Vulnerability Note VU#217836

Wave EMBASSY Remote Administration Server SQL injection vulnerabilities

Original Release date: 12 Jul 2013 | Last revised: 29 Jul 2013

Overview

The Wave EMBASSY Remote Administration Server (ERAS) contains the ERAS Help Desk application that fails to filter user input allowing for the exploitation of SQL injection vulnerabilities. These vulnerabilities may allow a remote authenticated attacker to execute procedures or SQL queries and updates on the vulnerable database application as well as command execution on the target server.

Description

The ERAS 2.8.4 and 2.9.5 Help Desk application has been reported to contain vulnerabilities to blind SQL injection as well as command execution on the target server. The vulnerability requires that the attacker be authenticated in the application.

CWE-79 - Blind SQL Injection - CVE-2013-3577
A blind SQL injection attack may be performed against the ct100$4MainController$TextBoxSearchValue parameter or search box.

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2013-3578
A stacked query based SQL attack on the ct100$4MainController$TextBoxSearchValue parameter or search box allows for a remote authenticated attacker to execute commands on the server.

Impact

A remote attacker may be able to execute SQL queries on a server, possibly with elevated privileges. As a result, attackers may be able to view or modify the contents of the database. Additionally, an attacker may be able to execute operating system commands on the server, potentially allowing them to gain control of the server itself.

Solution

Apply an Update
Additional input validation checks were implemented in ERAS 2.9.5 Service packs 1 and 2 to fix these vulnerabilities. All users with ERAS deployments should upgrade on Wave's support website. Users will also receive a notice from Wave with links to the patch.

Affected Versions

  • ERAS 2.8.4 Help Desk
  • ERAS 2.9.5 Help Desk

    Please consider the following workarounds if you are unable to upgrade.

  • User Management
    This vulnerability requires authentication to exploit. Enforce strong user permissions to minimize the attack surface.

    Vendor Information (Learn More)

    VendorStatusDate NotifiedDate Updated
    WaveAffected14 May 201318 Jul 2013
    If you are a vendor and your product is affected, let us know.

    CVSS Metrics (Learn More)

    Group Score Vector
    Base 7.7 AV:A/AC:L/Au:S/C:C/I:C/A:C
    Temporal 6.0 E:POC/RL:OF/RC:C
    Environmental 1.8 CDP:LM/TD:L/CR:ND/IR:ND/AR:ND

    References

    Credit

    Thanks to Simone Cecchini from Verizon Enterprise Solutions (GCIS Threat and Vulnerability Management) for discovering this vulnerability. Also, thanks to Thierry Zoller from Verizon Enterprise Solutions for reporting this vulnerability.

    This document was written by Chris King.

    Other Information

    • CVE IDs: CVE-2013-3577 CVE-2013-3578
    • Date Public: 12 Jul 2013
    • Date First Published: 12 Jul 2013
    • Date Last Updated: 29 Jul 2013
    • Document Revision: 23

    Feedback

    If you have feedback, comments, or additional information about this vulnerability, please send us email.