[<prev] [next>] [day] [month] [year] [list]
Message-ID: <bd6dc36f-45bf-990d-c3b6-70a59d2cc94c@sec-consult.com>
Date: Thu, 24 Jan 2019 23:57:28 +0100
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: <bugtraq@...urityfocus.com>, <fulldisclosure@...lists.org>
Subject: [FD] SEC Consult SA-20190124-0 :: Cross-site scripting in CA
Automic Workload Automation Web Interface (AWI)
SEC Consult Vulnerability Lab Security Advisory < 20190124-0 >
=======================================================================
title: Cross-site scripting
product: CA Automic Workload Automation Web Interface (AWI)
(formerly Automic Automation Engine, UC4)
vulnerable version: 12.0, 12.1, 12.2
fixed version: 12.0.6 HF2, 12.1.3 HF3, 12.2.1 HF1
CVE number: CVE-2019-6504
impact: medium
homepage: https://www.ca.com
found: 2018-10-15
by: Marc Nimmerrichter (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"The modern enterprise needs to orchestrate a complex, diverse landscape of
applications, platforms and technologies. Workload automation can prove a
critical differentiator, but only if it provides intelligent automation driven
by data analytics.
[...]
CA Automic Workload Automation gives you the agility, speed, visibility and
scalability needed to respond to the constantly changing technology landscape.
It centrally manages and automates the execution of business processes
end-to-end; across mainframe, cloud and hybrid environments in a way that never
stops—even when doing an upgrade to the next version."
Source: https://www.ca.com/us/products/workload-automation-solution.html
Business recommendation:
------------------------
Be aware that restrictions on privileges can be bypassed and that attackers may
be able to take over other users' accounts. SEC Consult recommends to apply the
vendor patch as soon as possible.
Vulnerability overview/description:
-----------------------------------
The Automation Engine Web Interface, short AWI, is susceptible to a
persistent cross-site scripting attack (XSS). The origin of this vulnerability
is in an outdated version of the Vaadin framework (version 7.7.9), which is
heavily used in the implementation of the UI. This version of the Vaadin
framework is vulnerable to an XSS vulnerability in tooltips [1]. If attackers
can control the content of tooltips created with the framework, they can execute
arbitrary JavaScript code in the context of the user viewing the tooltip. AWI
uses tooltips for various data-fields, e.g. for the title of objects created.
Thus, if a user has the privilege to create or edit objects, they can inject
JavaScript code, which will get executed by other users if they move their
cursor over the text containing the tooltip.
[1] https://github.com/vaadin/framework/issues/8731
Proof of concept:
-----------------
The vulnerability can be reproduced by creating/editing any object in AWI and
using a normal JavaScript payload, e.g. with an onerror handler.
Because tooltips are only shown in AWI when the text length exceeds the column
width, the text needs to be padded with some sample-text to make sure the
JavaScript code gets executed.
Vulnerable / tested versions:
-----------------------------
The tested version of AWI was 12.2.0.
Vendor contact timeline:
------------------------
2018-10-18: SEC Consult contacts vendor through vuln@...com via encrypted email.
2018-10-25: Vendor confirms the receipt of the vulnerability information.
2018-11-22: Vendor confirms the vulnerability and asks for postponement of
advisory release date.
2018-12-11: Vendor provides planned patch numbers.
2018-01-17: Vendor informs SEC Consult that patches have been published.
2019-01-18: CA Technologies and SEC Consult define January 24th 2019 as release
date for SEC Consult advisory and CA Technologies Security Notice.
2019-01-24: Public release of security advisory
Solution:
---------
The vendor provides patched versions:
Automic.Web.Interface 12.0.6 HF2
Automic.Web.Interface 12.1.3 HF3
Automic.Web.Interface 12.2.1 HF1
Available from: https://downloads.automic.com/
The vendor released a security advisory which is available here:
https://support.ca.com/us/product-content/recommended-reading/security-notices/CA20190124-01-security-notice-for-ca-automic-workload-automation.html
Workaround:
-----------
None
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Marc Nimmerrichter / @2019
Download attachment "smime.p7s" of type "application/pkcs7-signature" (3995 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists