Document Title ============== Multiple vulnerabilities in BMC Remedy Reported By =========== Simon Rawet from Outpost24 Kristian Varnai from Outpost24 Vendor description ================== "Remedy Service Management Suite is an enterprise service management platform built natively for mobile with an intuitive, people-centric user experience that makes your whole organization more productive." Source: http://www.bmc.com/it-solutions/remedy-itsm.html Vulnerability Disclosure Timeline: ================================== 2017-07-14: Vulnerability details sent. 2017-07-14: Vendor: PGP key was rotated. 2017-07-15: Vulnerability details sent with their new PGP key. 2017-07-17: Vendor: Acknowledged received report. 2017-07-21: Vulnerability details sent for newly found vulnerabilities. 2017-07-25: Vendor: Response to first report (2017-07-15), see Vendor Response section 2017-08-01: Vendor: Acknowledged receiving the second report 2017-08-04: Response to vendor response. 90 days deadline given. 2017-10-04: Request for update. For any updates visit: https://outpost24.com/bmc-remedy-vulnerabilities-identified Remote and Local File Inclusion =============================== The remedy system exposes the birt report engine, allowing for an attacker to include arbitrary external or internal files. Due to the lack of restrictions on what can be targeted, this opens up the system for many potential attacks, such as system fingerprinting, internal port scanning, SSRF, or remote code execution. Internal Path Disclosure ======================== The remedy system exposes the birt report engine, allowing for an attacker to disclose the internal filepath through its verbose error message, by including a non-existent file. Cross-Site Scripting ==================== A reflected cross-site scripting was discovered, affecting both authenticated and unauthenticated users. Cross-Site Script Include ========================= BMC uses dynamically generated javascript to provide environmental variables for the users, this could be included by a malicious third-party site, and used to steal the CSRF token. Log Hijacking ============= The remote logging of the remedy system can be accessed by unauthenticated users, allowing for an attacker to hijack the system logs. This data can include usernames, as well as HTTP data, including cookies. Session Token Disclosure ======================== Some HTTP responses include the value of the session token, allowing a javascript to bypass the httponly flag on the session cookie and steal it. Authenticated Code Execution =========================== Authenticated users that have the right to create reports, can use the birt templating to gain code execution. Access to this functionality appears to be granted to all users by default. Vendor Response =============== Remote and Local File Inclusion: vendor referred to a communities post and existing CVEs; post claimed that the issue has been fixed in later versions, however, testing confirms the vulnerability to still be present; existing CVE misclassifies finding as a plain content inclusion. We informed them of these issues; no response from vendor. Internal Path Disclosure: vendor referred to a hotfix on their communities page; however, this hotfix will not work. We informed them of these issues; no response from vendor. Cross-Site Scripting: vendor acknowledged vulnerability and stated plans of fixing it. Cross-Site Script Include: vendor acknowledged vulnerability and stated that they are in the process of following up on it. Log Hijacking: vendor acknowledged vulnerability and stated that access to the offending service will be removed in later versions. Session Token Disclosure: No response from vendor. Authenticated Code Execution: No response from vendor. -- Simon Rawet Web Application Analyst M: +46 708 474 323 | T: +46 455 612 323 Outpost24 - Vulnerability Management made easy Outpost24 Sweden | Skeppsbrokajen 8 | 371 33, Karlskrona | Sweden