Security Advisory 2008-01 – Vulnerability in OTRS SOAP interface allows remote access without valid SOAP user

March 31, 2008 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Report a Vulnerability:

security@otrs.org

Security Advisory Details

  • Date: Mar 31, 2008
  • Title: Vulnerability in OTRS SOAP interface allows remote access without valid SOAP user
  • Severity: Critical
  • Affected:
    OTRS Help Desk 2.2.x
    OTRS Help Desk 2.1.x
  • Fixed in:
    OTRS Help Desk 2.2.6
    OTRS Help Desk 2.1.8
  • Not affected:
    OTRS Help Desk 2.0.x
    OTRS Help Desk 1.x.x
  • Common Vulnerabilities and Exposures: CVE-2008-1515

Vulnerability Description

This advisory covers one vulnerability in the OTRS SOAP interface: SOAP authentication allows remote access without a valid SOAP user. Because of missing security checks, remote SOAP connections can gain access to OTRS without a valid SOAP user, so a remote attacker can read and modify objects via the OTRS SOAP interface. Affected by this vulnerability are all releases of OTRS 2.1.0 up to and including 2.2.5.

Recommended Resolution

This vulnerability is fixed in OTRS 2.1.8 and OTRS 2.2.6, and it is recommended to upgrade to one of these versions.

Fixed OTRS releases can be found at: https://community.otrs.com/category/release-notes-help-desk-2/

Detailed information about the required changes:

Workaround

Besides upgrading to the fixed releases named above, a workaround is to remove or replace the affected file with a fixed version:

As a workaround you can remove the file bin/cgi-bin/rpc.pl, or update bin/cgi-bin/rpc.pl from CVS to version 1.6 (http://cvs.otrs.org/viewvc.cgi/otrs/bin/cgi-bin/rpc.pl).

However, to avoid unwanted side effects, we recommend a complete update.
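The following script is an added example, not part of this advisory or of the OTRS code base. It encodes the advisory's own affected/fixed version table, checks whether an OTRS tree still ships the bin/cgi-bin/rpc.pl SOAP handler named in the workaround, and lists requests for rpc.pl in an Apache-style access log so an administrator can review who reached the SOAP interface while the installation was unpatched. The RELEASE file layout ('VERSION = x.y.z'), the /otrs/rpc.pl URL path and the sample log lines are assumptions and constructed data, not facts from the advisory.

```python
"""Assessment helper for OTRS Security Advisory 2008-01 (CVE-2008-1515).

Added example; not part of the advisory or of OTRS itself. Version ranges come
from the advisory. The RELEASE file layout and the /otrs/rpc.pl URL path are
assumptions; the sample log lines are constructed.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Half-open ranges [first affected, first fixed) exactly as the advisory states them.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((2, 1, 0), (2, 1, 8)),   # OTRS 2.1.x, fixed in 2.1.8
    ((2, 2, 0), (2, 2, 6)),   # OTRS 2.2.x, fixed in 2.2.6
)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> Version:
    """Turn '2.2.5' into (2, 2, 5); anything that is not x.y.z is rejected."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not an x.y.z version string: {text!r}")
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True for 2.1.0..2.1.7 and 2.2.0..2.2.5; False for fixed or unlisted releases."""
    v = parse_version(version)
    return any(first <= v < fixed for first, fixed in AFFECTED_RANGES)


def fixed_release_for(version: str) -> Optional[str]:
    """Name the release the advisory says to upgrade to, or None if not affected."""
    v = parse_version(version)
    for first, fixed in AFFECTED_RANGES:
        if first <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def read_release_version(otrs_root: str) -> str:
    """Read 'VERSION = x.y.z' from <otrs_root>/RELEASE (file layout is assumed)."""
    with open(os.path.join(otrs_root, "RELEASE"), encoding="utf-8") as fh:
        for line in fh:
            key, sep, value = line.partition("=")
            if sep and key.strip().upper() == "VERSION":
                return value.strip()
    raise ValueError("no VERSION line found in RELEASE")


def assess_install(otrs_root: str) -> Dict[str, object]:
    """Combine the version check with the presence of the SOAP handler file."""
    version = read_release_version(otrs_root)
    rpc_present = os.path.isfile(os.path.join(otrs_root, "bin", "cgi-bin", "rpc.pl"))
    affected = is_affected(version)
    return {
        "version": version,
        "affected": affected,
        "rpc_present": rpc_present,
        # Exposure needs both: an affected release and the handler still deployed.
        "exposed": affected and rpc_present,
        "upgrade_to": fixed_release_for(version),
    }


# Apache combined-log line shape: client, ident, user, [time], "METHOD path proto", status.
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def rpc_requests(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return every request whose path ends in /rpc.pl, for review of SOAP access."""
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m and m.group(4).split("?", 1)[0].endswith("/rpc.pl"):
            hits.append({"client": m.group(1), "time": m.group(2),
                         "method": m.group(3), "path": m.group(4), "status": m.group(5)})
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Mar/2008:10:15:02 +0200] "POST /otrs/rpc.pl HTTP/1.1" 200 812',
    '192.0.2.11 - - [31/Mar/2008:10:15:09 +0200] "GET /otrs/index.pl?Action=Login HTTP/1.1" 200 4096',
    '198.51.100.7 - - [31/Mar/2008:10:16:44 +0200] "POST /otrs/rpc.pl HTTP/1.0" 500 301',
]

if __name__ == "__main__":
    for v in ("2.1.7", "2.1.8", "2.2.5", "2.2.6", "2.0.4"):
        print(v, "affected" if is_affected(v) else "not affected", fixed_release_for(v))
    for hit in rpc_requests(SAMPLE_LOG):
        print(hit)
```

Run assess_install("/opt/otrs") (path assumed) against a real tree to get the combined verdict; the "exposed" flag is only True when the release is in an affected range and rpc.pl is still present, which matches the advisory's two remedies of upgrading or removing the file.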