TECHSERVE, INC.
www.tech-serve.com
SECURITY ADVISORY
Advisory Name: Level Platforms, Inc. Service Center Install Data HTTP
Vulnerability
Release Date: 01/08/2008
Platform: Managed Workplace Service Center
Application: Version Number(s): 4.x, 5.x and 6.x
Severity: Ability to remotely determine version, build, service
pack, hot fix levels and times and dates each were installed
Author(s): Brook Powers, Sr. Network Engineer (bpowers@tech-serve
dot com)
Vendor Status: Vendor Notified February 1st, 2008
CVE Candidate: CVE-2008-0636
Reference: http://www.tech-serve.com/research/advisories/2008/
Overview:
=========
Level Platforms, Inc. (LPI) flagship product Managed Workplace Service
Center, which provides remote monitoring, reporting and alerting of
device & network status. The software is typically used by Managed
Service Providers and large IT departments. There is also a hosted
version offered through Ingram Micro.
LPI's software has two components, a Service Center (server) component,
and a Onsite Manager (client) component. The Service Center is typically
installed at a MSP's facility. The Service Center software sends &
receives data with one or more Onsite Manager software installations
(typically deployed at remote networks). The Service Center software
also provides a central console for management, monitoring, reporting
and alerting.
There exists at least one vulnerability in the Service Center software
that allows an attacker to remotely determine a wide variety of
potentially useful information via an HTTP URL.
Detailed Description:
=====================
A default install of the software handling the URL:
"http[s]://<SERVICE CENTER NAME>/About/SC_About.htm"
enumerates the following information without first checking to see if
the source of the command is authenticated (The <SERVICE CENTER NAME> is
the name that has been assigned to the Service Center website);
-Version
-Build
-Applied service packs
-Applied Hot Fixes
-The date and time each were installed.
Exploitation of this vulnerability provides an with attacker potentially
useful information that could be leveraged to attack the host, clients
or other resource to which they have access.
A Google search using the phrase "/About/SC_About.htm" enumerates
vulnerable systems.
No information has been provided to support any benefit achieved by
making this information publically available.
At this time, we are unaware of any other file permissions, cgi's or SQL
databases that do not verify submitted commands against authorized
users, however we believe it reasonable to assume others may exist. We
have not tested all versions or builds of the software, but have
reproduced the vulnerability in versions 4, 5 and 6.
A full audit of the software is in progress. Any additional security
risks, if discovered, will be made available publically, subsequent to
vendor notification.
Vendor Response:
================
This issue was reported to LPI by email on February 1, 2008.
On February 5, 2008 the following reply was received; "Thank you for
your input. I have forwarded this email over to our development team
for their consideration. Regards,..."
On February 6, 2008 the following reply was received; "...Our
development team is aware is this particular issue, and should be
addressing it, just want to let you know that having access to your
build/version number isn't hazardous to your managed services
business..."
Our Recommendation:
===================
1. There is no reason to give away the version/build number and every
reason to keep it confidential. Reduce the attack surface wherever
possible or practical.
2. Take steps to prevent publishing or exposing any unnecessary or
sensitive information that could be used to exploit your network.
3. Until the vulnerability is resolved by LPI;
a)prevent or restrict IP level access to the Service Center
website by restricting access to trusted IP ranges, or through VPN's.
Note that preventing Onsite Manager access
to the Service Center website will result in loss of functionality.
b)review the security settings of each web page within
Service Center.
c)disallow indexing of the Service Center site by search
engines using IP restrictions, robots.txt files or other measures
For more info, see:
===================
(Reserved for LPI advisory notice URL)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0636
Common Vulnerabilities and Exposures (CVE) Information:
=======================================================
The Common Vulnerabilities and Exposures (CVE) project, sponsored by the
U.S. Department of Homeland Security, National Cyber Security Division,
has assigned the following name(s) to these issues;
CVE-2008-0636
These are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security issues.
Copyright 2008 Techserve, Inc. - All rights reserved.
End