Security Advisories

December 12, 2012 – Insecure default settings in Reporter

Security Advisories ID:    SA71
Version:    1.0
Status:    Published
Published date:    12/12/2012
 

Advisory Status

Final

Advisory Severity

High - CVSS v2 base score: 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C)

CVE Number

No CVE has been assigned at this time.

Summary

By default, logging in to Reporter is performed over HTTP, allowing an attacker to gain access to the Administrator’s credentials and all session data. Disconnected login is also enabled by default thereby storing the Administrator’s LDAP password on Reporter.

Affected Products

All versions of Reporter prior to 9.4 are vulnerable. Windows, Linux, and Virtual Appliance versions are all vulnerable.

Details

Reporter is not secure by default when installed with the default configuration values.
 
By default, administrative connections go over a clear text channel (HTTP) allowing an attacker with access to the network to view, replay, and modify all login and session data. 
 
Disconnected login is also enabled by default in 9.x releases. Disconnected login stores the password used by the Administrator locally with minimal obfuscation. An attacker who is able to de-obfuscate the password can therefore log in to Reporter as the Administrator and can also log in to the configured LDAP directory.
 
Reporter 9.3 and later defaults to HTTPS for administrative connections and redirects HTTP connections to HTTPS. Reporter also disables disconnected login by default.

Workarounds

Configure Reporter to support HTTPS for management connections and always connect to Reporter over HTTPS. Disable disconnected login.
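One way to verify the first workaround from the outside is to confirm that the cleartext port no longer serves the management interface at all, but only answers with an immediate redirect to HTTPS on the same host (the behaviour the advisory attributes to Reporter 9.3 and later). The following check is an added example, not part of this advisory and not Blue Coat code; the host names, paths and HTTP responses in it are constructed, and the classification rules (same-host HTTPS redirect is acceptable, anything served directly over HTTP is a finding) are the author's own, not a Reporter setting.

```python
"""Audit check: does a management interface refuse cleartext HTTP?

Added example, not Blue Coat code.  Host names, paths and the sample
responses below are constructed for illustration.
"""
import http.client
import sys
from urllib.parse import urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def classify_http_response(status, headers, host):
    """Classify the response received on the cleartext (HTTP) port.

    Returns "ok" when the server answers with a redirect to an https://
    URL on the same host, i.e. no management content is reachable over
    HTTP.  Any other outcome is returned as a short finding string.
    Header names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    location = lower.get("location")

    if status in REDIRECT_STATUSES:
        if not location:
            return "redirect without Location header"
        parts = urlsplit(location)
        if parts.scheme.lower() != "https":
            return "redirects to non-HTTPS URL %s" % location
        if parts.hostname and parts.hostname.lower() != host.lower():
            # A redirect elsewhere may still leave this host's HTTP
            # interface usable; flag it for a manual look.
            return "redirects to a different host %s" % parts.hostname
        return "ok"

    if 200 <= status < 300:
        # The page itself came back over cleartext: the login form (and
        # any credentials posted to it) would cross the network unprotected.
        return "serves content over cleartext HTTP (no redirect)"

    return "unexpected status %d" % status


def probe(host, port=80, path="/", timeout=5):
    """Fetch one cleartext URL from a live host and classify the answer.

    Network access is required; not exercised by the offline samples.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        headers = dict(resp.getheaders())
        return classify_http_response(resp.status, headers, host)
    finally:
        conn.close()


# Constructed sample responses, as a (status, headers) pair per case.
SAMPLES = {
    "hardened (redirects to HTTPS)": (302, {"Location": "https://reporter.example/login"}),
    "default (login page over HTTP)": (200, {"Content-Type": "text/html"}),
    "misconfigured (HTTP to HTTP)": (301, {"Location": "http://reporter.example/"}),
    "suspicious (other host)": (302, {"Location": "https://other.example/"}),
}


def run_samples(host="reporter.example"):
    """Classify every constructed sample; returns {label: finding}."""
    return {label: classify_http_response(status, headers, host)
            for label, (status, headers) in SAMPLES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_http_redirect.py <management-host>
        print(sys.argv[1], "->", probe(sys.argv[1]))
    else:
        for label, finding in run_samples().items():
            print("%-32s %s" % (label, finding))
```

Run it with no arguments to see the four constructed cases classified, or with a host name to probe a real management interface on port 80. Only the first case is acceptable: a plain 200 means the login form is still served over HTTP, and an HTTP-to-HTTP or cross-host redirect means the cleartext channel has not actually been closed.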

Patches

Reporter 9.3 – fixed in 9.3.3.2. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/8793.
 
Reporter 9.2 and earlier – please upgrade to a later version.
 
Reporter 8.3 and earlier – please upgrade to a later version.

References

Reporter 9.x Administrators Guide – https://bto.bluecoat.com/doc/10660
 
Reporter 8.x Administrators Guide – https://bto.bluecoat.com/doc/4944 

Advisory History

2012-12-12 Initial public release
