CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
EPSS
Percentile
44.8%
The Wave EMBASSY Remote Administration Server (ERAS) contains the ERAS Help Desk application that fails to filter user input allowing for the exploitation of SQL injection vulnerabilities. These vulnerabilities may allow a remote authenticated attacker to execute procedures or SQL queries and updates on the vulnerable database application as well as command execution on the target server.
The ERAS 2.8.4 and 2.9.5 Help Desk application has been reported to contain vulnerabilities to blind SQL injection as well as command execution on the target server. The vulnerability requires that the attacker be authenticated in the application.
CWE-79 - Blind SQL Injection - CVE-2013-3577
A blind SQL injection attack may be performed against the ct100$4MainController$TextBoxSearchValue parameter or search box.
CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) - CVE-2013-3578
A stacked query based SQL attack on the ct100$4MainController$TextBoxSearchValue parameter or search box allows for a remote authenticated attacker to execute commands on the server.
The CVSS scores below apply to CVE-2013-3578.
A remote attacker may be able to execute SQL queries on a server, possibly with elevated privileges. As a result, attackers may be able to view or modify the contents of the database. Additionally, an attacker may be able to execute operating system commands on the server, potentially allowing them to gain control of the server itself.
Apply an Update
Additional input validation checks were implemented in ERAS 2.9.5 Service packs 1 and 2 to fix these vulnerabilities. All users with ERAS deployments should upgrade on Wave’s support website. Users will also receive a notice from Wave with links to the patch.
Affected versions:
* ERAS 2.8.4 Help Desk
* ERAS 2.9.5 Help Desk
User Management
This vulnerability requires authentication to exploit. Enforce strong user permissions to minimize the attack surface.
217836
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: May 14, 2013 Updated: July 18, 2013
Statement Date: July 17, 2013
Affected
Security Advisory WAVE-2013-001
`Severity: Moderate
Affected products:
ERAS 2.8.4 Helpdesk
ERAS 2.9.5 Helpdesk
CERT Vulnerability Note: <http://www.kb.cert.org/vuls/id/217836>
Details
=====
Input validation vulnerabilities were discovered in ERAS helpdesk. A remote
authenticated privileged administrator could possibly use these vulnerabilities
to perform an SQL injection attack allowing them to directly manipulate the
contents of the ERAS database or execute arbitrary commands on the database
server. (CVE-2013-3577 CVE-2013-3578)
By design, only privileged administrators may access the ERAS Help Desk and
each enterprise manages the list of privileged administrators. This
vulnerability can only be exploited by those privileged administrator accounts.
Enforcing strong user permissions for those accounts can help mitigate the
vulnerability by minimizing the attack surface.
Customers are advised to upgrade to ERAS 2.9.5 Service Pack 2, which resolves
these issues.
Solution
======
Additional input validation checks were implemented in ERAS 2.9.5 Service Packs
1 and 2 to fix these vulnerabilities. All customers with ERAS deployments
should upgrade to ERAS 2.9.5 SP2 which is available from
<http://www.wave.com/support>
`
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 6.5 | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Temporal | 5.1 | E:POC/RL:OF/RC:C |
Environmental | 1.3 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
Thanks to Simone Cecchini from Verizon Enterprise Solutions (GCIS Threat and Vulnerability Management) for discovering this vulnerability. Also, thanks to Thierry Zoller from Verizon Enterprise Solutions for reporting this vulnerability.
This document was written by Chris King.
CVE IDs: | CVE-2013-3577, CVE-2013-3578 |
---|---|
Date Public: | 2013-07-12 Date First Published: |