Fixes have been issued for vulnerable servers
Multiple vulnerabilities including a remote code execution (RCE) flaw in Micro Focus Operations Bridge Reporter have been patched.
Operations Bridge Reporter (OBR) is an enterprise-grade product based on Vertica and Big Data database analytics, as well as SAP BusinessObjects (BO), Postgres, and other enterprise software. OBR facilitates data collection and aggregation on servers.
In a security advisory published on March 2, Agile Information Security researcher Pedro Ribeiro disclosed multiple critical security issues in the software.
“OBR requires a lot of network ports to be opened in order to communicate with other hosts as it can be seen in their installation documentation,” Ribeiro noted. “This gives it a huge externally-facing attack surface.”
OBR is available for both Windows and Linux machines. In total, five Linux-based command injection bugs impacting login functions were found, all of which can be triggered by unauthenticated attackers. The vulnerabilities are tracked under CVE-2021-22502 and can lead to RCE as root.
The AdminService web application contains an SQL injection issue, and while a CVE is yet to be assigned, the vulnerability is considered critical. However, authentication is required in order to exploit the bug.
In addition, Ribeiro uncovered the use of hard-coded credentials in OBR on Linux. Tracked as CVE-2020-11857, this security flaw was found in the hardcoded credentials for the shrboadmin user at the time SAP BO is installed. The user has full login permissions.
An exposed, unauthenticated JMX endpoint also existed, leading to RCE in both Windows and Linux. This vulnerability has been assigned as CVE-2020-11856.
Finally, there were incorrect default file permissions in both Windows and Linux builds, tracked as CVE-2020-11855, which could be exploited in privilege escalation attacks – to SYSTEM on Windows, and root in Linux.
The vulnerabilities impact OBR version 10.40, and it is suspected earlier versions are also affected.
While Micro Focus’ solution may be useful for data analytics, in terms of security, Ribeiro labeled the technology as a “catastrophe”.
“[OBR is] a product with a huge attack surface, with terribly insecure defaults and horrible security mistakes,” the researcher added.
The vulnerabilities described in this advisory are hilarious, and belong in textbooks, not in enterprise security software.”
Ribeiro previously published a separate notice concerning multiple RCE vulnerabilities in Micro Focus Operations Bridge Manager (OBM) in 2020.
“This latest one doesn’t have as many vulnerabilities, but in a way it’s far worse since the vulnerabilities are trivial,” Ribeiro told The Daily Swig.
“Unauthenticated RCE via direct command injection at login sounds like something one would find in a CTF, yet here it is in an enterprise product created by a multi-billion product company.”
Micro Focus has since published advisories informing customers of the security flaws and advises upgrading to the latest build of the software. The company has thanked the researcher for his report.
“It has come to our attention that a report has been written about possible security vulnerabilities in Micro Focus Operations Bridge Reporter (OBR) when the solution’s post-installation hardening steps are not completed,” a spokesperson for Micro Focus told The Daily Swig.
“Known security vulnerabilities were addressed in February and in our latest OBR 10.50 release (December 2020). The R&D team is analyzing the entire report to determine if further action is required.”