Security Advisory – ClickSoftware ClickSchedule Multiple Security Vulnerabilities

Sense of Security – Security Advisory – SOS-15-004

Release Date. 14-Apr-2015
Last Update.
Vendor Notification Date. 24-Jun-2014
Product. ClickSoftware ClickSchedule Web Application
Platform.
Affected versions.
Severity Rating. High
Impact. Privilege escalation, security bypass, manipulation of data
Attack Vector. Remote with authentication
Solution Status. Vendor Patch
CVE reference. –
SAP Security Notes. 2111169

Details.

ClickSoftware ClickSchedule is a web application that provides workforce management and scheduling functionality to field engineers and managers. The ClickSchedule application and its backend web service have vertical and horizontal privilege escalation vulnerabilities that allow mobile users to impersonate other users by knowing only their username, without their password. The ClickSchedule web service that the web application connects to enforces no access control after the initial NTLM authentication exchange, and it uses the CallerIdentity and ID variables supplied in requests as the user identity instead of the identity established in the authenticated session. This allows users to spoof their identity and so manipulate system logging or bypass access control. Attackers can use these vulnerabilities to impersonate a privileged user, obtaining unauthorised access to SAP resources or manipulating SAP data that requires higher privileges.
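The root cause described above, modelled as an added Python example that is not ClickSoftware's code: one handler derives identity and role from the request's CallerIdentity/ID fields, the other binds every request to the principal fixed at authentication time and rejects any mismatch. The user table, schedule store, handler names and audit log are all hypothetical constructs for the illustration.

```python
# Added illustration, not ClickSoftware's code: a minimal model of a web-service
# handler that derives identity from client-supplied CallerIdentity/ID fields,
# beside one that binds every request to the authenticated session principal.

class Forbidden(Exception):
    """Raised when a request is not permitted for the authenticated user."""

# Constructed sample data (hypothetical schema): users known to the backend,
# per-user schedules keyed by user ID, and an in-memory audit log.
USERS = {"tech01": {"id": 1001, "role": "mobile_user"},
         "mgr01": {"id": 2002, "role": "manager"}}
SCHEDULES = {1001: ["J-1"], 2002: ["J-7", "J-9"]}
AUDIT_LOG = []

def vulnerable_approve_job(session, request):
    """Vulnerable pattern: role and identity are taken from the request body,
    so the session established by the NTLM exchange is never consulted."""
    caller = request["CallerIdentity"]              # client-controlled value
    if USERS[caller]["role"] != "manager":          # role check on a spoofable value
        raise Forbidden("managers only")
    AUDIT_LOG.append(f"approved {request['job']} by {caller}")  # log entry is spoofable too
    return SCHEDULES[request["ID"]]                 # horizontal: whatever ID is supplied is served

def hardened_approve_job(session, request):
    """Hardened pattern: identity and role come only from the authenticated
    session; any client-supplied CallerIdentity/ID must match it exactly."""
    user, uid = session["username"], session["id"]
    if request.get("CallerIdentity", user) != user or request.get("ID", uid) != uid:
        # Record the mismatch under the *session* identity so the audit trail is trustworthy.
        AUDIT_LOG.append(f"identity mismatch: session={user} "
                         f"claimed={request.get('CallerIdentity')}/{request.get('ID')}")
        raise Forbidden("claimed identity does not match authenticated session")
    if USERS[user]["role"] != "manager":            # vertical check on the session role
        raise Forbidden("managers only")
    AUDIT_LOG.append(f"approved {request['job']} by {user}")
    return SCHEDULES[uid]

if __name__ == "__main__":
    mobile_session = {"username": "tech01", "id": 1001}   # constructed: a mobile user's session
    spoofed = {"CallerIdentity": "mgr01", "ID": 2002, "job": "J-7"}
    print(vulnerable_approve_job(mobile_session, spoofed))   # served: ['J-7', 'J-9']
    try:
        hardened_approve_job(mobile_session, spoofed)
    except Forbidden as exc:
        print("rejected:", exc)
```

The hardened handler treats CallerIdentity and ID as optional hints that must agree with the session rather than as the source of truth, which is the check the advisory's fix has to enforce on every post-authentication call.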

 

Solution.

Install the 8.2 Patch002 Security Enhancement.msi and follow the vendor instructions contained in the security note.

 

Discovered by.

Fatih Ozavci from Sense of Security Labs.