Symantec LiveUpdate Administrator 2.3.2.99 Password Reset / SQL Injection

2014.03.29
Credit: Stefan
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2014-1645 | CVE-2014-1644
CWE: CWE-89

SEC Consult Vulnerability Lab Security Advisory < 20140328-0 > ======================================================================= title: Multiple critical vulnerabilities product: Symantec LiveUpdate Administrator vulnerable version: <= 2.3.2.99 fixed version: 2.3.2.110 impact: critical CVE number: CVE-2014-1644, CVE-2014-1645 homepage: http://www.symantec.com found: 2014-01-02 by: Stefan Viehbck SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "LiveUpdate Administrator is an enterprise Web application that allows you to manage updates on multiple internal Central Update servers, called Distribution Centers. Using LiveUpdate Administrator, you download updates to the Manage Updates folder, and then send the updates to production distribution servers for Update clients to download, or to testing distribution centers, so that the updates can be tested before they are distributed to production. Source: http://www.symantec.com/connect/articles/knowledgebase-articles-liveupdate-administrator-lua Business recommendation: ------------------------ Attackers are able to compromise LiveUpdate Administrator at the application and database levels. This enables access to credentials of update servers on the network. It is highly recommended by SEC Consult not to use this software until a thorough security review has been performed by security professionals and all identified issues have been resolved. Vulnerability overview/description: ----------------------------------- 1) Unauthenticated arbitrary account password reset (CVE-2014-1644) The reset password is not properly protected and allows unauthenticated attackers to reset passwords of arbitrary users. Using this vulnerability an attacker can gain full access to the LiveUpdate Administrator web interface. An attacker can use this vulnerability to retrieve usernames/passwords of internal LiveUpdate servers and execute attacks against those servers. 2) Unauthenticated SQL injection (CVE-2014-1645) Several SQL injection vulnerabilities were discovered in the application. These vulnerabilities allow attackers to exfiltrate database contents (including user names, passwords, server credentials) and possibly to compromise the host system as well. Proof of concept: ----------------- 1) Unauthenticated arbitrary account password reset (CVE-2014-1644) The following request shows how the password of the user with the email address "foo@bar.com" can be set to "11111111". Affected script: /lua/forcepasswd.do Detailed proof of concept exploits have been removed for this vulnerability. 2) Unauthenticated SQL injection (CVE-2014-1645) The following request shows how the SQL injection in the password reset functionality can be exploited (blind, timing). Affected script: /lua/forcepasswd.do Detailed proof of concept exploits have been removed for this vulnerability. The password recovery functionality (/loginforgotpwd)is vulnerable to SQL injection as well. Several DAO methods show incorrect use of prepared statements and were not investigated further. Vulnerable / tested versions: ----------------------------- The vulnerabilities have been verified to exist in Symantec LiveUpdate Administrator version 12.1.4013, which was the most recent version at the time of discovery. Vendor contact timeline: ------------------------ 2014-01-09: Sending advisory and proof of concept exploit via encrypted channel. 2014-01-09: Vendor acknowledges receipt of advisory. 2014-02-24: Requesting status update. 2014-02-25: Vendor confirms vulnerability. 2014-02-25: Vendor plans release in late march. 2014-03-25: Vendor provides schedule. 2014-03-27: Vendor provides CVE-IDs and releases fixed version. 2014-03-28: SEC Consult releases coordinated security advisory. Solution: --------- Update to the most recent version (2.3.2.110) of Symantec LiveUpdate Administrator. More information can be found at: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140327_00 Workaround: ----------- No workaround available. Advisory URL: -------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult Interested to work with the experts of SEC Consult? Write to career@sec-consult.com EOF Stefan Viehbck / @2014


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top