Security Advisory 2015-01: Vulnerability in OTRS iPhoneHandle interface allows user with valid session privilege escalation
September 29, 2015 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.
Please send information regarding vulnerabilities in OTRS to: firstname.lastname@example.org
Security Advisory Details
- ID: OSA-2015-01
- Date: 2015-09-29
- Title: Vulnerability in OTRS iPhone Handle interface allows user with valid session privilege escalation
- Severity: high (Overall CVSS Score: 7)
- Product: iPhone Handle 4.0.x (OTRS 4) iPhone Handle 1.3.x (OTRS 3.3), iPhone Handle 1.2.x (OTRS 3.2)
- Fixed in: iPhoneHandle 4.0.2 (OTRS 4), iPhoneHandle 1.3.3 (OTRS 3.3), iPhoneHandle 1.2.2 (OTRS 3.2)
- FULL CVSS v2 VECTOR: (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
- CVE: CVE-2015-6579
This Advisory covers a vulnerability discovered in the OTRS iPhoneHandle package, which is the interface between OTRS and the iPhone app. The iPhone handle is only needed if you have users that want to use the iPhone app to connect to OTRS.
- Missing security checks allows remote iPhoneHandle connections to escalate privileges for authenticated users.
- This vulnerability allows an remote attacker to read and modify OTRS core objects via the iPhoneHandle interface, but only if the user has authenticated with a valid agent username and password.
Affected by this vulnerability are all releases of iPhoneHandle 0.9.x, all 1.0.x versions, all 1.1.x versions, all 1.2.x versions up to and including 1.2.1, all 1.3.x versions up to and including 1.3.2, as well as all 4.0.x versions up to and including 4.0.1.
This vulnerability is fixed in iPhoneHandle 4.0.2, iPhoneHandle 1.3.3, and iPhoneHandle 1.2.2 and it is recommended to upgrade to one of these versions.
Fixed iPhoneHandle releases can be found at:
As a workaround, deinstall the iPhoneHandle package (as admin via the package manager in admin interface).
Many thanks to Thorsten Eckel (znuny) for discovering and reporting this vulnerability.