Executive Summary

This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry.
Summary

Title: Wave EMBASSY Remote Administration Server SQL injection vulnerabilities

Informations

Name: VU#217836
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor Publication: 2013-07-12
Last vendor Modification: 2013-07-29
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Impact Subscore: NA
Exploitability Subscore: NA
Temporal Score: NA
Environmental Score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Base Score: 9
CVSS Impact Score: 10
CVSS Exploit Score: 8
Attack Range: Network
Attack Complexity: Low
Authentication: Requires single instance

Detail

Vulnerability Note VU#217836

Wave EMBASSY Remote Administration Server SQL injection vulnerabilities

Original Release date: 12 Jul 2013 | Last revised: 29 Jul 2013

Overview

The Wave EMBASSY Remote Administration Server (ERAS) contains the ERAS Help Desk application, which fails to filter user input and is therefore exploitable through SQL injection. These vulnerabilities may allow a remote authenticated attacker to execute stored procedures, SQL queries and updates against the vulnerable database application, as well as commands on the target server.

Description

The ERAS 2.8.4 and 2.9.5 Help Desk application has been reported to be vulnerable to blind SQL injection and to command execution on the target server. Exploitation requires that the attacker be authenticated to the application.

CWE-79 - Blind SQL Injection - CVE-2013-3577
A blind SQL injection attack may be performed against the ct100$4MainController$TextBoxSearchValue parameter or search box.

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2013-3578
A stacked-query SQL injection attack on the ct100$4MainController$TextBoxSearchValue parameter (the search box) allows a remote authenticated attacker to execute commands on the server.

Impact

A remote attacker may be able to execute SQL queries on a server, possibly with elevated privileges. As a result, attackers may be able to view or modify the contents of the database. Additionally, an attacker may be able to execute operating system commands on the server, potentially allowing them to gain control of the server itself.

Solution

Apply an Update

Additional input validation checks were implemented in ERAS 2.9.5 Service Packs 1 and 2 to fix these vulnerabilities. All users with ERAS deployments should obtain the upgrade from Wave's support website. Users will also receive a notice from Wave with links to the patch.

Affected Versions

  • ERAS 2.8.4 Help Desk
  • ERAS 2.9.5 Help Desk

Please consider the following workarounds if you are unable to upgrade.

  • User Management
    This vulnerability requires authentication to exploit. Enforce strong user permissions to minimize the attack surface.

Vendor Information

  Vendor: Wave
  Status: Affected
  Date Notified: 14 May 2013
  Date Updated: 18 Jul 2013

CVSS Metrics

  Group           Score   Vector
  Base            7.7     AV:A/AC:L/Au:S/C:C/I:C/A:C
  Temporal        6.0     E:POC/RL:OF/RC:C
  Environmental   1.8     CDP:LM/TD:L/CR:ND/IR:ND/AR:ND

References

  • http://cwe.mitre.org/data/definitions/79.html
  • http://cwe.mitre.org/data/definitions/78.html
  • http://www.us-cert.gov/security-publications/sql-injection
  • http://www.wave.com/products/embassy-remote-administration-server-self-encrypting-drives

Credit

Thanks to Simone Cecchini from Verizon Enterprise Solutions (GCIS Threat and Vulnerability Management) for discovering this vulnerability. Also, thanks to Thierry Zoller from Verizon Enterprise Solutions for reporting this vulnerability.

This document was written by Chris King.

Other Information

  • CVE IDs: CVE-2013-3577, CVE-2013-3578
  • Date Public: 12 Jul 2013
  • Date First Published: 12 Jul 2013
  • Date Last Updated: 29 Jul 2013
  • Document Revision: 23

Original Source

Url : http://www.kb.cert.org/vuls/id/217836

CWE : Common Weakness Enumeration

  %      Id       Name
  67 %   CWE-89   Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)
  33 %   CWE-78   Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

  Type          Description   Count
  Application                 1
  Application                 1

Alert History

  Date                  Informations
  2013-07-29 17:22:24   Multiple Updates
  2013-07-16 21:21:37   Multiple Updates
  2013-07-12 17:18:07   First insertion