SecurityTracker.com
Category:  Application (Generic)  >  EMC Centera Universal Access
Vendors:  EMC
EMC Centera Universal Access Input Validation Flaw in Login Module Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1020540
SecurityTracker URL:  http://securitytracker.com/id?1020540
CVE Reference:  CVE-2008-3370
Updated:  Aug 6 2008
Original Entry Date:  Jul 23 2008
Impact:  Disclosure of system information, Disclosure of user information, User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): CUA4.0_4735.p4
Description:  Lars Heidelberg and Aaron Brown of adMERITia reported a vulnerability in EMC Centera Universal Access. A remote user can inject SQL commands.

The CUA Module Login does not properly validate user-supplied input in the user name field. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

A remote user can exploit this to bypass authentication.

The vendor was notified on May 20, 2008.

Impact:  A remote user can execute SQL commands on the underlying database.
Solution:  The vendor has issued a fix (CUA 4.0.1 Patch 1), available via EMC Powerlink.
Vendor URL:  www.emc.com/products/detail/software/emc-centera-universal-access.htm
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Aaron Brown <Aaron.Brown@admeritia.de>
Message History:   None.


 Source Message Contents

Date:  Wed, 23 Jul 2008 18:56:12 +0200
From:  Aaron Brown <Aaron.Brown@admeritia.de>
Subject:  Vulnerability Report: EMC Centera Universal Access

 
adMERITia Vulnerability Report
Vulnerability Information
 
Vendor: EMC²
Product: Centera Universal Access
Version: CUA4.0_4735.p4
 
Vulnerability Type: Software Flaw
 
Vulnerability: SQL Injection
 
Impact: Attacker can bypass the authentication method and will be logged in as an 
arbitrary user. With specific knowledge of user names it is possible for an attacker 
to choose the user he/she wishes to log in as without a password.
 
Description: The user name field of the CUA Module Login does not sanitize user 
input allowing for an attacker to run arbitrary SQL code. Through "--" syntax it is 
possible to comment out the password check allowing an attacker to log in with the 
first available user name in the table. After performing this several times or by 
searching through the "Accounts" tab within the CUA Module an attacker can gather a 
list of all users. With this list an attacker can select an administrator account 
and log in with this by simply entering the user name followed by "--".
 
How Vulnerability can be reproduced:
        For an arbitrary account enter the following in the user field: ' --
        For a targeted account enter the following in the user field: valid_user_name' --
 
Release Information
Model: CENTERA_GEN_4
Software Version: CUA4.0_4735.p4
Operating System: Linux i386 V. 2.6.16.21-0.15_VCUA4_0_4735
 
Fix: (quote from the vendor)
"The remedy for the reported problems has been released on 30 June 2008 and is 
available on EMC Powerlink as CUA 4.0.1 Patch 1, under "Support -> Software 
Download"."
Vendor URL: www.emc.com
 
Vendor Status:
Vendor was informed of the problem, and was very cooperative in getting a patch 
developed for the problem. However, contact was broken off by the vendor after the 
relevant patch was released. The vendor has not yet published an advisory stating 
the reason for the latest patch or the discovered vulnerability in previous 
versions. This vulnerability was brought to the attention of the vendor on May 20, 
2008 under the policy of responsible disclosure as documented at 
http://www.wiretrip.net/rfp/policy.html. After cooperating on a patch the vendor did 
not respond to requests to release a public advisory. Therefore we have taken the 
initiative to alert the public through various security publications.
 
Credit for this vulnerability finding should be given to:
Lars Heidelberg, adMERITia GmbH
Aaron Brown, adMERITia GmbH
 
Disclaimer
The information within this document may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are NO 
warranties with regard to this information. In no event shall the author be liable 
for any consequences whatsoever arising out of or in connection with the use or 
spread of this information. Any use of this information lies within the user's 
responsibility.
 
 
With kind regards
 
Aaron Brown
aaron.brown@admeritia.de
 
adMERITia GmbH
Gladbacher Strasse 3
40764 Langenfeld
Tel: +49 (2173) 20363-0
Fax: +49 (2173) 20363-29
 
VAT ID No.: DE255841996
Düsseldorf District Court, HRB 57024
Managing Director: Heiko Rudolph
 
Visit us on the Internet at http://www.admeritia.de.
 
**********************************************************
This e-mail and any files transmitted with it are confidential and intended solely 
for the use of the individual or organization to whom they are addressed. Should you 
not be the intended addressee of this e-mail or his or her representative, please 
note that publication, replication of the contents by any means or further 
communication of the content is not permissible. Should you have received this 
e-mail in error, please notify the sender.
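
Added example, not part of the original report and not EMC's code: the login pattern the report describes, with the user name concatenated into the SQL text, beside a bind-parameter version that rejects the same input. The accounts table, its column names, the sample users and the query shape are assumptions, since the report does not publish CUA's schema; under that assumed shape only the targeted-account input bypasses the password check.

```python
import hashlib
import hmac
import sqlite3


def _hash(password):
    # Demo stand-in so the block stays short; production code uses a salted password KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    # Hypothetical schema and constructed accounts; CUA's real tables are not public.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for user, pw in (("operator", "op-secret"), ("admin", "adm-secret")):
        db.execute("INSERT INTO accounts VALUES (?, ?)", (user, _hash(pw)))
    return db


def login_concatenated(db, username, password):
    # Flawed pattern: the user name becomes part of the SQL text, so a quote
    # closes the literal and "--" turns the password check into a comment.
    sql = ("SELECT username FROM accounts WHERE username = '" + username
           + "' AND pw_hash = '" + _hash(password) + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    # Fixed pattern: the user name is bound as data and never parsed as SQL;
    # the password hash is compared in application code.
    row = db.execute(
        "SELECT username, pw_hash FROM accounts WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    return row[0] if hmac.compare_digest(row[1], _hash(password)) else None


if __name__ == "__main__":
    db = make_db()
    for user in ("admin", "admin' --", "' --"):  # inputs in the form the report lists
        print(repr(user),
              "concatenated:", login_concatenated(db, user, "wrong-password"),
              "parameterized:", login_parameterized(db, user, "wrong-password"))
```
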
 
 
 



Copyright 2007, SecurityGlobal.net LLC