Advisory Summary – Verifone VeriCentre
CSS 12-11 – Web Console SQL Injection Vulnerability
November 2, 2012
VeriCentre is the next-generation estate management system that significantly reduces costs, improves customer service, and provides new revenue opportunities. It delivers unprecedented productivity and flexibility with an array of capabilities and automation for any size installed base or multi-application environment. And since it works with all Vx Solutions payment devices, VeriCentre can be deployed across all vertical markets around the globe. (Source: http://www.verifone.com/estate-management/vericentre.aspx)
A function in the VeriCentre web application is vulnerable to SQL Injection. Input to the affected function can be provided that manipulates the SQL query issued to the application database. By constructing the appropriate input, the attacker can issue any commands against the database.
Vulnerability ID: CVE-2012-4951
High Risk – CVSS 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Bypass web application control
This issue is in a publicly accessible function on the web site that could be exploited by any individual (or automated worm) via the intranet, although the vulnerable functions are not directly referenced from the main web page. Authentication is required in order to identify this vulnerability. The presence of telltale error messages greatly increases the likelihood that this issue would be identified and exploited.
Identifying Vulnerable Installations
Administrators can identify the vulnerability by issuing the following request to the web application. The TerminalId, ModelName, and ApplicationName parameters are all susceptible to injection.
The VeriCentre web application provides no indication when this vulnerability is exploited other than possibly the web logs. If other controls are in place such as network traffic monitors, IDS/IPS, or web filters, these should be configured to alert on payloads containing attack patterns.
This vulnerability affects all VeriCentre Web Consoles prior to version 2.2 build 36.
The vendor has released updated code and all customers are encouraged to update as soon as possible to Web Console 2.2 build 36 or higher.
- 2012-04-05 – Vulnerability identified.
- 2012-09-14 – CERT notified.
- 2012-11-01 – Vendor released security patch at approximately this date.
CISO Global Advisory Contact: Cory Eubanks
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing and is subject to change without notice. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. The author is not liable for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.