Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS.
Summary

Title: BMC Track-It! contains multiple vulnerabilities

Informations

Name: VU#121036
Vendor: VU-CERT
First vendor Publication: 2014-10-07
Last vendor Modification: 2014-10-27
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Base Score: 7.5
CVSS Impact Score: 6.4
CVSS Exploit Score: 10
Attack Range: Network
Attack Complexity: Low
Authentication: None Required

Detail

Vulnerability Note VU#121036

BMC Track-It! contains multiple vulnerabilities

Original Release date: 07 Oct 2014 | Last revised: 27 Oct 2014

Overview

BMC Track-It! version 11.3.0.355 contains multiple vulnerabilities.

Description

CWE-306: Missing Authentication for Critical Function - CVE-2014-4872

BMC Track-It! exposes several dangerous remote .NET services on port 9010 without authentication. .NET remoting allows a user to invoke methods remotely and retrieve their result. The exposed service FileStorageService allows for arbitrary file upload and code execution. The exposed service ConfigurationService allows for retrieval of configuration files which contain both application and domain credentials.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2014-4873
An authenticated user can engage in blind SQL Injection by entering comparison operators in the POST string for the /TrackItWeb/Grid/GetData page.

CWE-264: Permissions, Privileges, and Access Controls - CVE-2014-4874
A remote authenticated user can download arbitrary files on the /TrackItWeb/Attachment page.

The vendor, BMC, has issued the following statement:

BMC has issued an advisory to all Track-IT customers with the details of the disclosed vulnerabilities and the availability of hotfixes.

Resolved issues:

  • CWE-89: SQL Injection - CVE-2014-4873
    • Hotfix available
    • See Article ID TIA07454 on Numara support site
  • CWE-264: Arbitrary file download - CVE-2014-4874
    • Hotfix available
    • See Article ID TIA07453 on Numara support site

Resolutions under development:

  • CWE-306: Improper Authentication for .NET services - CVE-2014-4872
    • Until hotfixes are available we recommend that you block all communications from untrusted networks to TCP/UDP ports 9010 to 9020. This will also block SelfService and trackitweb from being used from external networks.
    • See Articles TIA07456, TIA07457 and TIA07455 for current status.

If you have any questions regarding this security notification, please contact Track-It! Support by opening a case at: https://support.numarasoftware.com/

The CVSS score reflects CVE-2014-4872.

Impact

A remote unauthenticated attacker may be able to upload and download arbitrary files and execute arbitrary code.

Solution

Apply an Update
BMC has issued several hotfixes and recommendations to mitigate these vulnerabilities. Please see the statement above for details.

Use a Firewall
Using a firewall to block inbound requests to port 9010 will prevent access to the vulnerable methods, although it may interfere with normal program operation.
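The interim firewall mitigation above, written out as an nftables rule set generator. This is an added example, not part of the CERT/CC note or BMC's hotfix guidance; it assumes nftables on the Track-It! host, and takes the trusted internal CIDR and the server address as arguments so that internal SelfService/TrackItWeb use keeps working while the 9010-9020 range is dropped (and logged) for everyone else.

```shell
#!/bin/sh
# Added example: emit an nft script that drops inbound TCP/UDP 9010-9020
# (the unauthenticated .NET remoting range from CVE-2014-4872) except from
# a trusted network. The CIDR and server address are assumptions supplied
# by the caller; nothing here is applied until the output is fed to nft -f.

# Usage: trackit_9010_rules <trusted_cidr> <server_ip>
# Prints the rule set to stdout; returns 1 on malformed arguments so a
# typo cannot silently produce a rule set that allows the wrong network.
trackit_9010_rules() {
    cidr="$1"
    server="$2"
    # crude IPv4/CIDR sanity checks: digits, dots and one optional slash
    case "$cidr" in
        *[!0-9./]*|"") return 1 ;;
    esac
    case "$server" in
        *[!0-9.]*|"") return 1 ;;
    esac
    cat <<EOF
#!/usr/sbin/nft -f
table inet trackit_mitigation {
    chain input {
        type filter hook input priority 0; policy accept;
        # trusted network keeps using SelfService / TrackItWeb on 9010-9020
        ip saddr $cidr ip daddr $server tcp dport 9010-9020 accept
        ip saddr $cidr ip daddr $server udp dport 9010-9020 accept
        # everything else on the remoting range is logged and dropped
        ip daddr $server tcp dport 9010-9020 log prefix "trackit-9010 " drop
        ip daddr $server udp dport 9010-9020 log prefix "trackit-9010 " drop
    }
}
EOF
}

# example invocation with constructed addresses:
# trackit_9010_rules 10.0.0.0/8 192.0.2.10 > /etc/nftables.d/trackit.nft
```

The log prefix gives the SOC a searchable marker for blocked attempts against the remoting range while the hotfix for CVE-2014-4872 is pending.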

Vendor Information

Vendor | Status | Date Notified | Date Updated
BMC Software | Affected | 21 Aug 2014 | 27 Oct 2014

CVSS Metrics

Group | Score | Vector
Base | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal | 8.1 | E:F/RL:W/RC:UC
Environmental | 6.1 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

• http://cwe.mitre.org/data/definitions/89.html
• http://cwe.mitre.org/data/definitions/306.html
• http://cwe.mitre.org/data/definitions/264.html
• http://www.trackit.com/

Credit

Thanks to Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security for reporting this vulnerability.

This document was written by Chris King.

Other Information

• CVE IDs: CVE-2014-4872, CVE-2014-4873, CVE-2014-4874
• Date Public: 07 Oct 2014
• Date First Published: 07 Oct 2014
• Date Last Updated: 27 Oct 2014
• Document Revision: 20


Original Source

Url: http://www.kb.cert.org/vuls/id/121036

CWE : Common Weakness Enumeration

% | Id | Name
33 % | CWE-306 | Missing Authentication for Critical Function (CWE/SANS Top 25)
33 % | CWE-200 | Information Exposure
33 % | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type | Description | Count
Application | | 1

ExploitDB Exploits

Date | Description
2014-10-09 | BMC Track-It! - Multiple Vulnerabilities

Snort® IPS/IDS

Date | Description
2015-02-24 | BMC Track-It FileStorageService directory traversal attempt (RuleID: 33197 - Revision: 4 - Type: SERVER-OTHER)

Alert History

Date | Informations
2020-05-23 13:17:15 | Multiple Updates
2016-03-03 21:24:46 | Multiple Updates
2016-03-03 17:22:00 | Multiple Updates
2014-11-14 13:24:30 | Multiple Updates
2014-10-27 21:21:50 | Multiple Updates
2014-10-15 21:27:03 | Multiple Updates
2014-10-11 09:29:56 | Multiple Updates
2014-10-10 17:29:32 | Multiple Updates
2014-10-10 13:23:58 | Multiple Updates
2014-10-07 21:23:49 | First insertion