IT21980: INSUFFICIENT SEPARATION OF PRIVILEGE

APAR status

• Closed as program error.

Error description

• Users of the Filegateway and EBICS Client application are able
  to carry out or access information otherwise restricted to
  them.
  This includes:
  1) SFG admin user can reset other SFG admin or other user's
  password via the filegateway interface. By replacing the userid
  sent in the body of the request while resetting their own
  account, it is possible to reset other user's password.
  Normally, SFG admin has to log into the EBICS dashboard to
  reset the password, but this is done via the Filegateway
  interface. Note, that the attacker needs to know the target
  username and get the current password of the victim correct for
  successful attack. However, as the application has a weak
  password policy, and this request is not protected against CSRF
  attacks, it is possible to bruteforce the target account with
  common weak passwords.
  Please note that it is not clear whether the Filegateway
  interface sends information to the EBICS dashboard on the
  server side. It is not verified whether this attack can be
  carried out by a low privileged user as such an account was not
  facilitated for Filegateway.
  2) A user is able to view event logs accessible to another user
  (non-admin). By manipulating the event log ID number sent as
  part of the URI, it is possible to access other user's event
  logs even when it is not visible to the current user.
  Due to the uncertainties around the full extent of the issues,
  this issue has been given a medium risk rating. However, this
  issue should be treated as a priority and resolved at the
  earliest.
  IMPACT:
  1) The impact of this issue is currently rated as medium as the
  information currently being logged did not contain any sensitive
  information. However, the full extent of this issue is unknown
  as it is not known whether admin level users can access EBICS
  Client and if logs may contain sensitive information. This
  technique could be used to enumerate valid usernames.
  2) The impact of this issue is currently rated as medium as
  initial tests show that the attack does not work on the
  administration panel of EBICS dashboard. However, it is not
  known if this information is used on a separate application,
  outside the scope of this engagement.
  REMEDIATION:
  All administrative functions should be hidden from low
  privilege users
  and should require authentication to perform the actions. Only
  administrators should be able to perform administrative
  functions.
  

Local fix

• No workaround exists.
  

Problem summary

• Users Affected:
  All EBICS Users
  
  Problem Description:
  In the EBICS client one user was able to see the event details
  corresponding to another user.
  
  Platforms Affected:
  All
  

Problem conclusion

• Resolution Summary:
  A code fix is provided.
  
  Delivered In:
  5020603_3
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  STR B2B INTEGRA

• Fixed component ID

  5725D0600

Applicable component levels

• R526 PSY

     UP