CPNI - Centre for the Protection of National Infrastructure
November 2006

NISCC Vulnerability Advisory: 564575/NISCC/CRYSTALRPRTS

ID: 00819
Ref: 776/2006
Date: 28 November 2006:13:31:24
Version: 1

Title: NISCC Vulnerability Advisory: 564575/NISCC/CRYSTALRPRTS
Abstract: Predictable session identifiers in Crystal Reports
Vendors affected: MWR
Operating systems affected: MWR
Applications affected: MWR

Title
=====


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NISCC Vulnerability Advisory: 564575/NISCC/CRYSTALRPRTS

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRWw5Uml7oeQsXfKvEQJl+wCggaWlFE5m/7A093N6b+DZ7Zs2EKcAoM6Y
evD8FcxxPBhQbWbGAOOIFQ65
=0MlE
-----END PGP SIGNATURE-----

Detail
======

NISCC Vulnerability Advisory 564575/NISCC/CRYSTALRPRTS

Predictable session identifiers in Crystal Reports

Version Information
-------------------
Advisory Reference 564575/NISCC/CRYSTALRPRTS
Release Date 28/11/06
Last Revision 28 November 2006
Version Number 0.2

Acknowledgement
---------------
We would like to thank the following people at MWR InfoSecurity, who passed us
information on their research into this vulnerability.

* L B Jennings
* M Ruks
* H M G Grobbelaar

What is affected?
-----------------
The following products are confirmed to be affected:

- Crystal Enterprise 9
- Crystal Enterprise 10

The following products are NOT affected:

- Business Objects XI
- Business Objects XIr2

Severity
--------
High.

Summary
-------
This vulnerability concerns Crystal Enterprise 9 and 10. The vulnerability is
located in the web front-end portion of the application.

Business Objects is aware of this vulnerability and has produced patches to
address the problem. Please see 'Solution' for details on patches required to
address this flaw.

Please note that the information contained within this advisory is subject to change. All
subscribers are therefore advised to regularly check the NISCC website
(http://www.niscc.gov.uk/niscc/vulnAdv-en.html) for updates to this notice.

Details
-------
CVE Name CVE-2006-4099
CVE Description "Predictable session identifiers in Crystal Enterprise web front-end"

Crystal Reports uses a cookie to store a session identifier. This identifier is
not random and does not contain enough entropy, and is therefore predictable.

This could allow an attacker to hijack an authenticated session from anywhere
that has access to the Crystal Reports server.
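The following is an added example illustrating the vulnerability class described above; it is not code from this advisory, from MWR InfoSecurity or from Business Objects, and the advisory does not describe the actual Crystal Enterprise identifier scheme. The weak generator (a zero-padded counter plus issue timestamp) is a hypothetical stand-in for a low-entropy scheme. The example contrasts it with an identifier drawn from the operating system CSPRNG, and includes a per-position entropy estimate that a tester can run over a sample of captured cookie values to flag a predictable scheme before an attacker does. The 64-bit threshold follows the usual minimum for session identifiers; 128 bits is the usual target for new designs.

```python
"""Added example (not part of the NISCC advisory or any vendor code).

Contrasts a hypothetical low-entropy session identifier with a CSPRNG-based
one, and provides a per-position entropy estimate for auditing a sample of
issued identifiers.
"""
import math
import secrets
from collections import Counter
from typing import Iterable, List


def weak_session_id(counter: int, unix_time: int) -> str:
    """Hypothetical weak scheme: zero-padded counter + issue timestamp.

    Both fields are either sequential or observable, which is why such an
    identifier fails the "not predictable" requirement for session cookies.
    """
    return f"{counter:06d}{unix_time:010d}"


def strong_session_id(n_bytes: int = 32) -> str:
    """Recommended scheme: 256 bits from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(n_bytes)


def estimate_entropy_bits(ids: Iterable[str]) -> float:
    """Sum of per-position Shannon entropies over a sample of identifiers.

    This is an upper bound on the entropy actually present (positions may be
    correlated), so a LOW result is conclusive evidence of a weak scheme,
    while a high result only says the sample did not reveal a weakness.
    """
    sample: List[str] = list(ids)
    if not sample:
        return 0.0
    width = min(len(s) for s in sample)
    n = len(sample)
    total = 0.0
    for pos in range(width):
        counts = Counter(s[pos] for s in sample)
        total -= sum((c / n) * math.log2(c / n) for c in counts.values())
    return total


def classify(ids: Iterable[str], min_bits: float = 64.0) -> str:
    """Return 'predictable' when the sample shows under min_bits of variation."""
    return "predictable" if estimate_entropy_bits(ids) < min_bits else "ok"


def sample_weak(n: int = 200, start_ts: int = 1164720000) -> List[str]:
    # Constructed sample: one session issued per second with a sequential
    # counter, as a busy server running the weak scheme might produce.
    return [weak_session_id(i, start_ts + i) for i in range(1, n + 1)]


def sample_strong(n: int = 200) -> List[str]:
    # Constructed sample: the same number of identifiers from the strong scheme.
    return [strong_session_id() for _ in range(n)]


if __name__ == "__main__":
    for name, ids in (("weak", sample_weak()), ("strong", sample_strong())):
        bits = estimate_entropy_bits(ids)
        print(f"{name:6s} ~{bits:6.1f} bits of variation -> {classify(ids)}")
```

Run against 200 identifiers from each scheme, the weak sample shows roughly 15 bits of variation (only the low digits of the counter and timestamp change), while the CSPRNG sample shows well over 200 bits. The estimate is deliberately conservative in one direction: because it treats positions as independent it can overstate entropy, so it is useful for rejecting a scheme, not for certifying one; certification rests on the generator design, which is why the patch, not the measurement, is the fix.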

Mitigation
----------
Best practice guidelines should be followed so that only internal, trusted machines
have access to the web front-end. However, patches are available and should be installed.

Solution
--------
A Cumulative Hot Fix was issued on 9th June 2006 which fixes the vulnerability in
Crystal Enterprise 10.

Crystal Reports 9 is an end-of-life product and Business Objects recommend that users
upgrade to version 10. The mitigation section above still applies.

Individual Cumulative Hot Fixes do not have numbers, but all hot fixes released after
the above contain the fix for this vulnerability.

References
----------

MWR InfoSecurity have released their own advisory in addition to this, which is available at:

https://www.mwrinfosecurity.com/news/1632.html

Vendor Information
------------------
Business Objects is a global business intelligence (BI) software company, with more
than 39,000 customers - including over 80 percent of the Fortune 500 - and a network of
more than 3,000 partners and resellers.

For further information about Business Objects, please visit their website
at http://www.businessobjects.com.

Credits
-------

The NISCC Vulnerability Management Team would like to thank MWR InfoSecurity for
reporting this vulnerability.

The NISCC Vulnerability Management Team would also like to thank Business Objects
for their co-operation and assistance in the handling of this vulnerability.

Contact Information
-------------------
The NISCC Vulnerability Management Team can be contacted as follows:

Email vulteam@niscc.gov.uk
Please quote the advisory reference in the subject line

Telephone +44 (0)870 487 0748 Ext 4511
Monday - Friday 08:30 - 17:00

Fax +44 (0)870 487 0749

Post Vulnerability Management Team
NISCC
PO Box 832
London
SW1P 1BG

We encourage those who wish to communicate via email to make use of our PGP key. This is
available from http://www.niscc.gov.uk/niscc/publicKey2-en.pop.

Please note that UK government protectively marked material should not be sent to the email
address above.

If you wish to be added to our email distribution list please email your request to
uniras@niscc.gov.uk.

What is NISCC?
--------------
For further information regarding the UK National Infrastructure Security Co-ordination
Centre, please visit http://www.niscc.gov.uk.

Reference to any specific commercial product, process, or service by trade name, trademark
manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or
favouring by NISCC. The views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.

Neither shall NISCC accept responsibility for any errors or omissions contained within
this advisory. In particular, they shall not be liable for any loss or damage whatsoever,
arising from or in connection with the usage of information contained within this notice.

© 2006 Crown Copyright
