The purpose of this advisory is to inform you of recently discovered security vulnerabilities in Track-It! and how to address them.
Please note that for an attacker to take advantage of any of these issues, the attacker must have direct access to the Track-It! application server. If the application server is not exposed to the internet, an attacker would first have to gain access inside your internal network in order to exploit them. However, even if your Track-It! system is not exposed outside your firewall, we still recommend you take the necessary steps to secure the application as soon as possible.
Update to Track-It! 11.4
Due to the nature and complexity of some of the issues, a full version update is required to address all of them. The vulnerabilities in this bulletin are addressed in Track-It! version 11.4, which is now available on the Track-It! support site. Upgrading to 11.4 is the only way to address all of the discovered vulnerabilities.
Short term remediation
If for some reason you cannot immediately update to Track-It! 11.4, it is recommended to block all communications from untrusted networks (e.g. the Internet) at the firewall, specifically to TCP/UDP ports 9010 to 9020 and to the Track-It! Web web server. Blocking the above-mentioned ports and site to secure the server will also block the use of the Self Service feature and Track-It! Technician Web from external networks. In other words, the Track-It! system will continue to function only within the intranet.
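One way to apply the interim restriction above on the Track-It! application server itself, as an added example that is not part of the BMC advisory: Windows Defender Firewall rules that admit the 9010-9020 range and the web site only from intranet addresses, followed by an audit for any other rule that still opens those ports to any remote address. The RFC 1918 ranges and the 80/443 web ports are assumptions; adjust them to your network and to the Track-It! Web site binding.

```powershell
# Added example, not BMC's own script. Run elevated on the Track-It! server.
# Assumptions: Windows with the NetSecurity module; intranet = RFC 1918 ranges;
# Track-It! Web listens on 80/443 (placeholder, check the IIS binding).
#Requires -RunAsAdministrator
$IntranetRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')  # assumption
$TrackItPorts   = '9010-9020'        # range named in the advisory
$WebPorts       = @('80', '443')     # assumption: Track-It! Web site ports

# 1. Default inbound action Block, so only explicit Allow rules admit traffic.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Allow the Track-It! ports and the web site only from intranet addresses.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "Track-It! $proto $TrackItPorts (intranet only)" `
        -Direction Inbound -Protocol $proto -LocalPort $TrackItPorts `
        -RemoteAddress $IntranetRanges -Action Allow -Profile Any
}
New-NetFirewallRule -DisplayName 'Track-It! Web (intranet only)' `
    -Direction Inbound -Protocol TCP -LocalPort $WebPorts `
    -RemoteAddress $IntranetRanges -Action Allow -Profile Any

# 3. Audit: any other enabled inbound Allow rule that opens these ports to Any
#    remote address defeats the restriction, so report it.
function Test-PortOverlap([string[]]$ruleLocalPorts, [int[]]$watch) {
    foreach ($p in $ruleLocalPorts) {
        if ($p -eq 'Any') { return $true }
        # Skip symbolic values such as RPC or IPHTTPS; only numeric ports/ranges.
        if ($p -notmatch '^\d+(-\d+)?$') { continue }
        $lo, $hi = ($p -split '-') | ForEach-Object { [int]$_ }
        if ($null -eq $hi) { $hi = $lo }
        if ($watch | Where-Object { $_ -ge $lo -and $_ -le $hi }) { return $true }
    }
    return $false
}
$watchPorts = (9010..9020) + ($WebPorts | ForEach-Object { [int]$_ })
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -notlike 'Track-It!*' } |
    ForEach-Object {
        $rule = $_
        $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        $port = ($rule | Get-NetFirewallPortFilter).LocalPort
        if ($addr -contains 'Any' -and (Test-PortOverlap @($port) $watchPorts)) {
            Write-Warning "Rule '$($rule.DisplayName)' still allows port(s) $port from Any"
        }
    }
```

Host rules complement, not replace, the perimeter firewall block the advisory asks for; a warning from the audit step means an existing rule must be narrowed or disabled before the restriction is effective.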
Due to the nature of issues 1, 2 and 6 below, we were able to produce individual hotfixes for Track-It! version 11.3. Since these hotfixes do not resolve all the identified issues, we strongly recommend upgrading your Track-It! system to the 11.4 version that includes fixes for all of the identified vulnerabilities.
For more information on each of the items addressed, see the Knowledge Articles listed below.
1. Article ID TIA07453 - Arbitrary file download: attackers can download files from the underlying server operating system remotely through the product.
2. Article ID TIA07454 - Blind SQL injection: insufficient input validation can allow attackers to inject SQL code and gain control of the underlying database engine.
3. Article ID TIA07455 - Hardcoded DB credentials: this issue is limited to the demo install only.
4. Article ID TIA07456 - Credential disclosure: disclosure of domain administrator and SQL Server user credentials.
5. Article ID TIA07457 - Code execution: remote code upload and execution via file upload.
6. Article ID TIA07508 - Password reset: passwords of accounts can be reset with just the user ID.
If you have any questions regarding this security notification, please contact Track-It! Support by opening a case with BMC Track-It! Support.