Multiple Vulnerabilities Found in BMC Track-It! Help Desk Software

Track-It!, the IT helpdesk solution developed by business service management software company BMC Software, is plagued by several vulnerabilities, the CERT Coordination Center at Carnegie Mellon University (CERT/CC) warned this week.

A total of three flaws were identified by Pedro Ribeiro of Agile Information Security in BMC Track-It! version

One of the vulnerabilities has been cataloged as “missing authentication for critical function” and has been assigned the CVE identifier CVE-2014-4872. The flaw can be exploited by a remote unauthenticated attacker to upload and download files, and execute arbitrary code.

“BMC Track-It! exposes several dangerous remote .NET services on port 9010 without authentication. .NET remoting allows a user to invoke methods remotely and retrieve their result. The exposed service FileStorageService allows for arbitrary file upload and code execution. The exposed service ConfigurationService allows for retrieval of configuration files which contain both application and domain credentials,” CERT/CC wrote in its advisory.

The second vulnerability, CVE-2014-4873, can be exploited by an authenticated user for blind SQL injection by entering comparison operators in the POST string for the /TrackItWeb/Grid/GetData page.

The third issue, CVE-2014-4874, is related to permissions, privileges and access control, and it can allow a remote authenticated attacker to download arbitrary files on the /TrackItWeb/Attachment page.

CERT/CC is unaware of a practical solution to the problem. Using a firewall to block inbound requests to port 9010 prevents access to the vulnerable methods, but it could interfere with the normal operation of the software, the organization explained.
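As an added example (not part of the article or the CERT/CC advisory): before applying the port 9010 block described above, a defender can review which sources currently reach that port, both to scope an allow rule that does not break normal operation and to spot unexpected clients. The CSV log format, the trusted subnet and every sample line are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import Counter

TRACKIT_PORT = 9010  # .NET remoting port named in the CERT/CC advisory

# Assumption: subnets expected to reach the Track-It! server on this port.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample connection log: timestamp,src,dst,dport,action
SAMPLE_LOG = """\
2014-10-08T09:00:01Z,10.20.0.15,10.20.0.5,9010,allow
2014-10-08T09:00:07Z,10.20.0.15,10.20.0.5,9010,allow
2014-10-08T09:02:44Z,10.20.0.31,10.20.0.5,443,allow
2014-10-08T09:05:12Z,198.51.100.23,10.20.0.5,9010,allow
2014-10-08T09:05:13Z,198.51.100.23,10.20.0.5,9010,allow
2014-10-08T09:06:00Z,10.99.4.8,10.20.0.5,9010,deny
2014-10-08T09:07:00Z,not-an-ip,10.20.0.5,9010,allow
"""


def is_trusted(addr):
    """True if addr falls inside one of the assumed trusted subnets."""
    return any(addr in net for net in TRUSTED_NETS)


def summarize(log_text, port=TRACKIT_PORT):
    """Count allowed connections to `port` per source IP.

    Returns (trusted, untrusted) Counters. Trusted sources are candidates
    for a scoped allow rule; untrusted ones need investigation.
    """
    trusted, untrusted = Counter(), Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip truncated or malformed records
        _, src, _, dport, action = (field.strip() for field in row)
        try:
            src_ip = ipaddress.ip_address(src)
            if int(dport) != port:
                continue
        except ValueError:
            continue  # unparseable address or port
        if action.lower() != "allow":
            continue  # already blocked at the firewall
        bucket = trusted if is_trusted(src_ip) else untrusted
        bucket[str(src_ip)] += 1
    return trusted, untrusted
```
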

“BMC takes application security seriously. We have a dedicated product application security team which monitors incoming alerts sent to our [email protected] alias, as well as all AppSec related issues reported by customers through our support team, via Twitter or directly from Application Security researchers. We work hard to respond to these alerts and repair all CVSS critical or high vulnerabilities found in any of our products,” BMC Software representatives told SecurityWeek.

In this particular case, the company says it’s aware of the vulnerabilities and its AppSec team has been working on addressing them. BMC Software also noted that it has contacted Pedro Ribeiro regarding his findings, and is in contact with all appropriate organizations and users of the product.

“We will issue support alerts to affected customers and relevant organizations,” the company said.

In late September, BMC Software informed customers that it had been investigating and assessing the impact of the GNU Bash vulnerability dubbed “ShellShock” on the company’s products and services.

The list of affected products and services includes ADDM, BMC Remedy OnDemand, CLM Rapid Deployment Stack, BMC Middleware and Transaction Management, BMC Application Management Console, BMC Real End User Experience Hardware collector (1200 series), BMC Real End User Experience Monitoring, BMC TrueSight End User Collector (4200 Series), and BMC TrueSight End User Monitor (all series).

A fix has already been made available for ADDM, and perimeter systems have been updated to minimize exposure from the Web in the case of BMC Remedy OnDemand. As for the other products, patches are expected to become available later this month, the company said. 


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
