Sense of Security – Security Advisory – SOS-15-004
Release Date. | 14-Apr-2015 |
Last Update. | – |
Vendor Notification Date. | 24-Jun-2014 |
Product. | ClickSoftware ClickSchedule Web Application |
Platform. | – |
Affected versions. | – |
Severity Rating. | High |
Impact. | Privilege escalation, Security bypass, Manipulation of data |
Attack Vector. | Remote with authentication |
Solution Status. | Vendor Patch |
CVE reference. | – (SAP Security Note 2111169) |
Details.
ClickSoftware ClickSchedule is a web application that provides workforce management and scheduling functionality to field engineers and managers. The ClickSchedule application and its backend web service contain vertical and horizontal privilege escalation vulnerabilities that allow mobile users to impersonate other users knowing only their username, without their password. The ClickSchedule web service used by the web application performs no access control after the initial NTLM authentication exchange. It also takes the user identity from the CallerIdentity and ID variables supplied in each request rather than from the identity established in the authenticated session. Users can therefore spoof their identity to manipulate system logging or bypass access control. Attackers can use these vulnerabilities to impersonate a privileged user, obtaining unauthorised access to SAP resources or manipulating SAP data that requires higher privileges.
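The identity-handling flaw described above, modelled as an added example (not ClickSoftware's code) beside the defender-side fix: the service must derive "who" from the NTLM-authenticated session, treat the CallerIdentity and ID request fields as untrusted, and apply per-request access control. The field names come from the advisory; the Session and Request shapes, the "manager" role and the schedule data are assumptions constructed for the example.

```python
from dataclasses import dataclass

class AccessDenied(Exception):
    pass

@dataclass
class Session:
    # Identity fixed by the NTLM exchange; the only trusted source of "who".
    principal: str
    roles: frozenset = frozenset()

@dataclass
class Request:
    session: Session
    body: dict  # client-controlled fields, e.g. {"CallerIdentity": ..., "ID": ...}

# Constructed schedule data keyed by user, standing in for the backend store.
SCHEDULES = {"alice": ["job-101"], "bob": ["job-202"]}
audit_log = []

def vulnerable_get_schedule(req):
    # Flawed pattern from the advisory: identity and target are taken from
    # the request body, so both the audit trail and the data returned are
    # whatever the caller chose to put there.
    caller = req.body.get("CallerIdentity")
    target = req.body.get("ID", caller)
    audit_log.append(f"{caller} read schedule of {target}")
    return SCHEDULES[target]

def resolve_identity(req):
    # Identity comes from the session. A CallerIdentity field may still be
    # present for compatibility, but it must agree with the session; a
    # mismatch is a spoofing attempt and is logged and rejected.
    claimed = req.body.get("CallerIdentity")
    principal = req.session.principal
    if claimed is not None and claimed != principal:
        audit_log.append(f"MISMATCH session={principal} claimed={claimed}")
        raise AccessDenied("CallerIdentity does not match authenticated principal")
    return principal

def hardened_get_schedule(req):
    # Per-request access control after authentication: a user may read only
    # their own schedule unless the session carries the (assumed) manager role.
    principal = resolve_identity(req)
    target = req.body.get("ID", principal)
    if target != principal and "manager" not in req.session.roles:
        audit_log.append(f"DENIED {principal} read schedule of {target}")
        raise AccessDenied("cross-user access requires manager role")
    audit_log.append(f"{principal} read schedule of {target}")
    return SCHEDULES[target]
```

The MISMATCH and DENIED audit entries are the lines a detection rule would key on when reviewing the service's logs.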
Solution.
Install the 8.2 Patch002 Security Enhancement.msi and follow the vendor instructions contained in the security note.
Discovered by.
Fatih Ozavci from Sense of Security Labs.