Today, Talos is disclosing several vulnerabilities that have been identified by Portcullis in various software products. All four vulnerabilities have been responsibly disclosed to each respective developer in order ensure they are addressed. In order better protect our customers, Talos has also developed Snort rules that detect attempts to exploit these vulnerabilities.

Vulnerability Details

TALOS-2017-0313 (CVE-2016-9048) ProcessMaker Enterprise Core Multiple SQL Injection Vulnerabilities TALOS-2017-0313 was identified by Jerzy Kramarz of Portcullis.

TALOS-2017-0313 encompasses multiple SQL injection vulnerabilities in ProcessMarker Enterprise Core 3.0.1.7-community. These vulnerabilities manifest as a result of improperly sanitizing input received in web requests. An attacker who transmits a specifically crafted web request to an affected server with parameters containing SQL injection attacks could trigger this vulnerability. This could allow exfiltration of the database information, user credentials, and in certain configuration access the underlying operating system.

TALOS-2017-0314 (CVE-2016-9045) - ProcessMaker Enterprise Core Code Execution VulnerabilityTALOS-2017-0314 was identified by Jerzy Kramarz of Portcullis.

TALOS-2017-0314 is a remote code execution vulnerability in ProcessMarker Enterprise Core 3.0.1.7-community. A specially crafted web request can cause unsafe deserialization, potentially resulting in arbitrary PHP code execution. Exploitation of this vulnerability could be achieved if an attacker transmits a specifically crafted web parameter to an affected server, triggering this vulnerability.

TALOS-2017-0315 (CVE-2016-9044) - Information Builders WebFOCUS Business Intelligence Portal Command Execution Vulnerability TALOS-2017-0315 was identified by Alfonso Alguacil and Georgios Papakyriakopoulos of Portcullis.

TALOS-2017-0315 is an arbitrary command execution vulnerability in Information Builders WebFOCUS Business Intelligence Portal 8.1. This vulnerability manifests due to improperly sanitizing and handling input received via a web request. TALOS-2017-0315 is exploitable if an attacker transmits a specifically crafted web request to an affected server while logged into the application, triggering this vulnerability. Unauthenticated users are not able to exploit this vulnerability.

TALOS-2017-0316 (CVE-2017-2815) - XML External Entity Injection In Open Fire User Import Export Plugin TALOS-2017-0316 was identified by Jerzy Kramarz, Michail Sarantidis, Rafael Gil Larios, Giovani Cattani, and Anton Garcia of Portcullis.

TALOS-2017-0316 is a XML External Entity injection attack in the OpenFire User Import Export Plugin. TALOS-2017-0316 manifests due to improperly handling unsanitized user input. Exploitation of this vulnerability could allow an attacker to retrieve arbitrary files or create a denial of service condition (by making the server read from a file such as '/dev/random'). Attackers could also reference URLs, potentially allowing port scanning from the XML parser's host, or the retrieve sensitive web content that would otherwise be inaccessible.

Coverage Talos has developed the following Snort rules detect attempts to exploit these vulnerabilities. Note that these rules are subject to change pending additional vulnerability information. For the most current information, please visit your Firepower Management Center or Snort.org.

Snort Rules:

To review our Vulnerability Disclosure Policy, please visit this site:

http://www.cisco.com/c/en/us/about/security-center/vendor-vulnerability-policy.html