CERTVU:846103Sungard eTRAKiT3 may be vulnerable to SQL injection
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.014 Low
EPSS
Percentile
86.5%
Overview
According to the reporter, the Sungard eTRAKiT3 software version 3.2.1.17 may be vulnerable to SQL injection which may allow a remote unauthenticated attacker to run a subset of SQL commands against the back-end database.
Description
CWE-89**: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) -**CVE-2016-6566
According to the reporter, the valueAsString parameter inside the JSON payload contained by the ucLogin_txtLoginId_ClientStat POST parameter is not properly validated. An unauthenticated remote attacker may be able to modify the POST request and insert a SQL query which may then be executed by the backend server. According to the reporter, eTRAKiT 3.2.1.17 was tested, but other versions may also be vulnerable.
Impact
A remote unauthenticated attacker may be able to run a subset of SQL commands against the back-end database.
Solution
Apply a patch
Sungard has provided the following statement:
SunGard Public Sector appreciates that this issue has been brought to our attention. Our development team has addressed this report with a patch release. Please contact the SunGard Public Sector TRAKiT Solutions division to request the patch release. (858) 451-3030.
However, affected users may also consider the following workaround:
Restrict access
As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent SQLi attacks since the attack comes as an SQL request from a legitimate user’s host. Restricting access would prevent an attacker from accessing a web interface using stolen credentials from a blocked network location.
Vendor Information
846103
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Sungard __ Affected
Notified: October 21, 2016 Updated: December 12, 2016
Statement Date: December 09, 2016
Status
Affected
Vendor Statement
SunGard Public Sector appreciates that this issue has been brought to our attention. Our development team has addressed this report with a patch release. Please contact the SunGard Public Sector TRAKiT Solutions division to request the patch release. (858) 451-3030.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| Temporal | 8 | E:POC/RL:U/RC:UR |
| Environmental | 6.0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
<http://www.sungardps.com/solutions/trakit/>
Acknowledgements
Thanks to Illumant for reporting this vulnerability.
This document was written by Garret Wassermann.
Other Information
| CVE IDs: | CVE-2016-6566 |
|---|---|
| Date Public: | 2016-12-06 Date First Published: |
References
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.014 Low
EPSS
Percentile
86.5%