id 90802
    published 2016-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90802
    title Slackware 14.0 / 14.1 / current : subversion (SSA:2016-121-01)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3561.NASL
    description Several vulnerabilities were discovered in Subversion, a version control system. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2016-2167 Daniel Shahaf and James McCoy discovered that an implementation error in the authentication against the Cyrus SASL library would permit a remote user to specify a realm string which is a prefix of the expected realm string and potentially allowing a user to authenticate using the wrong realm. - CVE-2016-2168 Ivan Zhakov of VisualSVN discovered a remotely triggerable denial of service vulnerability in the mod_authz_svn module during COPY or MOVE authorization check. An authenticated remote attacker could take advantage of this flaw to cause a denial of service (Subversion server crash) via COPY or MOVE requests with specially crafted header.
    last seen 2018-09-01
    modified 2018-07-11
    plugin id 90808
    published 2016-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90808
    title Debian DSA-3561-1 : subversion - security update
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-571.NASL
    description This update for subversion fixes the following issues : - CVE-2016-2167: mod_authz_svn: DoS in MOVE/COPY authorization check (bsc#976849) - CVE-2016-2168: svnserve/sasl may authenticate users using the wrong realm (bsc#976850) The following non-security bugs were fixed : - mod_authz_svn: fix authz with mod_auth_kerb/mod_auth_ntlm (boo#977424)
    last seen 2018-09-01
    modified 2016-10-13
    plugin id 90983
    published 2016-05-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90983
    title openSUSE Security Update : subversion (openSUSE-2016-571)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-710.NASL
    description The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string. (CVE-2016-2167) The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check. (CVE-2016-2168)
    last seen 2018-09-01
    modified 2018-04-18
    plugin id 91469
    published 2016-06-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91469
    title Amazon Linux AMI : mod_dav_svn (ALAS-2016-710)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-709.NASL
    description The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string. (CVE-2016-2167) The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check. (CVE-2016-2168)
    last seen 2018-09-01
    modified 2018-04-18
    plugin id 91468
    published 2016-06-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91468
    title Amazon Linux AMI : subversion (ALAS-2016-709)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2016-0013.NASL
    description An update of [ subversion, libtasn1, unzip, dhcp ] packages for PhotonOS has been released.
    last seen 2018-09-02
    modified 2018-08-17
    plugin id 111847
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111847
    title Photon OS 1.0: Dhcp / Libtasn1 / Subversion / Unzip PHSA-2016-0013
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-E024B3E02B.NASL
    description - Update to 1.9.4 (#1331222) CVE-2016-2167 CVE-2016-2168 - Move tools in docs to tools subpackage (rhbz 1171757 1199761) - Disable make check to work around FTBFS Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2016-10-18
    plugin id 92183
    published 2016-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92183
    title Fedora 23 : subversion (2016-e024b3e02b)
refmap via4
bid 89417
confirm http://subversion.apache.org/security/CVE-2016-2167-advisory.txt
debian DSA-3561
fedora FEDORA-2016-20cc04ac50
gentoo GLSA-201610-05
mlist
  • [subversion-announce] 20160428 [ANNOUNCE][SECURITY] Apache Subversion 1.8.16 released
  • [subversion-announce] 20160428 [ANNOUNCE][SECURITY] Apache Subversion 1.9.4 released
sectrack 1035706
slackware SSA:2016-121-01
suse
  • openSUSE-SU-2016:1263
  • openSUSE-SU-2016:1264
Last major update 30-11-2016 - 22:08
Published 05-05-2016 - 14:59
Last modified 30-06-2017 - 21:29