{"id":16555,"date":"2021-07-07T12:42:48","date_gmt":"2021-07-07T10:42:48","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2018-0016\/"},"modified":"2021-07-19T14:08:10","modified_gmt":"2021-07-19T12:08:10","slug":"usd-2018-0016","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2018-0016\/","title":{"rendered":"usd-2018-0016"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2018-0016 | Lexware Professional 2017\/17.02<\/span><\/h1>\n<p><span><\/span><br \/><strong>Advisory ID<\/strong><span>: usd-2018-0016<\/span><br \/><strong>CVE Number<\/strong><span>: N\/A<\/span><br \/><strong>Affected Product<\/strong><span>: Lexware Professional 2017<\/span><br \/><strong>Affected Version<\/strong><span>: 17.02<\/span><br \/><strong>Vulnerability Type<\/strong><span>: Denial of Service<\/span><br \/><strong>Security Risk<\/strong><span>: High<\/span><br \/><strong>Vendor URL<\/strong><span>: <\/span><a href=\"https:\/\/shop.lexware.de\/reisekosten-abrechnung\" target=\"_blank\" rel=\"noopener\">https:\/\/shop.lexware.de\/reisekosten-abrechnung<\/a><br \/><strong>Vendor Status<\/strong><span>: Fixed<\/span><\/p>\n<h3><\/h3>\n<h3>Description<\/h3>\n<p>The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or the way the service handles resources it uses.<\/p>\n<p>Sometimes the attacker can inject and execute arbitrary code while performing a DoS attack in order to access critical information or execute commands on the server.<br \/>Denial-of-service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.<\/p>\n<p>As stressed in the advisories <a href=\"\/security-advisories\/usd-2018-0013\/\">usd-2018-0013<\/a>, <a href=\"\/security-advisories\/usd-2018-0014\/\">usd-2018-0014<\/a> and <a href=\"\/security-advisories\/usd-2018-0015\/\">usd-2018-0015<\/a> the lack of ability to change the default database connection credentials within the application client, indicates that any changes to the encrypted password effectively prevents clients from successfully connecting to the database and thus providing an efficient DoS.<\/p>\n<p><span><\/span><\/p>\n<h3>Proof of Concept<\/h3>\n<p><span>A sample screenshot is provided to enhance the ease of understanding.<\/span><\/p>\n<p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/lexware_dos_screenshot.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"lexware_dos_screenshot\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<h3>Fix<\/h3>\n<p><span>The default database credentials should be removed from the application.<\/span><\/p>\n<h3><\/h3>\n<h3><\/h3>\n<h3><\/h3>\n<h3>Credits<\/h3>\n<p><span>This security vulnerabilities were found by Sebastian Puttkammer of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2018-0016 | Lexware Professional 2017\/17.02 Advisory ID: usd-2018-0016CVE Number: N\/AAffected Product: Lexware Professional 2017Affected Version: 17.02Vulnerability Type: Denial of ServiceSecurity Risk: HighVendor URL: https:\/\/shop.lexware.de\/reisekosten-abrechnungVendor Status: Fixed Description The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16555","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16555","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16555"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16555\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16555"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}