i-net Clear Reports Security Advisory 2020-APR-06

Berlin, Apr 06, 2020

This advisory announces a security vulnerability in versions 16.0 - 19.2 of i-net Clear Reports Server that we have found and fixed in versions 16.4, 17.1, 18.1, and 19.2. In addition to releasing each of these versions, we also provide patches (in the form of a plugin upgrade) for the vulnerability for versions 17.0 - 19.2. This means you are able to fix the issue for your current installation of i-net Clear Reports without needing to fully update to the latest version of i-net Clear Reports.

Note: this vulnerability only affects i-net Clear Reports servers from versions 16.0 - 19.2.

Improper Path Traversal

Severity

We rate the severity level of this vulnerability as critical - it is easy to exploit and provides an attacker with the ability to download any file on the server system that the i-net Clear Reports process has access to.

Risk Assessment

This vulnerability affects any running instance of the i-net Clear Reports server that is reachable by an attacker. It allows an attacker to download any file on the system that the i-net Clear Reports server process has access to, without needing to log in. This type of attack is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal").

Vulnerability

The vulnerability existed in any i-net Clear Reports server from version 16.0 to 19.2. We have fixed this issue for each of the latest of the major versions (16.4, 17.1, 18.1, and 19.2), and are also providing a simple patch for any affected server, versions 17.0 - 19.2. We have registered this vulnerability in the Common Vulnerabilities database as CVE-2020-11431.

Risk Mitigation

If your version of i-net Clear Reports is 17.0 - 19.2, we recommend that you replace your help.zip plugin file to fix this vulnerability. Please see the 'fix' section below for instructions on how to do this.

If your version is 16.0 - 16.4, then you will need to update to the latest release of i-net Clear Reports 16.4. Please see the 'fix' section below for instructions on how to do this.

If you are not in a position to replace this file or update your installation and you judge it necessary, you can apply the following mitigation, which will disable your i-net Clear Reports online Help system and thereby remove the vulnerability:

  • Disable the plugin “Help”
    • To do this, enter your server’s “Configuration” module
    • Open the category “Plugins”
    • Open up the folder “System”
    • Deactivate the checkbox next to “Help”
    • Click on Save
    • In the box that opens, click “Restart” to restart your service - or alternatively, restart your i-net Clear Reports server manually.

Fix

Please choose one of the options below that best suits your situation.

Option 1 (recommended for versions 17.0 - 19.2): Update the help.zip file

If you are running i-net Clear Reports 17.0 - 19.2, then a simple replacement of the help.zip plugin file with a patched version will fix this issue immediately.

  1. Download the version of the help.zip file that matches your product version. See the table below.
    • (Note: To double-check which version of i-net Clear Reports you have, simply visit your i-net Clear Reports start page and look at the light grey text at the bottom right of the page.)
  2. Stop your i-net Clear Reports service.
    • Windows: Press Windows+R and type services.msc, then hit enter. In the Services dialog, find “i-net Clear Reports Server”, right-click, and click on “Stop”.
    • Mac: In your System Preferences, enter the i-net Clear Reports entry and click the on/off button to turn off the service.
    • Linux: In a terminal, run service clear-reports stop
  3. Copy the downloaded help.zip file into your server’s “plugins” directory, replacing the old help.zip file.
    • The default location of the plugins directory is:
      • Windows: C:\Program Files\i-net Clear Reports\plugins
      • Mac: /Applications/i-net Clear Reports.app/Contents/Java/plugins
      • Linux: /usr/share/i-net-clear-reports/plugins
    • Important: Do not rename the old file; remove it entirely or replace it.
  4. Restart your i-net Clear Reports service.
    • Windows: Press Windows+R and type services.msc, then hit enter. In the Services dialog, find “i-net Clear Reports”, right-click, and click on “Start”.
    • Mac: In your System Preferences, enter the i-net Clear Reports entry and click the on/off button to turn on the service.
    • Linux: In a terminal, run service clear-reports start
i-net Clear Reports Version      Download Link of Fixed help.zip File                                 MD5 Hash
i-net Clear Reports 17.0 - 17.1  https://download.inetsoftware.de/security/clearreports/17/help.zip   a794890dbecb9950bf9e975d372bf305
i-net Clear Reports 18.0 - 18.1  https://download.inetsoftware.de/security/clearreports/18/help.zip   e40d417f2303980601530efb4d9300c6
i-net Clear Reports 19.0 - 19.2  https://download.inetsoftware.de/security/clearreports/19/help.zip   12e2b6ad81698eaeefc31c14db714d4d
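The following shell script is an added example, not part of the advisory or of i-net software's tooling: it checks a downloaded help.zip against the MD5 hashes in the table above before installing it, then performs the Linux replacement steps exactly as the advisory lists them (stop the service, remove rather than rename the old file, copy the new one, start the service). The plugins directory defaults to the Linux path given above; the service name `clear-reports` is the one the advisory uses.

```shell
#!/bin/sh
# Added example (not from the advisory). Verify a downloaded help.zip against the
# advisory's MD5 table, then install it on Linux following the advisory's steps.

# Expected MD5 per product major version, copied from the advisory's table.
expected_md5_for_version() {
    case "$1" in
        17) echo "a794890dbecb9950bf9e975d372bf305" ;;
        18) echo "e40d417f2303980601530efb4d9300c6" ;;
        19) echo "12e2b6ad81698eaeefc31c14db714d4d" ;;
        *)  return 1 ;;   # 16.x has no help.zip patch; a full update is required
    esac
}

# Compute the MD5 of a file with GNU md5sum or, failing that, BSD md5.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Return 0 only if the file's MD5 matches the advisory's hash for that version.
verify_help_zip() {
    version="$1"; file="$2"
    expected=$(expected_md5_for_version "$version") || {
        echo "no help.zip patch exists for version $version" >&2; return 2; }
    actual=$(file_md5 "$file")
    [ "$actual" = "$expected" ]
}

# Install the verified file. Refuses to touch the server if the hash mismatches.
# Assumes the Linux default plugins directory from the advisory (override via $3).
install_help_zip() {
    version="$1"; file="$2"
    plugins_dir="${3:-/usr/share/i-net-clear-reports/plugins}"
    if ! verify_help_zip "$version" "$file"; then
        echo "MD5 mismatch for $file; not installing" >&2
        return 1
    fi
    service clear-reports stop
    rm -f "$plugins_dir/help.zip"          # remove, do not rename (advisory note)
    cp "$file" "$plugins_dir/help.zip"
    service clear-reports start
}
```

Run as root, e.g. `install_help_zip 19 ./help.zip`; a hash mismatch leaves the running server untouched.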

Option 2 (required for versions 16.0 - 16.4): Update i-net Clear Reports to the latest version

The latest versions of i-net Clear Reports contain this fix as well as any other less critical bug fixes and improvements that we have added since the release of your current version.

For further information, please see the Release Notes section of our website.

To download the latest release of your i-net Clear Reports version, see the links in the following table:

What We Are Changing

To protect against such vulnerabilities in the future, our development team has spent much time analyzing why this problem occurred and why it was not caught earlier through tests and code reviews. This has led to multiple changes in our development procedures to raise the bar of our software quality even higher.

We have also added automated tests to our test suite which will automatically check for CWE-22 vulnerabilities throughout our products.

Acknowledgment & Thanks

We’d like to give our sincere thanks to the company Secarma for reporting this issue to us in a confidential, professional, and timely manner.

Secarma have let us know that they are planning on a public disclosure of all details of this vulnerability, including the steps to exploit it, around the end of June 2020 - which we fully support. For this reason, it is absolutely vital to fix your systems by this time.

Questions?

If you have any further questions regarding this vulnerability, you can contact us at security@inetsoftware.de and we will get back to you as soon as possible.

We apologize for this issue. Your trust is deeply important to us, so rest assured that we will continue to make sure such issues are extremely rare and that if they occur, they will always be immediately dealt with and communicated to you without delay.
