Collaboration Compliance And Quality Management Platform 9.1.1.5482 Disclosure

Published 03 Oct 2018, reported by Tobias Huppertz (source: packetstormsecurity.com)
Collaboration Compliance and Quality Management Platform 9.1.1.5482 Disclosure. Access Control Vulnerability

  
Advisory ID: SYSS-2018-023  
Product: Collaboration Compliance and Quality Management Platform  
Manufacturer: Verint Verba  
Affected Version(s): <= 9.1.1.5482  
Tested Version(s): 9.1.1.5482  
Vulnerability Type: Improper Access Control (CWE-284)  
Risk Level: Medium  
Solution Status: Fixed  
Manufacturer Notification: 2018-08-29  
Solution Date: 2018-08-31  
Public Disclosure: 2018-10-02  
CVE Reference: CVE-2018-17871  
Author of Advisory: Tobias Huppertz, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
Collaboration Compliance and Quality Management Platform is a product  
for recording and playing back calls from VoIP telephony (including  
Skype), messages and video. Permission management is based on roles and  
groups: members can only play back their own calls, while investigators  
can also play back the calls of other users.  
  
The manufacturer describes the product as follows (see [1]):  
  
"Verint Essential Workforce Optimization offers advanced automation to  
get the most from your workforce. Our software and services can  
enhance the efficiency of your employees and processes, and enable you  
to share workforce intelligence in real-time across your  
business. Mid-market contact centers, back-office operations, branch  
operations and financial trading rooms can rely on Verint Essential  
Workforce Optimization to capture and store interactions, heighten  
quality, ensure compliance and help manage the availability and  
performance of employees in targeted areas of their businesses."  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
On the page "Change Configuration Settings" the user can view the  
configuration. Passwords are only masked with dots by the browser; the  
server delivers them to the client in plaintext. By editing the HTML  
source in the browser, the password fields can be changed into plain  
input fields, which makes the passwords visible.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
A logged-in user can view configured passwords in plaintext. Open the page  
"Change Configuration Settings" and start the Developer Tools (Internet  
Explorer 11: key F12). Change the password fields from type='password' to  
type='edit' and the passwords become visible in plaintext, for example "Key  
File Password" (server certificate) and "Database Password" (SQL Server).  
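The defect described above is that the server writes stored secrets into the page and relies on the browser's password masking, which is purely cosmetic. The following is an added example, not the vendor's code, of the vulnerable rendering pattern beside a fixed one that keeps secrets server-side and sends a placeholder sentinel instead; the configuration values and key names are constructed for illustration.

```python
import html

# Constructed sample configuration store; the two secret keys mirror the
# "Key File Password" and "Database Password" fields named in the advisory.
CONFIG = {
    "key_file_password": "s3cret-cert-pass",  # constructed value
    "database_password": "Sql!Passw0rd",      # constructed value
    "database_host": "db.example.internal",
}
SECRET_KEYS = {"key_file_password", "database_password"}
SENTINEL = "********"  # sent to the client instead of the real secret


def render_field(name: str, value: str) -> str:
    field_type = "password" if name in SECRET_KEYS else "text"
    return (f'<input type="{field_type}" name="{html.escape(name)}" '
            f'value="{html.escape(value, quote=True)}">')


def render_settings_vulnerable(config: dict) -> str:
    # Vulnerable pattern: the real secret sits in the value attribute, so
    # anyone who can read the page source or toggle the input type has it.
    return "\n".join(render_field(k, v) for k, v in config.items())


def render_settings_fixed(config: dict) -> str:
    # Fixed pattern: secrets never leave the server; a sentinel is rendered.
    return "\n".join(render_field(k, SENTINEL if k in SECRET_KEYS else v)
                     for k, v in config.items())


def apply_update(config: dict, form: dict) -> dict:
    # Handle the form POST: a secret field still holding the sentinel means
    # "unchanged"; any other value replaces the stored secret. Unknown keys
    # are ignored so the form cannot write arbitrary settings.
    updated = dict(config)
    for key, value in form.items():
        if key not in config:
            continue
        if key in SECRET_KEYS and value == SENTINEL:
            continue
        updated[key] = value
    return updated


def leaks_secret(page: str, config: dict) -> bool:
    # Review check: does the rendered page contain any stored secret?
    return any(html.escape(config[k], quote=True) in page for k in SECRET_KEYS)
```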
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
Install the new version, which was published by the vendor [2].  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2018-08-16: Vulnerability discovered  
2018-08-30: Vulnerability reported to manufacturer  
2018-08-30: Vulnerability confirmed by manufacturer  
2018-08-31: Update released by manufacturer  
2018-10-01: CVE number assigned  
2018-10-02: Public disclosure of vulnerability  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Collaboration Compliance and Quality Management Platform  
https://www.verba.com/solutions/compliance-recording-collaboration/#Skype-for-Business  
[2] Verba 9.2 Release Notes (build 9.2.2.5549) - RI-016911  
https://releases.verba.com/?v=9.2  
[3] SySS Security Advisory SYSS-2018-023  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-023.txt  
[4] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Tobias Huppertz of SySS GmbH.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory  
may be updated in order to provide as accurate information as  
possible. The latest version of this security advisory is available on  
the SySS Web site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
