EMC SourceOne ASP.NET application tracing information disclosure vulnerability
| Published | Credit |
Risk |
| 2011.05.25 |
Security_Alert emc com |
Low |
| CVSS Base Score |
Impact Subscore |
| Exploitability Subscore |
| 3.5/10 |
2.9/10 |
| 6.8/10 |
| Exploit range |
Attack complexity |
| Authentication |
| Remote |
Medium |
| Single time |
| Confidentiality impact |
Integrity impact |
| Availability impact |
| Partial |
None |
| None |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2011-016: EMC SourceOne ASP.NET application tracing information disclosure vulnerability.
EMC Identifier: ESA-2011-016
CVE Identifier: CVE-2011-1424
Severity Rating: CVSS v2 Base Score: 6.8 (AV:N/AC:L/Au:S/C:C/I:N/A:N)
Affected products:
EMC SW: EMC SourceOne Email Management for Microsoft Exchange 6.5.2.3668 (SP2 HF3) and earlier
EMC SW: EMC SourceOne Email Management for Notes/Domino 6.5.2.3668 (SP2 HF3) and earlier
EMC SW: EMC SourceOne Email Management for Microsoft Exchange 6.6.0.1209 (HF1) and earlier
EMC SW: EMC SourceOne Email Management for Notes/Domino 6.6.0.1209 (HF1) and earlier
NOTE: New installations using SourceOne Email Management 6.6 SP1 and later are not affected by this issue.
This ESA applies only to SourceOne customers using the Mobile Services component of SourceOne Email Management. The
Mobile Services component is included in the EMC SourceOne Email Management software kit and is used only in the
following environments:
EMC SourceOne Email Management
EMC SourceOne for File Systems
Vulnerability Summary:
EMC SourceOne Email Management may allow the disclosure of application-sensitive information using ASP.NET Application
Tracing
Vulnerability Details:
The ASP.NET application trace is enabled in affected versions of EMC SourceOne Email Management. This trace file may
contain application-sensitive information that can be accessed by a remote user. Authentication is required to access
the trace file.
Problem Resolution:
A manual change is required on each Microsoft Windows IIS web server on which EMC SourceOne Mobile Services software is
installed. This manual change is required for all existing installations of affected versions, even if the server has
been upgraded to a non-affected version. Follow these steps to make the required change:
1. Open Windows Explorer and browse to the ExShortcut install directory. By default, this directory is the
SourceOneInstallDrive:\SourceOneInstallDirectory\ExShortcut.
2. Right click on the Web.config file and click "Open With" then choose "Notepad".
3. Once the document has loaded into Notepad, find the following line:
<trace enabled="true" requestLimit="40" localOnly="false"/>
4. Change this line so that it is identical to the following:
<trace enabled="false" requestLimit="40" localOnly="true"/>
5. Save the Web.config document.
NOTE: New installations using SourceOne Email Management 6.6 SP1 and later are not affected by this issue.
At the earliest opportunity, EMC strongly recommends all customers apply the mitigation steps above to resolve the
issue.
For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take
into account both the base score and any relevant temporal and environmental scores which may impact the potential
severity associated with particular security vulnerability.
EMC Corporation distributes EMC Security Advisories in order to bring to the attention of users of the affected EMC
products important security information. EMC recommends all users determine the applicability of this information to
their individual situations and take appropriate action. The information set forth herein is provided "as is"
without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of
merchantability, fitness for a particular purpose, title and non-infringement. In no event shall EMC or its suppliers be
liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or
special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not
allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may
not apply.
EMC Product Security Response Center
Security_Alert (at) EMC (dot) com [email concealed]
http://www.emc.com/contact-us/contact/product-security-response-center.h
tm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
iEYEARECAAYFAk3NiMsACgkQtjd2rKp+ALy6CwCgy3v/1iNkOawktuot4qMHLO55
LZUAnRxRz5r34ZR2xIdUWWIV1gMqQ/yF
=sx7o
-----END PGP SIGNATURE-----
ASCII VERSION
|
