lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 20 May 2018 15:53:07 -0700
From: Xiaoran Wang via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] JDA Connect Multiple Critical Vulnerabilities

Introduction
============
Multiple critical vulnerabilities were identified in JDA Connect.
The vulnerabilities were discovered during a
black box security assessment and therefore the vulnerability list
should not be considered exhaustive.

Affected Software and Versions
==============================
   - Tested with JDA Connect (most recent version at the date of July 2017)
   - All vulnerabilities are fixed as of patch 2017.2

CVE
===
No CVEs have been assigned yet.

Author
======
The vulnerabilities were discovered by Xiaoran Wang from Google Security
Team.

Credit
======
The author would like to thank John Vrankovich from JDA for coordinating
the security fixes promptly and diligently.

Vulnerability Overview
======================
CNT-01 - Privileged remote command execution through open CORS policies
CNT-02 - No CSRF protection on hawtio web portal
CNT-03 - Unauthenticated JMX service listening on all interfaces


Vulnerability Details
=====================
----------------------------------------------------------------------------
CNT-01 - Privileged remote command execution through open CORS policies
----------------------------------------------------------------------------
Severity: CRITICAL

The hawtio admin web portal running on port 8181 has a insecure wide open
“Access-Control-Allow-Origin” setting and it allows any arbitrary origin to
access its data by echoing back “Access-Control-Allow-Origin:
attacker-supplied-origin” and “Access-Control-Allow-Credentials: true”.
This allows the attacker to communicate with the vulnerable website from an
attacker’s website as if they were on the same origin. This enables the
attacker to take send and receive any request this website accepts because
it’s cookie authenticated. Example requests include dumping heap memory,
reading/writing JVM options, reading/writing object values, installing
arbitrary features/bundles, and the servlet handler runs as root.

----------------------------------------------------------------------------
CNT-02 - No CSRF protection on hawtio web portal
----------------------------------------------------------------------------
Severity: HIGH

The hawtio admin web portal running on port 8181 does not have any CSRF
protection, leading to the same results as the previous vulnerability, such
as installing arbitrary packages, reading/writing JVM memory, etc.

----------------------------------------------------------------------------
CNT-03 - Unauthenticated JMX service listening on all interfaces
----------------------------------------------------------------------------
Severity: HIGH

The JDA Connect Java daemon has a JMX server that listens on all interfaces
without authentication. Using tools like jconsole, one could read and write
the values of objects in the entire application, possibly leading to
arbitrary command execution. For example, the Java process is started with
the following options.
-Dcom.sun.management.jmxremote.port=1616
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists