
CERT Coordination Center


Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.9.4 build 2995 contains a code injection vulnerability

Vulnerability Note VU#893462

Original Release Date: 2013-11-22 | Last Revised: 2017-10-18

Overview

Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.94 build 2995 and possibly earlier versions contain a code injection vulnerability (CWE-94).

Description

CWE-94: Improper Control of Generation of Code ('Code Injection')

Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.94 build 2995 and possibly earlier versions contain a code injection vulnerability. By default, this software package is configured to run with system privileges. A remote unauthenticated attacker can craft a URL that utilizes the software's file import function to upload malicious files or execute arbitrary code.

For example:
http://www.example.com/VhttpdMgr?action=importFile&fileName={BACKDOOR}

Impact

A remote unauthenticated attacker may be able to upload malicious files or execute arbitrary code with system privileges.

Solution

Update

Thomson Reuters has released hotfix 6429: Security fix hot-fix for Velocity Analytics to address this vulnerability. Users affected by this vulnerability are advised to download the fix from the Customer Zone.

Restrict access to the Analytic Server interface

Restrict access to the Thomson Reuters Velocity Analytics Vhayu Analytic Server interface to trusted networks. If possible, configure management and transit networks for separate VLANs, or restrict access to the device using IP access lists.
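The request pattern shown in the Description (VhttpdMgr?action=importFile&fileName=...) and the trusted-network restriction above can be combined into a simple log check. This is an added defender-side example, not code from the advisory or from the vendor; the access-log format, the 10.10.0.0/24 management network and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Assumed: management networks allowed to reach the Analytic Server interface.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]
# Assumed combined-log style: <src_ip> - - [ts] "<method> <uri> HTTP/1.x" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def is_trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparseable source address is treated as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)

def classify(line: str):
    """Return None unless the line is a VhttpdMgr importFile request; otherwise
    describe the request and whether its source lies outside the trusted networks."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if not parts.path.endswith("/VhttpdMgr"):
        return None
    qs = parse_qs(parts.query)
    if qs.get("action", [""])[0] != "importFile":
        return None
    return {
        "src": m.group("ip"),
        "file_name": qs.get("fileName", [""])[0],
        "status": int(m.group("status")),
        "untrusted_source": not is_trusted(m.group("ip")),
    }

def find_untrusted_imports(lines):
    # Only importFile requests from outside the trusted networks become alerts.
    return [hit for hit in map(classify, lines) if hit and hit["untrusted_source"]]

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.10.0.5 - - [22/Nov/2013:10:00:00 +0000] "GET /VhttpdMgr?action=status HTTP/1.1" 200 512',
    '10.10.0.5 - - [22/Nov/2013:10:01:00 +0000] "GET /VhttpdMgr?action=importFile&fileName=daily.csv HTTP/1.1" 200 88',
    '198.51.100.7 - - [22/Nov/2013:10:02:00 +0000] "GET /VhttpdMgr?action=importFile&fileName=report.dat HTTP/1.1" 200 88',
    '198.51.100.7 - - [22/Nov/2013:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

Run find_untrusted_imports over the server's access log; an importFile request from an address outside TRUSTED_NETWORKS indicates the interface is reachable from untrusted networks and should be investigated.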

Vendor Information


Thomson Reuters

Notified: October 16, 2013 | Updated: January 23, 2014

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

For customers who have TREP-VA deployed on platforms which are in trusted networks and do not allow inbound connections from untrusted networks, the http interface would not be vulnerable.

Vendor References

https://customers.reuters.com/a/support/technical/softwaredownload/download.aspx?productVersionReleaseId=20287
https://customers.reuters.com/a/support/paz/Default.aspx?pId=9117

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group          Score  Vector
Base           10.0   AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       7.3    E:U/RL:W/RC:UC
Environmental  1.8    CDP:N/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Eduardo Gonzalez Lainez for reporting this vulnerability.

This document was written by Adam Rauf.

Other Information

CVE IDs: CVE-2013-5912
Date Public: 2013-11-21
Date First Published: 2013-11-22
Date Last Updated: 2017-10-18 17:27 UTC
Document Revision: 37

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.