search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Wave EMBASSY Remote Administration Server SQL injection vulnerabilities

Vulnerability Note VU#217836

Original Release Date: 2013-07-12 | Last Revised: 2014-07-30

Overview

The Wave EMBASSY Remote Administration Server (ERAS) contains the ERAS Help Desk application that fails to filter user input allowing for the exploitation of SQL injection vulnerabilities. These vulnerabilities may allow a remote authenticated attacker to execute procedures or SQL queries and updates on the vulnerable database application as well as command execution on the target server.

Description

The ERAS 2.8.4 and 2.9.5 Help Desk application has been reported to contain vulnerabilities to blind SQL injection as well as command execution on the target server. The vulnerability requires that the attacker be authenticated in the application.

CWE-79 - Blind SQL Injection - CVE-2013-3577
A blind SQL injection attack may be performed against the ct100$4MainController$TextBoxSearchValue parameter or search box.

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2013-3578
A stacked query based SQL attack on the ct100$4MainController$TextBoxSearchValue parameter or search box allows for a remote authenticated attacker to execute commands on the server.

The CVSS scores below apply to CVE-2013-3578.

Impact

A remote attacker may be able to execute SQL queries on a server, possibly with elevated privileges. As a result, attackers may be able to view or modify the contents of the database. Additionally, an attacker may be able to execute operating system commands on the server, potentially allowing them to gain control of the server itself.

Solution

Apply an Update
Additional input validation checks were implemented in ERAS 2.9.5 Service packs 1 and 2 to fix these vulnerabilities. All users with ERAS deployments should upgrade on Wave's support website. Users will also receive a notice from Wave with links to the patch.

Affected versions:

    • ERAS 2.8.4 Help Desk
    • ERAS 2.9.5 Help Desk

Please consider the following workarounds if you are unable to upgrade.

User Management
This vulnerability requires authentication to exploit. Enforce strong user permissions to minimize the attack surface.

Vendor Information

217836
 

Wave Affected

Notified:  May 14, 2013 Updated: July 18, 2013

Statement Date:   July 17, 2013

Status

Affected

Vendor Statement

Security Advisory WAVE-2013-001

Severity: Moderate

Affected products:

  ERAS 2.8.4 Helpdesk

  ERAS 2.9.5 Helpdesk

CERT Vulnerability Note: 
http://www.kb.cert.org/vuls/id/217836

Details

=====

Input validation vulnerabilities were discovered in ERAS helpdesk. A remote
authenticated privileged administrator could possibly use these vulnerabilities
to perform an SQL injection attack allowing them to directly manipulate the
contents of the ERAS database or execute arbitrary commands on the database
server. (CVE-2013-3577 CVE-2013-3578)

By design, only privileged administrators may access the ERAS Help Desk and
each enterprise manages the list of privileged administrators.  This
vulnerability can only be exploited by those privileged administrator accounts.
Enforcing strong user permissions for those accounts can help mitigate the
vulnerability by minimizing the attack surface.

Customers are advised to upgrade to ERAS 2.9.5 Service Pack 2, which resolves
these issues.

Solution

======

Additional input validation checks were implemented in ERAS 2.9.5 Service Packs
1 and 2 to fix these vulnerabilities. All customers with ERAS deployments
should upgrade to ERAS 2.9.5 SP2 which is available from
http://www.wave.com/support

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
Temporal 5.1 E:POC/RL:OF/RC:C
Environmental 1.3 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Simone Cecchini from Verizon Enterprise Solutions (GCIS Threat and Vulnerability Management) for discovering this vulnerability. Also, thanks to Thierry Zoller from Verizon Enterprise Solutions for reporting this vulnerability.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2013-3577, CVE-2013-3578
Date Public: 2013-07-12
Date First Published: 2013-07-12
Date Last Updated: 2014-07-30 05:54 UTC
Document Revision: 26

Sponsored by CISA.