BMC Remedy LFI / RFI / XSS / Code Execution

Posted Oct 19, 2017
Authored by Simon Rawet

BMC Remedy suffers from log hijacking, code execution, cross site scripting, local/remote file inclusion, and various other vulnerabilities.

tags | advisory, remote, local, vulnerability, code execution, xss, file inclusion
SHA-256 | c6fa562818b1352c2a735852ad1c1476e144b6d0764d20ad7b71978fa845f0de

Document Title
==============
Multiple vulnerabilities in BMC Remedy

Reported By
===========
Simon Rawet from Outpost24
Kristian Varnai from Outpost24

Vendor description
==================
"Remedy Service Management Suite is an enterprise service management
platform built natively for mobile with an intuitive, people-centric
user experience that makes your whole organization more productive."
Source: http://www.bmc.com/it-solutions/remedy-itsm.html

Vulnerability Disclosure Timeline:
==================================
2017-07-14: Vulnerability details sent.
2017-07-14: Vendor: PGP key was rotated.
2017-07-15: Vulnerability details sent with their new PGP key.
2017-07-17: Vendor: Acknowledged received report.
2017-07-21: Vulnerability details sent for newly found vulnerabilities.
2017-07-25: Vendor: Response to first report (2017-07-15), see Vendor Response section.
2017-08-01: Vendor: Acknowledged receiving the second report
2017-08-04: Response to vendor response. 90 days deadline given.
2017-10-04: Request for update.

For any updates visit:
https://outpost24.com/bmc-remedy-vulnerabilities-identified



Remote and Local File Inclusion
===============================
The Remedy system exposes the BIRT report engine, allowing an attacker to
include arbitrary external or internal files. Because there are no
restrictions on what can be targeted, this opens the system up to many
potential attacks, such as system fingerprinting, internal port scanning,
SSRF, or remote code execution.


Internal Path Disclosure
========================
The Remedy system exposes the BIRT report engine, allowing an attacker to
disclose the internal file path through its verbose error message by
including a non-existent file.
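The two findings above share one root cause: a report name that reaches the file system and the network unchecked, and an error path that echoes the server-side location. The resolver below is an added example, not BMC or BIRT code. It assumes report templates live under a single directory and that the request supplies only a relative name; the `.rptdesign` suffix allow-list is an assumption about the deployment, and the fixture it runs against is constructed.

```python
"""Allow-listed report resolver: added example, not BMC or BIRT code.

Assumption: report templates live under one directory and the request names a
report relative to it.  Remote references, directory escapes and unexpected
file types are refused, and the client-facing error never echoes a server path.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import urlsplit


class ReportRequestError(Exception):
    """Client-facing error; deliberately carries no file-system detail."""


class ReportResolver:
    # Assumed deployment convention: only BIRT design files are servable.
    ALLOWED_SUFFIXES = {".rptdesign"}

    def __init__(self, base):
        # Canonicalise the base once (symlinks resolved) so containment is exact.
        self.base = Path(base).resolve()

    def resolve(self, requested: str) -> Path:
        # 1. Remote inclusion: any URL scheme (http:, file:, jar:, ...) is refused.
        if urlsplit(requested).scheme:
            raise ReportRequestError("invalid report name")
        # 2. Absolute paths and embedded NUL bytes never reach the file system.
        if os.path.isabs(requested) or "\x00" in requested:
            raise ReportRequestError("invalid report name")
        # 3. Canonicalise the candidate and require it to stay inside base.
        candidate = (self.base / requested).resolve()
        if os.path.commonpath([str(self.base), str(candidate)]) != str(self.base):
            raise ReportRequestError("invalid report name")
        if candidate.suffix not in self.ALLOWED_SUFFIXES:
            raise ReportRequestError("invalid report name")
        # 4. Existence is checked last, with a generic message: the verbose
        #    "file not found: /opt/.../x" style error is what leaks the path.
        if not candidate.is_file():
            raise ReportRequestError("report not found")
        return candidate


def demo() -> dict:
    """Constructed fixture: one real report, one file outside the base, and
    one probe per failure mode.  Returns a name -> outcome map."""
    root = Path(tempfile.mkdtemp())
    (root / "reports").mkdir()
    (root / "reports" / "sales.rptdesign").write_text("<report/>")
    (root / "secret.txt").write_text("outside the report directory")
    resolver = ReportResolver(root / "reports")

    probes = [
        "sales.rptdesign",                       # legitimate
        "../secret.txt",                         # directory escape
        "http://remote.example/x.rptdesign",     # remote inclusion
        "/tmp/elsewhere.rptdesign",              # absolute path
        "missing.rptdesign",                     # non-existent file
    ]
    outcomes = {}
    for name in probes:
        try:
            outcomes[name] = "ok:" + resolver.resolve(name).name
        except ReportRequestError as exc:
            outcomes[name] = "rejected:" + str(exc)
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:40} {outcome}")
```

The ordering matters: the scheme and containment checks run before anything touches the disk, and the existence check comes last so that a probe for a non-existent file learns only that it does not exist, not where the server looked.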


Cross-Site Scripting
====================
A reflected cross-site scripting vulnerability was discovered, affecting
both authenticated and unauthenticated users.


Cross-Site Script Include
=========================
BMC uses dynamically generated JavaScript to provide environment
variables to users. This script could be included by a malicious
third-party site and used to steal the CSRF token.


Log Hijacking
=============
The remote logging of the Remedy system can be accessed by
unauthenticated users, allowing an attacker to hijack the system logs.
This data can include usernames as well as HTTP data, including cookies.


Session Token Disclosure
========================
Some HTTP responses include the value of the session token, allowing
JavaScript to bypass the HttpOnly flag on the session cookie and steal it.
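The Cross-Site Script Include and Session Token Disclosure findings above come from the same habit: secrets placed in a response body that another origin, or injected script, can read. The Python below is an added example, not BMC code; it contrasts the vulnerable "settings as executable JavaScript" pattern with a hardened form that serves JSON behind a custom-header check and an anti-XSSI prefix, and that never echoes the session token. The `SAMPLE_ENV` values and the key name `sessionToken` are constructed placeholders, and the example assumes the legitimate same-origin client fetches its settings with XMLHttpRequest or fetch and can therefore add a request header.

```python
"""Environment-config endpoint, vulnerable and hardened: added example, not BMC code.

Assumptions: the legitimate same-origin client fetches its settings with
XMLHttpRequest/fetch and can add a request header; ``env`` is a dict the
server would otherwise emit as ``var name = value;`` JavaScript.
"""
import json

# A body starting with this is a syntax error when executed as a script, so a
# cross-origin <script src=...> include fails; the real client strips it.
ANTI_XSSI_PREFIX = ")]}',\n"

# Keys that must never appear in a response body (constructed key name).
SECRET_KEYS = {"sessionToken"}


def env_script_vulnerable(env: dict):
    """The pattern in the advisory: executable JS that any origin can load with
    <script src>, reading the globals it defines.  Returns (status, headers, body)."""
    body = "".join(f"var {name} = {json.dumps(value)};\n" for name, value in env.items())
    return 200, {"Content-Type": "text/javascript"}, body


def env_json_hardened(request_headers: dict, env: dict):
    """Same data, served so that a third-party page cannot read it.  Returns
    (status, headers, body)."""
    # A cross-origin <script> or <img> load cannot set a custom header;
    # requiring one restricts the endpoint to same-origin XHR/fetch callers.
    if request_headers.get("X-Requested-With") != "XMLHttpRequest":
        return 403, {"Content-Type": "text/plain"}, "forbidden"
    # Never echo the session token: the HttpOnly cookie is its only home, and
    # any copy in a response body is readable by injected script.
    safe = {name: value for name, value in env.items() if name not in SECRET_KEYS}
    headers = {
        "Content-Type": "application/json",
        "X-Content-Type-Options": "nosniff",   # never reinterpreted as script
        "Cache-Control": "no-store",
    }
    return 200, headers, ANTI_XSSI_PREFIX + json.dumps(safe)


def client_parse(body: str) -> dict:
    """What the same-origin client does with the hardened response."""
    if not body.startswith(ANTI_XSSI_PREFIX):
        raise ValueError("unexpected response framing")
    return json.loads(body[len(ANTI_XSSI_PREFIX):])


# Constructed sample environment; the values are placeholders.
SAMPLE_ENV = {
    "apiBase": "/api",
    "csrfToken": "csrf-PLACEHOLDER",
    "sessionToken": "sess-PLACEHOLDER",
}

if __name__ == "__main__":
    print(env_script_vulnerable(SAMPLE_ENV)[2])
    print(env_json_hardened({"X-Requested-With": "XMLHttpRequest"}, SAMPLE_ENV)[2])
```

The CSRF token can still be delivered to the legitimate client, because a JSON body with the prefix is inert when loaded as a script and the custom header cannot be attached by a cross-origin include; what is removed entirely is the session token, which has no business outside the HttpOnly cookie.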


Authenticated Code Execution
============================
Authenticated users that have the right to create reports can use the
BIRT templating to gain code execution. Access to this functionality
appears to be granted to all users by default.



Vendor Response
===============
Remote and Local File Inclusion: vendor referred to a communities post
and existing CVEs; the post claimed that the issue had been fixed in
later versions, but testing confirms the vulnerability is still present,
and the existing CVE misclassifies the finding as plain content
inclusion. We informed them of these issues; no response from vendor.

Internal Path Disclosure: vendor referred to a hotfix on their
communities page; however, this hotfix will not work. We informed them
of these issues; no response from vendor.

Cross-Site Scripting: vendor acknowledged vulnerability and stated plans
of fixing it.

Cross-Site Script Include: vendor acknowledged vulnerability and stated
that they are in the process of following up on it.

Log Hijacking: vendor acknowledged vulnerability and stated that access
to the offending service will be removed in later versions.

Session Token Disclosure: No response from vendor.

Authenticated Code Execution: No response from vendor.

--
Simon Rawet
Web Application Analyst
M: +46 708 474 323 | T: +46 455 612 323

Outpost24 - Vulnerability Management made easy
Outpost24 Sweden | Skeppsbrokajen 8 | 371 33, Karlskrona | Sweden

