143 lines
No EOL
5.1 KiB
Text
Executable file
143 lines
No EOL
5.1 KiB
Text
Executable file
Advisory: Endeca Latitude Cross-Site Request Forgery
|
||
|
||
RedTeam Pentesting discovered a Cross-Site Request Forgery (CSRF)
|
||
vulnerability in Endeca Latitude. Using this vulnerability, an attacker
|
||
might be able to change several different settings of the Endeca
|
||
Latitude instance or disable it entirely.
|
||
|
||
|
||
Details
|
||
=======
|
||
|
||
Product: Endeca Latitude
|
||
Affected Versions: 2.2.2, potentially others
|
||
Fixed Versions: N/A
|
||
Vulnerability Type: Cross-Site Request Forgery
|
||
Security Risk: low
|
||
Vendor URL: N/A
|
||
Vendor Status: decided not to fix
|
||
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2013-002
|
||
Advisory Status: published
|
||
CVE: CVE-2014-2399
|
||
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2399
|
||
|
||
|
||
Introduction
|
||
============
|
||
|
||
Endeca Latitude is an enterprise data discovery platform for advanced,
|
||
yet intuitive, exploration and analysis of complex and varied data.
|
||
Information is loaded from disparate source systems and stored in a
|
||
faceted data model that dynamically supports changing data. This
|
||
integrated and enriched data is made available for search, discovery,
|
||
and analysis via interactive and configurable applications.
|
||
|
||
(from the vendor's homepage)
|
||
|
||
|
||
More Details
|
||
============
|
||
|
||
Endeca Latitude offers administrators the ability to perform different
|
||
administrative and configuration operations by accessing URLs.
|
||
These URLs are not secured by a randomly generated token and therefore
|
||
are prone to Cross-Site Request Forgery attacks.
|
||
|
||
For example by accessing the URL http://example.com/admin?op=exit an
|
||
administrator can shut down the Endeca Latitude instance. Several other
|
||
URLs exist (as documented at [1] and [2]) which can be used to trigger
|
||
operations such as flushing cashes or changing the logging settings.
|
||
|
||
|
||
Proof of Concept
|
||
================
|
||
|
||
An attacker might prepare a website, which can trigger arbitrary
|
||
functionality (see [1] and [2]) of an Endeca Latitude instance if
|
||
someone opens the attacker's website in a browser that can reach Endeca
|
||
Latitude. An easy way to implement this is to embed a hidden image into
|
||
an arbitrary website which uses the corresponding URL as its source:
|
||
|
||
<img src="http://example.com/admin?op=exit" style="display:hidden" />
|
||
<img src="http://example.com/config?op=log-disable" style="display:hidden" />
|
||
[...]
|
||
|
||
|
||
Workaround
|
||
==========
|
||
|
||
The vendor did not update the vulnerable software, but recommends to
|
||
configure all installations to require mutual authentication using TLS
|
||
certificates for both servers and clients, while discouraging users from
|
||
installing said client certificates in browsers.
|
||
|
||
|
||
Fix
|
||
===
|
||
|
||
Not available. The vendor did not update the vulnerable software to
|
||
remedy this issue.
|
||
|
||
|
||
Security Risk
|
||
=============
|
||
|
||
The vulnerability can enable attackers to be able to interact with an
|
||
Endeca Latitude instance in different ways. Possible attacks include the
|
||
changing of settings as well as denying service by shutting down a
|
||
running instance. Attackers mainly benefit from this vulnerability if
|
||
the instance is not already available to them, but for example only to
|
||
restricted IP addresses or after authentication. Since this makes it
|
||
harder to identify potential target systems and the attack mainly allows
|
||
to disturb the service until it is re-started, the risk of this
|
||
vulnerability is considered to be low.
|
||
|
||
|
||
Timeline
|
||
========
|
||
|
||
2013-10-06 Vulnerability identified
|
||
2013-10-08 Customer approved disclosure to vendor
|
||
2013-10-15 Vendor notified
|
||
2013-10-17 Vendor responded that investigation/fixing is in progress
|
||
2014-02-24 Vendor responded that bug is fixed and scheduled for a future
|
||
CPU
|
||
2014-03-13 Vendor responded with additional information about a
|
||
potential workaround
|
||
2014-04-15 Vendor releases Critical Patch Update Advisory with little
|
||
information on the proposed fix
|
||
2014-04-16 More information requested from vendor
|
||
2014-05-02 Vendor responds with updated information
|
||
2014-06-25 Advisory released
|
||
|
||
|
||
References
|
||
==========
|
||
|
||
[1] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/toc.htm#List%20of%20administrative%20operations
|
||
[2] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/toc.htm#List%20of%20supported%20logging%20variables
|
||
|
||
|
||
RedTeam Pentesting GmbH
|
||
=======================
|
||
|
||
RedTeam Pentesting offers individual penetration tests, short pentests,
|
||
performed by a team of specialised IT-security experts. Hereby, security
|
||
weaknesses in company networks or products are uncovered and can be
|
||
fixed immediately.
|
||
|
||
As there are only few experts in this field, RedTeam Pentesting wants to
|
||
share its knowledge and enhance the public knowledge with research in
|
||
security related areas. The results are made available as public
|
||
security advisories.
|
||
|
||
More information about RedTeam Pentesting can be found at
|
||
https://www.redteam-pentesting.de.
|
||
|
||
|
||
--
|
||
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
|
||
Dennewartstr. 25-27 Fax : +49 241 510081-99
|
||
52068 Aachen https://www.redteam-pentesting.de
|
||
Germany Registergericht: Aachen HRB 14004
|
||
Gesch<EFBFBD>ftsf<EFBFBD>hrer: Patrick Hof, Jens Liebchen |