Results of an application pen-test - need to close holes

2012-10-07 Thread Dan Miller
Hi forum,

I hope you can help, and I am sorry in advance for the long post, but I am 
trying to get all this into one post, hoping that someone has gone through this 
exercise before.  So basically, we had an application pen-test before releasing 
our remedy platform to the public internet.  We got 7 things that we need to 
fix, some of them before we can go live, others that can wait a while.

Summary:

1.  Privilege Escalation
2.  Improper Error Handling
3.  No session time out
4.  Concurrent User Sessions
5.  Forced Browsing
6.  Autocomplete feature
7.  Banner Grabbing

Below I have described them a little more with description, recommendation, but 
also the problem I have in getting them implemented.  We are 18 months into our 
first ever Remedy journey, so security is something we have not really 
considered.

Can you please help?


1. Privilege Escalation

Description:
Privilege escalation in the Remedy application allows a user to gain elevated 
access to resources that are meant for a privileged user.  It was observed that in 
Remedy a user can view / read other users’ Service catalogue and preference 
details.  The privilege values should be checked from the database and not be 
stored in a client side cookie.
Vulnerable URLs:

https:///arsys/forms//SRS%3ACFGApplicationPreferences/Dialog+Console/?cacheid=aeabdc61&format=html
https:// /arsys/forms//SRS%3AServiceRequestConsole/enduser/?cacheid=1bc6c61&format=html
https:// /arsys/atrium/ServiceCatalog.swf

This means the user can get more rights than they are entitled to. In this 
case a test user was able to see other users’ preferences; this may need to go 
back to BMC if T&T are unable to resolve it, as it may be an application fault. 
The recommended fix is to enable server side authentication and not client side, 
which is currently in place.

Recommendation:
-
It is strongly recommended to check the privilege values from the database 
before granting access to secured resources/applications.

Problem:

How do I even start with this one….  Is there something I am not doing in terms 
of application lock down?  Is it something to do with object-list within 
mid-tier so URLs can be directly browsed to?


2. Improper Error Handling

Description:
If a web application encounters an error condition it may need to display an 
appropriate error message. Sometimes these messages can be detailed enough to 
give away crucial information about the application. This information may 
include database schema/table names, user names, platform specific information 
etc. Applications giving out detailed error messages run the risk of exposing 
crucial information which can be used later to launch further attacks.

Our Remedy installation seems to have been configured in an insecure way. 
Whenever the application encounters any kind of error condition (such as failed 
execution of an SQL query), an error message for the failed SQL operation is 
sent back to the user’s browser.

Example typical error: 
   “The SQL database operation failed. : The data types text and varchar are 
incompatible in the equal to operator. (SQL Server 402) (ARERR 552)”

Recommendation:

In a live environment, application error messages should be kept as short as 
possible. Hence it is advisable that the error messages emanating from certain 
scripts be restricted. Only custom HTTP error messages should be displayed 
instead of the detailed ones.

Problem:

Again, not sure what to do here.  I have not enabled anything special as far as 
I can see.  I think we did set something to make the error appear in the bar 
rather than popping up, but other than that, can I disable error messages 
altogether for user-level remedy users?



3. No session time out 
Description:

This means the application session will never time out; in the case where a 
user was using a shared PC a session could be hijacked or stolen. 

Recommendation:

Session timeout should be enabled. For a web-facing system the session timeout 
should be 20/30 minutes, to protect customers.  

Problem:

I am pretty sure this is a setting on a user by user basis.  Is there a way to 
globally push a new timeout setting to all of the currently configured users?  
There is a session timeout in mid-tier but I don’t think that actually logs 
people out of remedy…



4. Concurrent User Sessions
Description:

Concurrent login sessions allow multiple users to log into the application 
using a single user ID.  This makes it difficult for the web application to 
maintain traceability of user activity.  If concurrent sessions are allowed, 
there is a possibility that users may access the same account in parallel and a 
legitimate user might not be able to identify that his a
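
A post-remediation check, added here as an example and not part of Dan's post or of BMC's software: it runs findings 2 (verbose ARERR/SQL errors), 6 (autocomplete on the password field) and 7 (version string in the Server banner) against constructed sample HTTP responses. It assumes header names have been lowercased and that the body is the raw text/HTML the Mid Tier returned.

```python
import re

# Patterns modelled on the ARERR/SQL message quoted in finding 2 (constructed regexes)
VERBOSE_ERROR_PATTERNS = [
    re.compile(r"The SQL database operation failed", re.I),
    re.compile(r"\(ARERR \d+\)"),
    re.compile(r"\(SQL Server \d+\)"),
]
# A Server header carrying a version string (e.g. "Apache-Coyote/1.1") is what
# finding 7 reports; a bare product name is treated as acceptable here
VERSION_IN_BANNER = re.compile(r"/\d|\d+\.\d+")
PASSWORD_INPUT = re.compile(r"<input[^>]*type=[\"']?password[^>]*>", re.I)
AUTOCOMPLETE_OFF = re.compile(r"autocomplete=[\"']?off", re.I)
FORM_AUTOCOMPLETE_OFF = re.compile(r"<form[^>]*autocomplete=[\"']?off", re.I)

def check_response(headers, body):
    """Return the finding names one response triggers; headers are lowercased (assumption)."""
    findings = []
    if any(p.search(body) for p in VERBOSE_ERROR_PATTERNS):
        findings.append("improper_error_handling")        # finding 2
    if VERSION_IN_BANNER.search(headers.get("server", "")):
        findings.append("banner_grabbing")                # finding 7
    if not FORM_AUTOCOMPLETE_OFF.search(body):
        for tag in PASSWORD_INPUT.finditer(body):
            if not AUTOCOMPLETE_OFF.search(tag.group(0)):
                findings.append("autocomplete_enabled")   # finding 6
                break
    return findings

# Constructed sample responses; the first body is the error the pen-test report quoted
SAMPLE_RESPONSES = [
    {"name": "sql_error", "headers": {"server": "Apache-Coyote/1.1"},
     "body": "The SQL database operation failed. : The data types text and varchar "
             "are incompatible in the equal to operator. (SQL Server 402) (ARERR 552)"},
    {"name": "login_form", "headers": {"server": "Apache"},
     "body": '<form><input type="text" name="username">'
             '<input type="password" name="pwd"></form>'},
    {"name": "hardened_login", "headers": {"server": "Apache"},
     "body": '<form autocomplete="off"><input type="password" name="pwd"></form>'},
]

def scan(responses):
    """Map each sample response name to the findings it still exhibits."""
    return {r["name"]: check_response(r["headers"], r["body"]) for r in responses}

if __name__ == "__main__":
    for name, found in scan(SAMPLE_RESPONSES).items():
        print(f"{name}: {found or 'clean'}")
```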

Task Templates & Task Group Templates

2012-10-07 Thread Simon Ellis
I have created a series of Task Group Templates and within them a series of 
Task Templates within our DEV environment.  I want to export the task templates 
and task group templates out of the application and into our Test/Staging & 
Prod environments.  I search for and export task templates and task group 
templates into separate .arx files.  When I import them into our Test 
environment, the association between the task template and task group templates 
has gone.  Is there another form from which I need to export the data so that 
when I re-import all the data into another environment the association is 
intact and I don't need to re-associate the task templates within the relevant 
task group templates?

___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug12 www.wwrug12.com ARSList: "Where the Answers Are"


Results of an application pen-test - need to close holes

2012-10-07 Thread John Baker

Dan,

Without wishing to repeat John's feedback, much of what was highlighted 
needs to be tackled by BMC. However, there are a few items that puzzled me.


3. No session time out

The Mid Tier runs on a Java web server with the standard servlet engine 
session timeout, so there is a timeout on sessions. It's set in the Mid 
Tier configuration and is not per user, but Mid Tier instance wide. I 
suspect it was set to a high value and hence the pen testers concluded 
it wasn't set.


6. Auto-complete feature

I wasn't aware that the username/password is being stored in a cookie. 
Did they tell you which one?



John
--
SSO Plugin for BMC ITSM, Dashboards, Analytics.
http://www.javasystemsolutions.com/jss/ssoplugin


Re: ADV: Re: [arslist] Results of an application pen-test - need to close holes

2012-10-07 Thread Dan Miller
Hi John

Are you going to be at WWRUG this year?


Re: Remedy ITSM 7.6.04 SP4

2012-10-07 Thread Simon Ellis
Are there any release notes for SP4?

-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of strauss
Sent: Saturday, 6 October 2012 7:57 a.m.
To: arslist@ARSLIST.ORG
Subject: Re: Remedy ITSM 7.6.04 SP4

I only put it on my sample data VM-based system; there weren't any installation 
issues other than Atrium and ITSM took a LONG time to run, but they are very 
minimal VMs.  It did not solve our problems with RKM search results not 
displaying in Safari, so we may or may not bother loading it further (ARS is on 
Sp3 but apps on Sp1 on our production system).  I am busy looking at 8.0 and 
several competing products, instead.

BTW, 8.0 solves the RKM results list problem in Safari, but the next step - 
opening the KB article from the link - fails in Safari (you get a mostly blank 
gray screen).  In other browsers, any graphics in the KB article load 
incompletely - at random - so they have issues with pulling all of the 
components of an article out of the db and displaying them together.

I still want to hear if anyone has successfully run any of the 8.0.00 Patch 1 
installers against an ITSM Suite 8.0 Preconfigured Stack install. The stack 
install, BTW, the first one I have ever tried, ran fine once we had met all of 
the myriad requirements for it.

Christopher Strauss, Ph.D.
Call Tracking Administration Manager
University of North Texas Computing & IT Center
http://itsm.unt.edu/

-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Sanford, Claire
Sent: Friday, October 05, 2012 12:42 PM
To: arslist@ARSLIST.ORG
Subject: Remedy ITSM 7.6.04 SP4

Has anyone loaded it yet?  Does it fix anything specific for you?  Break 
anything?  Speed things up?  Slow them down?

We are about to look at it on our Dev server and wanted to know if anyone 
encountered any "gotchas"

Thank you!


ITSM 7.6.04 SP2
ARS 7.6.04 SP3
Oracle 11.2.0.3.0 - 64bit Production
Win 2008 Server

Claire Sanford
Information Systems Division
Memorial Hermann Healthcare System
claire.sanf...@memorialhermann.org 


WWRUG ADV: Demos of New Data Pump product releases for BMC Atrium CMDB

2012-10-07 Thread Emily Melone
Hi - I wanted to drop you a short note on Seamless' new DATA PUMP
product releases for BMC Atrium CMDB.

1. Microsoft *SCCM 2012* to BMC Atrium CMDB
2. Active Directory (*AD*) to BMC Atrium CMDB
3. Symantec *Alteris* to BMC Atrium CMDB
4. HP *uCMDB to BMC Atrium CMDB* & vice versa
5. Nlyte to BMC Atrium CMDB
6. Seamless DATA PUMP based CMDB data normalization
7. HP Server Automation and HP Network Automation to Atrium CMDB
8. Customer data/ *Remedy foundation data loader* to BMC Remedy
Works with BMC SaaS models too!

*Compress TIME - Pre-mapped for endpoint pairs - configurable GUI,
Multithreaded, high-speed, 15-Minute time to value, encrypted data, SaaS
compatible

*Save LABOR - pre-packaged CMDB build services enable mature CMDB builds

*Remove CMDB defects - Seamless 24x7 support removes CMDB errors - null
values, broken links, unlinked model areas, troubleshooting of data
integration, performance, etc.

*VALUE - Synchronize service models across products and manufacturers;
load assets/relationships, normalize (any cmdb data) software inventory,
mine MDRs, capture Real/Time data center capacity information for
provisioning in Cloud Lifecycle Management using Remedy SRM/CMDB

*Licensing = capex or opex models/cloud or premise based

*100% compatible with Discovery tools - BMC ADDM, IBM TADDM, HP DDM, EMC
ADM

See you at WWRUG! Demo anytime!

Seamless Technologies
www.seamlessti.com/products.html
sa...@seamlessti.com



Re: ADV: Re: [arslist] Results of an application pen-test - need to close holes

2012-10-07 Thread Dave Shellman
Dan,

Which John are you asking?

I know one that has replied on this thread is registered.  Another that replied 
is not, at least yet.

Dave
WWRUG12 Office Manager

On Oct 7, 2012, at 5:40 PM, "Dan Miller"  wrote:

> Hi John
> 
> Are you going to be at WWRUG this year?
> 

Re: Remedy ITSM 7.6.04 SP4

2012-10-07 Thread Matt Reinfeldt
Simon,

All the notes are online:
https://docs.bmc.com/docs/display/public/ars7604/Home

Enjoy!

-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:arslist@ARSLIST.ORG] On Behalf Of Simon Ellis
Sent: Sunday, October 07, 2012 4:41 PM
To: arslist@ARSLIST.ORG
Subject: Re: Remedy ITSM 7.6.04 SP4

Are there any release notes for SP4?



Re: ADV: Re: [arslist] Results of an application pen-test - need to close holes

2012-10-07 Thread John Sundberg
Dan,

I will be at WWRUG - I hope you are too.

To me - this is one of the great things of WWRUG - to share real life
stories...

Dan - if you are going - please find me -- we can chat about experiences -
and then you can help guide your company/team towards the solution that is
right for them.


-John



On Sun, Oct 7, 2012 at 4:40 PM, Dan Miller  wrote:

> Hi John
>
> Are you going to be at WWRUG this year?
>
>



-- 

*John Sundberg*
Kinetic Data, Inc.
"Your Business. Your Process."
*WWRUG10 Best Customer Service/Support Award*
*WWRUG09 Innovator of the Year Award*
651-556-0930 I john.sundb...@kineticdata.com
 www.kineticdata.com I community.kineticdata.com


Re: Task Templates & Task Group Templates

2012-10-07 Thread patchsk
You have not mentioned which version of Remedy you are using.
In the recent versions (7.5 and above) there is a Data Management Tool 
provided with spreadsheet templates.
You need to export your existing templates into a spreadsheet and then copy 
them into the BMC spreadsheet template.
Then you can use the Data Management Tool shipped out of the box to import 
those into another server.
See here for more information:
https://communities.bmc.com/communities/docs/DOC-8797
Using the DMT tool is better because it does several validations for errors 
before you can even import.


Re: Results of an application pen-test - need to close holes

2012-10-07 Thread patchsk
Without fully knowing your actual purpose in giving Remedy access to the 
public internet: if Remedy cannot provide all the security features that 
your company needs for the public internet, then can't you have an in-house 
developed web application with only the subset of features that public 
internet users need, and then integrate with Remedy from the back end?
And for internal company usage I do not think you need all the security 
restrictions that you need for the public internet.
Apart from the above, the following are my 2 cents on your bullets.

2. Improper Error Handling 

I know we cannot handle each and every error in the manner we want without 
the vendor's (BMC) support. 
But if you are running any specific scripts or programs from Remedy 
workflow and you want to handle those errors, you can do that from Remedy 
version 7.x and above.
They introduced an error handler event type where you can specify another 
piece of workflow to fire on error, which can show your custom message instead 
of the Remedy message.


3. No session time out.
There are timeouts specified at the midtier level and at the Remedy 
arserver level.
You may have to refer to the configuration guide for further details.
They are system wide, not on a user by user basis.
I do not know if Remedy removes just my license or actually times out my 
session, but after the timeout on the web, if I need to access the consoles 
or requests it forces me to relogin again.


4. Concurrent User Sessions.

You can have concurrent user sessions only if you are an admin or read 
restrict user.
You can stop giving the readrestrict license to users if you do not want them 
to login from several IPs.
All other users are allowed only one active session from one IP address.
If the user tries to login from another server then Remedy pops up a 
message.
Also you can write some custom workflow to store the user's last login 
details in some Remedy form and display them on your consoles.
