search menu icon-carat-right cmu-wordmark

CERT Coordination Center

BMC Track-It! contains multiple vulnerabilities

Vulnerability Note VU#121036

Original Release Date: 2014-10-07 | Last Revised: 2014-10-27

Overview

BMC Track-It! version 11.3.0.355 contains multiple vulnerabilities

Description

CWE-306: Missing Authentication for Critical Function - CVE-2014-4872

BMC Track-It! exposes several dangerous remote .NET services on port 9010 without authentication. .NET remoting allows a user to invoke methods remotely and retrieve their result. The exposed service FileStorageService allows for arbitrary file upload and code execution. The exposed service ConfigurationService allows for retrieval of configuration files which contain both application and domain credentials.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2014-4873
An authenticated user can engage in blind SQL Injection by entering comparison operators in the POST string for the /TrackItWeb/Grid/GetData page.

CWE-264: Permissions, Privileges, and Access Controls - CVE-2014-4874
A remote authenticated user can download arbitrary files on the /TrackItWeb/Attachment page.

The vendor, BMC, has issued the following statement:

BMC has issued an advisory to all Track-IT customers with the details of the disclosed vulnerabilities and the availability of hotfixes.
Resolved issues:

    • CWE-89: SQL Injection - CVE-2014-4873
    • Hotfix available
    • See Article ID TIA07454 on Numara support site
    • CWE-264: Arbitrary file download - CVE-2014-4874
    • Hotfix available
    • See Article ID TIA07453 on Numara support site
Resolutions under development:
    • CWE-306: Improper Authentication for .NET services - CVE-2014-4872
    • Until hotfixes are available we recommend that you block all communications from untrusted networks to TCP/UDP ports 9010 to 9020. This will also block SelfService and trackitweb from being used from external networks.
    • See Articles TIA07456, TIA07457. And TIA07455 for current status
If you have any questions regarding this security notification, please contact Track-It! Support by opening a case at: https://support.numarasoftware.com/

The CVSS score reflects CVE-2014-4872.

Impact

A remote unauthenticated attacker may be able to upload and download arbitrary files and execute arbitrary code.

Solution

Apply an Update
BMC has issued several hotfixes and recommendations to mitigate these vulnerabilities. Please see the statement above for details.

Use a Firewall
Using a firewall to block inbound requests to port 9010 will prevent access to the vulnerable methods, although it may interfere with normal program operation.

Vendor Information

121036
 
Affected   Unknown   Unaffected

BMC Software

Notified:  August 21, 2014 Updated:  October 27, 2014

Status

  Affected

Vendor Statement

BMC has issued an advisory to all Track-IT customers with the details of the disclosed vulnerabilities and the availability of hotfixes.

Resolved issues:

    • CWE-89: SQL Injection - CVE-2014-4873
    • Hotfix available
    • See Article ID TIA07454 on Numara support site
    • CWE-264: Arbitrary file download - CVE-2014-4874
    • Hotfix available
    • See Article ID TIA07453 on Numara support site
Resolutions under development:
    • CWE-306: Improper Authentication for .NET services - CVE-2014-4872
    • Until hotfixes are available we recommend that you block all communications from untrusted networks to TCP/UDP ports 9010 to 9020. This will also block SelfService and trackitweb from being used from external networks.
    • See Articles TIA07456, TIA07457. And TIA07455 for current status
If you have any questions regarding this security notification, please contact Track-It! Support by opening a case at: https://support.numarasoftware.com/

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 8.1 E:F/RL:W/RC:UC
Environmental 6.1 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security for reporting this vulnerability.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2014-4872, CVE-2014-4873, CVE-2014-4874
Date Public: 2014-10-07
Date First Published: 2014-10-07
Date Last Updated: 2014-10-27 19:31 UTC
Document Revision: 20

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.