CVE-2004-0533

Source: cve@mitre.org

LOW
2.1
Published: December 31, 2004 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM

Vulnerability Description

Business Objects WebIntelligence 2.7.0 through 2.7.4 only enforces access controls on the client, which allows remote authenticated users to delete arbitrary files on the server via a crafted delete request using the InfoView web client.

CVSS Metrics

Base Score: 2.1
Severity: LOW
Vector String: AV:L/AC:L/Au:N/C:N/I:P/A:N

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Business Objects WebIntelligence versions 2.7.0 through 2.7.4 enforce access controls only on the client, which lets authenticated attackers remotely delete arbitrary files on the server, potentially leading to denial of service or complete system compromise. Organizations using these versions must immediately patch or implement mitigation strategies.

02 // Vulnerability Mechanism

Step 1: Authentication: The attacker must first authenticate to the Business Objects WebIntelligence InfoView web client with valid credentials.

Step 2: Crafting the Request: The attacker crafts a malicious delete request. This request is designed to bypass the client-side access controls and target a specific file on the server.

Step 3: Payload Delivery: The attacker submits the crafted delete request through the InfoView web client, likely using a tool or script to automate the process.

Step 4: Server-Side Execution: The WebIntelligence server receives the malicious request. Due to the lack of server-side validation, the server processes the request and attempts to delete the specified file.

Step 5: File Deletion: The server, lacking proper authorization checks, deletes the file specified in the malicious request. This could be a critical system file, a configuration file, or any file accessible to the WebIntelligence process. The result can be denial of service (DoS) or further exploitation.

03 // Deep Technical Analysis

The vulnerability stems from access controls that are implemented only in the InfoView web client. The checks the client applies to file deletion requests are not repeated on the server: the application trusts the client's request to delete a file and performs no authorization check of its own. A malicious user can therefore craft a delete request that bypasses the client-side checks and instructs the server to delete any file accessible to the WebIntelligence process. The root cause is a missing or inadequate authorization check before the file deletion operation is performed on the server. No input validation or access control list (ACL) check runs before the file deletion function is called, so an attacker can specify any file path, leading to arbitrary file deletion.
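The pattern described above, as an added example that is not code from Business Objects or from this record: a delete handler that trusts the client beside one that enforces path confinement and ownership on the server. The document names, the OWNERS table and all function names are hypothetical, and the sample files are constructed in a temporary directory.

```python
import tempfile
from pathlib import Path

# Hypothetical server-side ownership table: document name -> owning user.
OWNERS = {"q1-report.wid": "alice", "budget.wid": "bob"}


def delete_trusting_client(root: Path, requested: str) -> bool:
    """Flawed pattern: assumes the web client already filtered the request."""
    target = root / requested            # client-supplied path used as-is
    if target.is_file():
        target.unlink()
        return True
    return False


def delete_checked(root: Path, user: str, requested: str) -> bool:
    """Same operation with confinement and authorization done on the server."""
    root = root.resolve()
    target = (root / requested).resolve()
    # 1. Confinement: the resolved path must stay inside the document root.
    if root not in target.parents:
        return False
    # 2. Authorization: decided from server-side state, never from the request.
    if OWNERS.get(target.relative_to(root).as_posix()) != user:
        return False
    if target.is_file():
        target.unlink()
        return True
    return False


def demo() -> dict:
    """Run both handlers against a constructed document store."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "docs"
        docs.mkdir()
        for name in OWNERS:
            (docs / name).write_text("constructed sample document")
        outside = docs.parent / "server.cfg"   # file outside the document root
        outside.write_text("constructed sample config")
        return {
            "checked_other_user": delete_checked(docs, "alice", "budget.wid"),
            "checked_outside_root": delete_checked(docs, "alice", "../server.cfg"),
            "checked_own_doc": delete_checked(docs, "alice", "q1-report.wid"),
            "outside_survives_checked": outside.exists(),
            "trusting_outside_root": delete_trusting_client(docs, "../server.cfg"),
            "outside_survives_trusting": outside.exists(),
        }
```

The checked handler refuses both another user's document and a path outside the document root, while the trusting handler removes the file outside the root because nothing on the server repeats the client's check.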

04 // Exploitation Status

Public PoC is likely available. The vulnerability is relatively straightforward to exploit, and the age of the vulnerability suggests that exploits are readily available and potentially actively exploited.

05 // Threat Intelligence

While no specific APTs are definitively linked to this CVE, the ease of exploitation and potential impact make it a target for various threat actors. This vulnerability could be leveraged by attackers for initial access or privilege escalation.

CISA KEV: Not Listed

06 // Detection & Hunting

  • Monitor server logs for suspicious file deletion activity, especially activity originating from the WebIntelligence application.

  • Analyze network traffic for unusual HTTP POST requests to the InfoView web client, specifically those containing file deletion parameters.

  • Implement file integrity monitoring to detect unauthorized modifications or deletions of critical system files.

  • Review WebIntelligence application logs for error messages related to file access or deletion attempts.

  • Use a Security Information and Event Management (SIEM) system to correlate logs and identify suspicious activity patterns.

07 // Remediation & Hardening

  • Upgrade to a patched version of Business Objects WebIntelligence (2.7.5 or later) that addresses the vulnerability.

  • If upgrading is not immediately possible, implement a Web Application Firewall (WAF) to filter malicious requests targeting the InfoView web client. Configure the WAF to block requests containing file deletion parameters.

  • Implement strict file access controls on the server, limiting the WebIntelligence application's access to only the necessary files and directories.

  • Regularly audit user accounts and permissions to ensure least privilege access.

  • Conduct penetration testing to validate the effectiveness of implemented security controls.

  • Isolate the WebIntelligence server from other critical systems to limit the impact of a successful exploit.

08 // Affected Products

  • Business Objects WebIntelligence 2.7.0

  • Business Objects WebIntelligence 2.7.1

  • Business Objects WebIntelligence 2.7.2

  • Business Objects WebIntelligence 2.7.3

  • Business Objects WebIntelligence 2.7.4