Advisory ID: SYSS-2018-023 Product: Collaboration Compliance and Quality Management Platform Manufacturer: Verint Verba Affected Version(s): <= 9.1.1.5482 Tested Version(s): 9.1.1.5482 Vulnerability Type: Improper Access Control (CWE-284) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2018-08-29 Solution Date: 2018-08-31 Public Disclosure: 2018-10-02 CVE Reference: CVE-2018-17871 Author of Advisory: Tobias Huppertz, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Collaboration Compliance and Quality Management Platform is a product to record and play calls with VoIP-telephons including Skype, messages and video. The permission management works with different roles and groups. So member can just play their own calls and investigators can also play calls of other users. The manufacturer describes the product as follows (see [1]): "Verint Essential Workforce Optimization offers advanced automation to get the most from your workforce. Our software and services can enhance the efficiency of your employees and processes, and enable you to share workforce intelligence in real-time across your business. Mid-market contact centers, back-office operations, branch operations and financial trading rooms can rely on Verint Essential Workforce Optimization to capture and store interactions, heighten quality, ensure compliance and help manage the availability and performance of employees in targeted areas of their businesses." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: At the page "Change Configuration Settings" the user can see the configuration. Passwords are obfuscated by dot operator, but the server delivers passwords in plaintext. By editing the html source code in the browser the password fields can be modified to edit fields and the passwords gets visible. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): A logged in user can see configured passwords in plaintext. Access the page "Change Configuration Settings", start the Developer Tools (Internet Explorer 11: key F12). Modify the password type from type='password' to type='edit' fields and the passwords are visible in plaintext. For example "Key File Password" (server certificate) and "Database Password" (SQL Server). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Install the new version, which was published by the vendor [2]. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2018-08-16: Vulnerability discovered 2018-08-30: Vulnerability reported to manufacturer 2018-08-30: Vulnerability confirmed by manufacturer 2018-08-31: Update released by manufacturer 2018-10-01: CVE number assigned 2018-10-02: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Collaboration Compliance and Quality Management Platform https://www.verba.com/solutions/compliance-recording-collaboration/#Skype-for-Business [2] Verba 9.2 Release Notes (build 9.2.2.5549) - RI-016911 https://releases.verba.com/?v=9.2 [3] SySS Security Advisory SYSS-2018-023 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-023.txt [4] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Tobias Huppertz of SySS GmbH. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en