Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Multiple Vulnerabilities Found in BMC Track-It! Help Desk Software

Track-It!, the IT helpdesk solution developed by business service management software company BMC Software, is plagued by several vulnerabilities, the CERT Coordination Center at Carnegie Mellon University (CERT/CC) warned this week.

Track-It!, the IT helpdesk solution developed by business service management software company BMC Software, is plagued by several vulnerabilities, the CERT Coordination Center at Carnegie Mellon University (CERT/CC) warned this week.

A total of three flaws were identified by Pedro Ribeiro of Agile Information Security in BMC Track-It! version 11.3.0.355.

One of the vulnerabilities has been cataloged as “missing authentication for critical function” and has been assigned the CVE identifier CVE-2014-4872. The flaw can be exploited by a remote unauthenticated attacker to upload and download files, and execute arbitrary code.

“BMC Track-It! exposes several dangerous remote .NET services on port 9010 without authentication. .NET remoting allows a user to invoke methods remotely and retrieve their result. The exposed service FileStorageService allows for arbitrary file upload and code execution. The exposed service ConfigurationService allows for retrieval of configuration files which contain both application and domain credentials,” CERT/CC wrote in its advisory.

The second vulnerability, CVE-2014-4873, can be exploited by an authenticated user for blind SQL injection by entering comparison operators in the POST string for the /TrackItWeb/Grid/GetData page.

The third issue, CVE-2014-4874, is related to permissions, privileges and access control, and it can allow a remote authenticated attacker to download arbitrary files on the /TrackItWeb/Attachment page.

Advertisement. Scroll to continue reading.

CERT/CC is unaware of a practical solution to the problem. Using a firewall to block inbound requests to port 9010 prevents access to the vulnerable methods, but it could interfere with the normal operation of the software, the organization explained.

“BMC takes application security seriously.  We have a dedicated product application security team which monitors incoming alerts sent to our [email protected] alias, as well as all AppSec related issues reported by customers through our support team, via Twitter or directly from Application Security researchers. We work hard to respond to these alerts and repair all CVSS critical or high vulnerabilities found in any of our products,” BMC Software representatives told SecurityWeek.

In this particular case, the company says it’s aware of the vulnerabilities and its AppSec team has been working on addressing them. BMC Software also noted that it has contacted Pedro Ribeiro regarding his findings, and is in contact with all appropriate organizations and users of the product.

“We will issue support alerts to affected customers and relevant organizations,” the company said.

In late September, BMC Software informed customers that it had been investigating and assessing the impact of the GNU Bash vulnerability dubbed “ShellShock” on the company’s products and services.

The list of affected products and services includes ADDM, BMC Remedy OnDemand, CLM Rapid Deployment Stack, BMC Middleware and Transaction Management, BMC Application Management Console, BMC Real End User Experience Hardware collector (1200 series), BMC Real End User Experience Monitoring, BMC TrueSight End User Collector (4200 Series), and BMC TrueSight End User Monitor (all series).

A fix has already been made available for ADDM, and perimeter systems have been updated to minimize exposure from the Web in the case of BMC Remedy OnDemand. As for the other products, patches are expected to become available later this month, the company said. 

 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Jared Bartel has been named CISO at Idaho State University.

Automated phishing protection and scam prevention company Bolster has appointed Rod Schultz as CEO.

Bugcrowd has appointed Trey Ford as CISO for the Americas.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.