Level Platforms, Inc. Service Center Install Data HTTP Vulnerability

2008.02.19
Credit: Brook Powers
Risk: Low
Local: No
Remote: Yes
CWE: CWE-200


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

TECHSERVE, INC.
www.tech-serve.com

SECURITY ADVISORY

Advisory Name: Level Platforms, Inc. Service Center Install Data HTTP Vulnerability
Release Date: 01/08/2008
Platform: Managed Workplace Service Center
Application:
Version Number(s): 4.x, 5.x and 6.x
Severity: Ability to remotely determine version, build, service pack, hot fix levels and times and dates each were installed
Author(s): Brook Powers, Sr. Network Engineer (bpowers@tech-serve dot com)
Vendor Status: Vendor Notified February 1st, 2008
CVE Candidate: CVE-2008-0636
Reference: http://www.tech-serve.com/research/advisories/2008/

Overview:
=========

The flagship product of Level Platforms, Inc. (LPI) is Managed Workplace Service Center, which provides remote monitoring, reporting and alerting of device & network status. The software is typically used by Managed Service Providers and large IT departments. There is also a hosted version offered through Ingram Micro.

LPI's software has two components, a Service Center (server) component and an Onsite Manager (client) component. The Service Center is typically installed at an MSP's facility. The Service Center software sends & receives data with one or more Onsite Manager software installations (typically deployed at remote networks). The Service Center software also provides a central console for management, monitoring, reporting and alerting.

There exists at least one vulnerability in the Service Center software that allows an attacker to remotely determine a wide variety of potentially useful information via an HTTP URL.

Detailed Description:
=====================

A default install of the software handling the URL:

"http[s]://<SERVICE CENTER NAME>/About/SC_About.htm"

enumerates the following information without first checking to see if the source of the command is authenticated (the <SERVICE CENTER NAME> is the name that has been assigned to the Service Center website):

-Version
-Build
-Applied service packs
-Applied Hot Fixes
-The date and time each were installed.

Exploitation of this vulnerability provides an attacker with potentially useful information that could be leveraged to attack the host, clients or other resources to which they have access.

A Google search using the phrase "/About/SC_About.htm" enumerates vulnerable systems.

No information has been provided to support any benefit achieved by making this information publicly available.

At this time, we are unaware of any other file permissions, CGIs or SQL databases that do not verify submitted commands against authorized users; however, we believe it reasonable to assume others may exist.

We have not tested all versions or builds of the software, but have reproduced the vulnerability in versions 4, 5 and 6. A full audit of the software is in progress. Any additional security risks, if discovered, will be made available publicly, subsequent to vendor notification.

Vendor Response:
================

This issue was reported to LPI by email on February 1, 2008.

On February 5, 2008 the following reply was received:

"Thank you for your input. I have forwarded this email over to our development team for their consideration. Regards,..."

On February 6, 2008 the following reply was received:

"...Our development team is aware of this particular issue, and should be addressing it, just want to let you know that having access to your build/version number isn't hazardous to your managed services business..."

Our Recommendation:
===================

1. There is no reason to give away the version/build number and every reason to keep it confidential. Reduce the attack surface wherever possible or practical.

2. Take steps to prevent publishing or exposing any unnecessary or sensitive information that could be used to exploit your network.

3. Until the vulnerability is resolved by LPI:

   a) Prevent or restrict IP level access to the Service Center website by restricting access to trusted IP ranges, or through VPNs. Note that preventing Onsite Manager access to the Service Center website will result in loss of functionality.

   b) Review the security settings of each web page within Service Center.

   c) Disallow indexing of the Service Center site by search engines using IP restrictions, robots.txt files or other measures.

For more info, see:
===================

(Reserved for LPI advisory notice URL)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0636

Common Vulnerabilities and Exposures (CVE) Information:
=======================================================

The Common Vulnerabilities and Exposures (CVE) project, sponsored by the U.S. Department of Homeland Security, National Cyber Security Division, has assigned the following name(s) to these issues:

CVE-2008-0636

These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security issues.

Copyright 2008 Techserve, Inc. - All rights reserved.

End
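
To check whether recommendation 3 is holding, an operator can review the Service Center web server's access log for successful, unauthenticated fetches of the About page from outside the trusted ranges, including search-engine crawlers. The following is an added example, not part of the Techserve advisory or LPI's software; the "combined" log format, the trusted ranges and the function names are assumptions to adapt to your site.

```python
import ipaddress
import re

# Assumption: trusted ranges (VPN / Onsite Manager networks) are site-specific;
# the values below are placeholders.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
ABOUT_PATH = "/about/sc_about.htm"  # path from the advisory, compared case-insensitively

# Assumption: Apache/NGINX-style "combined" log lines; adapt the regex for other formats.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

def is_trusted(ip_text):
    """True if the address parses and falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)

def find_exposures(lines):
    """Return requests that fetched the About page successfully, without an
    authenticated user, from outside the trusted ranges."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = m["uri"].split("?", 1)[0].lower()
        if path != ABOUT_PATH or m["status"] != "200":
            continue
        if m["user"] != "-" or is_trusted(m["ip"]):
            continue
        # Crawler hits mean the page is being indexed (recommendation 3c).
        crawler = bool(re.search(r"bot|crawl|spider", m["ua"] or "", re.I))
        findings.append({"ip": m["ip"], "time": m["ts"], "crawler": crawler})
    return findings

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    '10.1.2.3 - - [08/Feb/2008:10:00:01 +0000] "GET /About/SC_About.htm HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [08/Feb/2008:10:05:12 +0000] "GET /About/SC_About.htm HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [08/Feb/2008:10:07:30 +0000] "GET /about/sc_about.htm?x=1 HTTP/1.1" 200 2048 "-" "ExampleBot/1.0 (crawler)"',
    '198.51.100.7 - - [08/Feb/2008:10:09:44 +0000] "GET /About/SC_About.htm HTTP/1.1" 403 0 "-" "Mozilla/4.0"',
    '198.51.100.8 - alice [08/Feb/2008:10:11:02 +0000] "GET /About/SC_About.htm HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_LOG):
        print(finding)
```

Any finding means the page was served to an address that the IP restriction should have blocked; a finding with `crawler` set means the site is also reachable by indexers.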

