Remote code execution vulnerability patched in Micro Focus Operations Bridge Reporter


Fixes have been issued for vulnerable servers

A remote code execution vulnerability has been patched in Micro Focus Operations Bridge Reporter

Multiple vulnerabilities, including a remote code execution (RCE) flaw, have been patched in Micro Focus Operations Bridge Reporter.

Operations Bridge Reporter (OBR) is an enterprise-grade solution based on Vertica and Big Data database analytics, as well as SAP BusinessObjects, Postgres, and other enterprise software. OBR facilitates data collection and aggregation on servers.

In a security advisory on March 2, Agile Information Security researcher Pedro Ribeiro disclosed multiple critical security issues in the software.

“OBR requires a number of network ports to be opened in order to communicate with other hosts, as can be seen in their installation documentation,” Ribeiro noted. “This gives it a huge externally-facing attack surface.”


OBR is available for both Windows and Linux machines. In total, five Linux-based command injection bugs affecting login functionality were found, all of which can be triggered by unauthenticated attackers. The vulnerabilities are tracked under CVE-2021-22502 and can lead to RCE as root.

The AdminService web application contains an SQL injection issue, and while a CVE is yet to be assigned, the vulnerability is considered critical. However, authentication is required to exploit the bug.

Multiple vulnerabilities

In addition, Ribeiro uncovered the use of hard-coded credentials in OBR on Linux. Tracked as CVE-2020-11857, this security flaw was found in the hard-coded credentials for the user at the time SAP BO is installed. The user has full login permissions.

An exposed, unauthenticated JMX endpoint also existed, leading to RCE on both Windows and Linux. This vulnerability has been assigned CVE-2020-11856.

Finally, there were incorrect default file permissions in both the Windows and Linux builds, tracked as CVE-2020-11855, which could be exploited in privilege escalation attacks – to SYSTEM on Windows, and to root on Linux.

The vulnerabilities impact OBR version 10.40, and it is suspected that earlier versions are also affected.

‘Catastrophic’ solution

While Micro Focus’ solution may be useful for data analytics, in terms of security Ribeiro labeled the product a “catastrophe”.

“[OBR is] a product with a huge attack surface, with terribly insecure defaults and horrible security errors,” the researcher added. “The vulnerabilities described in this advisory are hilarious, and belong in textbooks, not in enterprise security software.”

Ribeiro previously published a separate notice concerning multiple RCE vulnerabilities in Micro Focus Operations Bridge Manager (OBM) in 2020.

“This latest one doesn’t have as many vulnerabilities, but in a way it’s far worse because the vulnerabilities are trivial,” Ribeiro told The Daily Swig.

“Unauthenticated RCE via direct command injection at login sounds like something one would find in a CTF, yet here it is in an enterprise product created by a multi-billion product company.”


Micro Focus has since published advisories informing customers of the security flaws and advises upgrading to the latest build of the software. The company has thanked the researcher for his report.

“It has come to our attention that a report has been written about possible security vulnerabilities in Micro Focus Operations Bridge Reporter (OBR) when the solution’s post-installation hardening steps are not completed,” a spokesperson for Micro Focus told The Daily Swig.

“Known security vulnerabilities have been addressed in February and in our latest OBR 10.50 release (December 2020). The R&D team is analyzing the full report to determine if further action is required.”
