Executive Summary
Summary | 
---|---
Title | SAP BusinessObjects Axis2 Default Admin Password
Information | | | 
---|---|---|---
Name | VU#989719 | First vendor Publication | 2010-10-13
Vendor | VU-CERT | Last vendor Modification | 2010-10-14
Severity (Vendor) | N/A | Revision | M
Security-Database Scoring CVSS v3
CVSS vector : N/A | | | 
---|---|---|---
Overall CVSS Score | NA | | 
Base Score | NA | Environmental Score | NA
Impact Sub Score | NA | Temporal Score | NA
Exploitability Sub Score | NA | | 
Security-Database Scoring CVSS v2
CVSS vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | | | 
---|---|---|---
CVSS Base Score | 10 | Attack Range | Network
CVSS Impact Score | 10 | Attack Complexity | Low
CVSS Exploit Score | 10 | Authentication | None Required
Detail
Vulnerability Note VU#989719
SAP BusinessObjects Axis2 Default Admin Password

Overview
The Axis2 component of SAP BusinessObjects contains a default administrator account and password.

I. Description
The SAP BusinessObjects product contains a module (dswsbobje.war) that deploys Axis2 with an administrator account configured with a static password. As a result, anyone with access to the Axis2 port can gain full access to the machine via arbitrary remote code execution. This requires the attacker to upload a malicious web service and to restart the instance of Tomcat. This issue may apply to other products and vendors that embed the Axis2 component. The username is "admin" and the password is "axis2"; this is also the default for standalone Axis2 installations. Additional details may be found in the Rapid7 R7-0037 advisory.

II. Impact
An attacker can execute arbitrary code by creating a malicious web service (jar). The attacker can log in to the Axis2 component with the default admin account, upload the malicious web service, and upon restart the malicious code will be executed.

III. Solution
The vendor has addressed this vulnerability in SAP Security Note 1432881. Users should change the default admin password. This can be done by modifying the password value within axis2.xml.
References
http://www.rapid7.com/security-center/advisories/R7-0037.jsp

Thanks to Joshua Abraham and Will Vandevanter for reporting this vulnerability. This document was written by Jared Allar.
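The solution above is to change the password value in axis2.xml. The following added example (not part of the CERT note or of SAP's or Axis2's own code) audits an axis2.xml for the default "admin"/"axis2" pair described in this note and shows the mitigation, rewriting the password parameter. It assumes the stock Axis2 axis2.xml layout, where the administrator credentials are top-level `<parameter name="userName">` and `<parameter name="password">` elements; the sample configuration is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Defaults shipped with stock Axis2 and, per VU#989719, with dswsbobje.war.
DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "axis2"

# Constructed sample of the relevant part of an axis2.xml (not from a real deployment).
SAMPLE_AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="hotupdate">false</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
</axisconfig>
"""


def admin_credentials(xml_text):
    """Return (userName, password) from the <parameter> elements of an axis2.xml.
    A value that is not present comes back as None."""
    root = ET.fromstring(xml_text)
    creds = {"userName": None, "password": None}
    for param in root.iter("parameter"):
        name = param.get("name")
        if name in creds:
            creds[name] = (param.text or "").strip()
    return creds["userName"], creds["password"]


def check_axis2_admin(xml_text):
    """Return a list of findings; an empty list means the default credentials are not in use."""
    user, password = admin_credentials(xml_text)
    findings = []
    if password is None:
        findings.append("no admin password parameter found; confirm the admin console is protected")
    elif password == "":
        findings.append("admin password parameter is empty")
    elif password == DEFAULT_PASSWORD:
        findings.append("admin password is the stock Axis2 default 'axis2' (VU#989719)")
        if user == DEFAULT_USER:
            findings.append("complete default admin/axis2 credential pair is present")
    return findings


def set_admin_password(xml_text, new_password):
    """Return axis2.xml text with the password parameter replaced (the mitigation in III. Solution)."""
    root = ET.fromstring(xml_text)
    for param in root.iter("parameter"):
        if param.get("name") == "password":
            param.text = new_password
    return ET.tostring(root, encoding="unicode")
```

Run `check_axis2_admin` over each deployed axis2.xml (for example the one inside an extracted dswsbobje.war) and treat any finding as a configuration defect to fix with `set_admin_password` or by hand.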
Original Source
Url : http://www.kb.cert.org/vuls/id/989719 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-255 | Credentials Management |
CPE : Common Platform Enumeration
Type | Description | Count
---|---|---
Application | | 7
Application | | 1
SAINT Exploits
Description | Link |
---|---|
CA ARCserve D2D Axis2 default password | More info here |
HP Universal CMDB Server Axis2 default password | More info here |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
68662 | SAP BusinessObjects Axis2 dswsbobje.war Module Admin Account Default Password. By default, the SAP BusinessObjects dswsbobje.war module deploys Axis2 with a default password. The admin account has a password of axis2, which is publicly known and documented. This allows a remote attacker to execute arbitrary code by uploading a crafted web service. |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2011-02-17 | IAVM : 2011-B-0020 - Computer Associates ARCserve Password Security Bypass Vulnerability Severity : Category I - VMSKEY : V0026075 |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | CA ARCserve Axis2 default credential login attempt RuleID : 18985 - Revision : 13 - Type : POLICY-OTHER |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2010-05-27 | Name : The remote web server hosts a web application that uses default credentials. File : apache_axis2_default_creds.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 12:08:21 | 