Endeca Latitude 2.2.2 - CSRF Vulnerability

Bài liên quan

Advisory: Endeca Latitude Cross-Site Request Forgery

 

RedTeam Pentesting discovered a Cross-Site Request Forgery (CSRF)

vulnerability in Endeca Latitude. Using this vulnerability, an attacker

might be able to change several different settings of the Endeca

Latitude instance or disable it entirely.

 

 

Details

=======

 

Product: Endeca Latitude

Affected Versions: 2.2.2, potentially others

Fixed Versions: N/A

Vulnerability Type: Cross-Site Request Forgery

Security Risk: low

Vendor URL: N/A

Vendor Status: decided not to fix

Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2013-002

Advisory Status: published

CVE:  CVE-2014-2399

CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2399

 

 

Introduction

============

 

Endeca Latitude is an enterprise data discovery platform for advanced,

yet intuitive, exploration and analysis of complex and varied data.

Information is loaded from disparate source systems and stored in a

faceted data model that dynamically supports changing data. This

integrated and enriched data is made available for search, discovery,

and analysis via interactive and configurable applications.

 

(from the vendor's homepage)

 

 

More Details

============

 

Endeca Latitude offers administrators the ability to perform different

administrative and configuration operations by accessing URLs.

These URLs are not secured by a randomly generated token and therefore

are prone to Cross-Site Request Forgery attacks.

 

For example by accessing the URL http://example.com/admin?op=exit an

administrator can shut down the Endeca Latitude instance. Several other

URLs exist (as documented at [1] and [2]) which can be used to trigger

operations such as flushing cashes or changing the logging settings.

 

 

Proof of Concept

================

 

An attacker might prepare a website, which can trigger arbitrary

functionality (see [1] and [2]) of an Endeca Latitude instance if

someone opens the attacker's website in a browser that can reach Endeca

Latitude.  An easy way to implement this is to embed a hidden image into

an arbitrary website which uses the corresponding URL as its source:

 

<img src="http://example.com/admin?op=exit" style="display:hidden" />

<img src="http://example.com/config?op=log-disable" style="display:hidden" />

[...]

 

 

Workaround

==========

 

The vendor did not update the vulnerable software, but recommends to

configure all installations to require mutual authentication using TLS

certificates for both servers and clients, while discouraging users from

installing said client certificates in browsers.

 

 

Fix

===

 

Not available. The vendor did not update the vulnerable software to

remedy this issue.

 

 

Security Risk

=============

 

The vulnerability can enable attackers to be able to interact with an

Endeca Latitude instance in different ways. Possible attacks include the

changing of settings as well as denying service by shutting down a

running instance. Attackers mainly benefit from this vulnerability if

the instance is not already available to them, but for example only to

restricted IP addresses or after authentication. Since this makes it

harder to identify potential target systems and the attack mainly allows

to disturb the service until it is re-started, the risk of this

vulnerability is considered to be low.

 

 

Timeline

========

 

2013-10-06 Vulnerability identified

2013-10-08 Customer approved disclosure to vendor

2013-10-15 Vendor notified

2013-10-17 Vendor responded that investigation/fixing is in progress

2014-02-24 Vendor responded that bug is fixed and scheduled for a future

           CPU

2014-03-13 Vendor responded with additional information about a

           potential workaround

2014-04-15 Vendor releases Critical Patch Update Advisory with little

           information on the proposed fix

2014-04-16 More information requested from vendor

2014-05-02 Vendor responds with updated information

2014-06-25 Advisory released

 

 

References

==========

 

[1] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/toc.htm#List%20of%20administrative%20operations

[2] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/toc.htm#List%20of%20supported%20logging%20variables

 

 

RedTeam Pentesting GmbH

=======================

 

RedTeam Pentesting offers individual penetration tests, short pentests,

performed by a team of specialised IT-security experts. Hereby, security

weaknesses in company networks or products are uncovered and can be

fixed immediately.

 

As there are only few experts in this field, RedTeam Pentesting wants to

share its knowledge and enhance the public knowledge with research in

security related areas. The results are made available as public

security advisories.

 

More information about RedTeam Pentesting can be found at

https://www.redteam-pentesting.de.

 

 

--

RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0

Dennewartstr. 25-27                       Fax : +49 241 510081-99

52068 Aachen                    https://www.redteam-pentesting.de

Germany                         Registergericht: Aachen HRB 14004

Geschäftsführer:                       Patrick Hof, Jens Liebchen