Security Advisory 2015-01: Vulnerability in OTRS iPhoneHandle interface allows user with valid session privilege escalation

 

September 29, 2015 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Please send information regarding vulnerabilities in OTRS to: security@otrs.org

 

PGP Key

  • pub 2048R/9C227C6B 2011-03-21 [expires at: 2016-03-02]
  • uid OTRS Security Team <security@otrs.org>
  • GPG Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22 7C6B

 

 

Security Advisory Details

  • ID: OSA-2015-01
  • Date: 2015-09-29
  • Title: Vulnerability in OTRS iPhone Handle interface allows user with valid session privilege escalation
  • Severity: high (Overall CVSS Score: 7)
  • Product: iPhone Handle 4.0.x (OTRS 4), iPhone Handle 1.3.x (OTRS 3.3), iPhone Handle 1.2.x (OTRS 3.2)
  • Fixed in: iPhoneHandle 4.0.2 (OTRS 4), iPhoneHandle 1.3.3 (OTRS 3.3), iPhoneHandle 1.2.2 (OTRS 3.2)
  • FULL CVSS v2 VECTOR: (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
  • CVE: CVE-2015-6579

Vulnerability Description

This advisory covers a vulnerability discovered in the OTRS iPhoneHandle package, which is the interface between OTRS and the iPhone app. The iPhoneHandle package is only needed if you have users who want to use the iPhone app to connect to OTRS.

 

 

Privilege Escalation

  • Missing security checks allow remote iPhoneHandle connections to escalate privileges for authenticated users.
  • This vulnerability allows a remote attacker to read and modify OTRS core objects via the iPhoneHandle interface, but only if the user has authenticated with a valid agent username and password.

Affected by this vulnerability are all releases of iPhoneHandle 0.9.x, all 1.0.x versions, all 1.1.x versions, all 1.2.x versions up to and including 1.2.1, all 1.3.x versions up to and including 1.3.2, as well as all 4.0.x versions up to and including 4.0.1.

 

Recommended Resolution

This vulnerability is fixed in iPhoneHandle 4.0.2, iPhoneHandle 1.3.3, and iPhoneHandle 1.2.2. Upgrading to one of these versions is recommended.

Fixed iPhoneHandle releases can be found at:

As a workaround, uninstall the iPhoneHandle package (as admin, via the package manager in the admin interface).
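The affected ranges, fixed releases and workaround above can be turned into a version check for triaging an inventory of OTRS hosts. This is an added example, not part of the original advisory; the `assess` and `triage` helpers and the host names are hypothetical, and the sample inventory is constructed.

```python
import re

# Affected ranges as stated in the advisory: branch -> last affected patch
# level (None = every release of that branch is affected).
AFFECTED = {(0, 9): None, (1, 0): None, (1, 1): None,
            (1, 2): 1, (1, 3): 2, (4, 0): 1}
# Fixed release the advisory names for each branch that has one.
FIXED = {(1, 2): "1.2.2", (1, 3): "1.3.3", (4, 0): "4.0.2"}


def assess(version):
    """Return (status, advice) for an installed iPhoneHandle version string."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", version)
    if not m:
        return ("unknown", "unparseable version string; check manually")
    major, minor, patch = map(int, m.groups())
    branch = (major, minor)
    if branch not in AFFECTED:
        # Do not guess: the advisory says nothing about other branches.
        return ("unknown", "branch not listed in OSA-2015-01")
    last_bad = AFFECTED[branch]
    if last_bad is not None and patch > last_bad:
        return ("fixed", "not affected per OSA-2015-01")
    if branch in FIXED:
        return ("affected", "upgrade to iPhoneHandle " + FIXED[branch])
    return ("affected", "advisory names no fixed release for this branch; "
                        "uninstall the package (workaround)")


def triage(inventory):
    """Map host -> assessment for a {host: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names).
    sample = {"helpdesk-a": "4.0.1", "helpdesk-b": "1.3.3",
              "helpdesk-c": "1.1.4", "helpdesk-d": "5.0.0"}
    for host, (status, advice) in triage(sample).items():
        print(f"{host}: {status} - {advice}")
```

Versions outside the branches the advisory lists are reported as `unknown` rather than assumed safe, so they still get a manual look.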

Many thanks to Thorsten Eckel (znuny) for discovering and reporting this vulnerability.