The user name field of the CUA Module Login does not sanitize user input, allowing an attacker to run arbitrary SQL code. Through "--" syntax it is possible to comment out the password check, allowing an attacker to log in with the first available user name in the table. After performing this several times, or by searching through the "Accounts" tab within the CUA Module, an attacker can gather a list of all users. With this list an attacker can select an administrator account and log in as that account by simply entering the user name followed by "--".
Credit:
The information has been provided by Aaron Brown.
Vulnerable Systems:
* CENTERA_GEN_4
* EMC Centera Universal Access (CUA) version 4.0_4735.p4 (Linux i386 V. 2.6.16.21-0.15_VCUA4_0_4735)
Impact:
An attacker can bypass the authentication method and will be logged in as an arbitrary user. With specific knowledge of user names it is possible for an attacker to choose the user he/she wishes to log in as, without a password.
How the vulnerability can be reproduced:
For an arbitrary account enter the following in the user field: ' --
For a targeted account enter the following in the user field: valid_user_name' --
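To illustrate the mechanism behind the targeted case above, here is an added example (not code from the advisory or from the CUA product): a string-built login query of the kind described, beside its parameterized replacement, run against an in-memory SQLite table. The table, column names, sample accounts and query shape are assumptions, since the product's actual query is not published.

```python
import sqlite3

# Constructed sample accounts standing in for the CUA accounts table.
# Schema and values are assumptions for this example only.
SAMPLE_USERS = [("admin", "s3cret"), ("alice", "hunter2")]


def make_db():
    """Build a throwaway in-memory database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable pattern: the user field is spliced into the SQL text.
    A quote followed by '--' turns the rest of the statement, including
    the password comparison, into a comment, so any password passes."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Remediated pattern: bound parameters are passed as data, so the
    quote and '--' are compared literally against the username column
    and never reach the SQL parser."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "admin' --"  # the targeted-account input from the advisory
    print("vulnerable:", login_vulnerable(make_db(), payload, ""))  # admin
    print("fixed:     ", login_fixed(make_db(), payload, ""))       # None
```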
Fix:
"The remedy for the reported problems has been released on 30 June 2008 and is available on EMC Powerlink as CUA 4.0.1 Patch 1, under "Support -> Software Download"."
Vendor URL: http://www.emc.com
Vendor Status:
The vendor was informed of the problem and was very cooperative in getting a patch developed for it. However, contact was broken off by the vendor after the relevant patch was released. The vendor has not yet published an advisory stating the reason for the latest patch or the vulnerability discovered in previous versions. This vulnerability was brought to the attention of the vendor on May 20, 2008 under the policy of responsible disclosure as documented at http://www.wiretrip.net/rfp/policy.html. After cooperating on a patch, the vendor did not respond to requests to release a public advisory. Therefore we have taken the initiative to alert the public through various security publications.