search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Misys FusionCapital Opics Plus contains multiple vulnerabilities

Vulnerability Note VU#682704

Original Release Date: 2016-07-19 | Last Revised: 2016-08-08

Overview

Misys FusionCapital Opics Plus is used by regional and local financial institutions to manage treasuries. FusionCapital Opics Plus contains several vulnerabilities.

Description

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2016-5653

According to the reporter, an authenticated but low privileged user may exploit a SQL Injection in the "ID" and "Branch" parameters of a search and enumerate the full database.

CWE-280: Improper Handling of Insufficient Permissions or Privileges - CVE-2016-5654

According to the reporter, a remote authenticated attacker able to execute a man-in-the-middle attack may be able to tamper with the "xmlMessageOut" parameter of a client POST request to escalate privileges to administrator.

CWE-295: Improper Certificate Validation - CVE-2016-5655

According to the reporter, a remote unauthenticated attacker able to execute a man-in-the-middle attack may be able to present an alternate SSL certificate and therefore decrypt all traffic between the client and FusionCapital Opics Plus server.

Misys has responded to these issues with the following statement:

Misys has analysed the reported vulnerabilities and determined that they could
relate to a specific older version, but not for all versions, of one of our
applications, with the matter being rectified with a user configuration change
or non-emergency software patch.  In short, we identified that the sql
injection vulnerability is true positive and the other two reported
vulnerabilities are misconfigurations.  For more information, our Opics clients
are being directed to contact their Misys Customer Advocate.

Impact

An authenticated attacker may be able escalate privileges to administrator, or perform full searches on the database. An unauthenticated attacker may be able decrypt SSL traffic between the client and server.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks. Consult your firewall product's manual for more information.

Vendor Information

682704
Expand all

Misys

Notified:  April 26, 2016 Updated:  July 29, 2016

Statement Date:   July 27, 2016

Status

  Affected

Vendor Statement

Misys has analysed the reported vulnerabilities and determined that they could
relate to a specific older version, but not for all versions, of one of our
applications, with the matter being rectified with a user configuration change
or non-emergency software patch.  In short, we identified that the sql
injection vulnerability is true positive and the other two reported
vulnerabilities are misconfigurations.  For more information, our Opics clients
are being directed to contact their Misys Customer Advocate.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
Temporal 7.7 E:POC/RL:U/RC:C
Environmental 2.2 CDP:H/TD:L/CR:H/IR:H/AR:H

References

Credit

Thanks to Wissam Bashour for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2016-5653, CVE-2016-5654, CVE-2016-5655
Date Public: 2016-07-19
Date First Published: 2016-07-19
Date Last Updated: 2016-08-08 14:22 UTC
Document Revision: 45

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.