Full Report
Polarion ALM is affected by incorrect default path permissions in the installation path and by improper authentication in the REST API endpoints of the DOORS connector. An attacker could exploit the vulnerabilities for unauthenticated access or privilege escalation. Siemens has released a new version of Polarion ALM and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Polarion ALM (Path Permissions and DOORS Connector Auth)
## CVE Details
- CVE ID: CVE-2024-23813 is the only CVE ID explicitly mentioned, in connection with the DOORS connector authentication issue. No single CVE ID is listed for the two issues combined.
- CVSS Score: 7.8 (CVSS v3.1) / 8.5 (CVSS v4.0)
- CWE: Incorrect Default Permissions, Improper Authentication
## Affected Systems
- Products: Polarion ALM
- Versions: All versions
- Configurations: Systems utilizing the DOORS connector are specifically affected by the authentication flaw.
## Vulnerability Description
Polarion ALM is affected by two primary security flaws:
1. **Incorrect Default Path Permissions:** Vulnerabilities related to default file system permissions in the installation path, potentially leading to privilege escalation.
2. **Improper Authentication in DOORS Connector REST API:** Weaknesses in authentication controls for the REST API endpoints of the DOORS connector, susceptible to unauthenticated access.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but the potential outcomes are unauthenticated access or privilege escalation.
- Complexity: Likely Low to Medium, given the nature of default permission flaws and authentication bypasses.
- Attack Vector: Network (for REST API access) and Local (for path permission issues if an attacker has initial access).
## Impact
- Confidentiality: High (due to potential unauthorized access to data via the DOORS connector API).
- Integrity: High (due to potential unauthorized access leading to data modification).
- Availability: Unknown / Medium.
## Remediation
### Patches
- Siemens has released a new version for Polarion ALM. Users are strongly recommended to **update to the latest version** provided by Siemens.
### Workarounds
**For Incorrect Default Path Permissions (System/File Permissions):**
Siemens provides specific `icacls` commands to correct permissions on the installation path, including:
* Removing inheritance: `icacls "" /inheritance:r`
* Applying specific permissions to bundled PostgreSQL: `icacls "\bundled\postgres" /grant "BUILTIN\Users:(OI)(CI)RX"`
* Optional: Granting read access to HTML files: `icacls "\*.html" /grant "BUILTIN\Users:R"`
**For Improper Authentication in the DOORS Connector (CVE-2024-23813):**
Mitigation relies on configuring Apache to restrict access to the connector endpoints:
1. **If DOORS Connectors are NOT used:**
   * Add `Require all denied` to `polarion(-cluster).conf`.
   * Enable `mod_headers` in `httpd(-cluster).conf` by ensuring `LoadModule headers_module modules/mod_headers.so` is uncommented.
   * Restart the Apache HTTP Server.
2. **If DOORS Connectors ARE used:**
   * Restrict access based on hostname or client IP address in `polarion(-cluster).conf` (e.g., `Require host ...` or `Require ip ...`).
   * Enable `mod_headers` as described above.
   * Restart the Apache HTTP Server.
## Detection
- **Indicators of Compromise:** Look for unauthorized network traffic targeting specific REST API paths associated with the DOORS connector or unexpected modifications to files within the Polarion installation directory.
- **Detection Methods and Tools:** Review web server (Apache) and system logs for unusual authentication failures or successful requests from unauthorized IP addresses/hostnames targeting API endpoints, especially outside expected application traffic patterns.
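The Apache log review described above, as an added example (not part of the advisory and not Siemens code): it flags requests to the connector path from clients outside the allowlist and separates those the `Require` rule blocked from those that were served. The path prefix is a placeholder because this page does not name the endpoints; the allowlisted network and the sample log lines are constructed.

```python
import ipaddress
import re

# Assumption: placeholder prefix; this page does not name the connector endpoints.
CONNECTOR_PREFIX = "/PLACEHOLDER-doors-connector-path/"
# Assumption: the network permitted by `Require ip` in polarion(-cluster).conf.
ALLOWED_NETS = [ipaddress.ip_network("10.20.30.0/24")]

# Apache common/combined format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return (client, path, status, verdict) for connector requests from
    clients outside the allowlist, or None for every other line."""
    m = LOG_RE.match(line)
    if not m or not m["path"].startswith(CONNECTOR_PREFIX):
        return None
    status = int(m["status"])
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        # Hostname logged instead of an IP: cannot be checked here, so surface it.
        return (m["ip"], m["path"], status, "unresolved-client")
    if any(ip in net for net in ALLOWED_NETS):
        return None
    # 401/403 means the access rule held; any other status was served.
    verdict = "blocked" if status in (401, 403) else "served-to-unlisted-client"
    return (str(ip), m["path"], status, verdict)

def scan(lines):
    """Collect every flagged connector request, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '10.20.30.15 - - [12/Feb/2024:09:14:02 +0000] "GET /PLACEHOLDER-doors-connector-path/status HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.44 - - [12/Feb/2024:09:15:40 +0000] "POST /PLACEHOLDER-doors-connector-path/sync HTTP/1.1" 200 1843 "-" "-"',
    '198.51.100.7 - - [12/Feb/2024:09:16:01 +0000] "GET /PLACEHOLDER-doors-connector-path/status HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.44 - - [12/Feb/2024:09:17:12 +0000] "GET /polarion/ HTTP/1.1" 200 9000 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A `served-to-unlisted-client` hit after the workaround is applied means the `Require` rule is not covering that path and the configuration should be rechecked.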
## References
- Vendor Advisories: SSA-871717
- Relevant links:
  - `https://www.siemens.com/cert/advisories`
  - `https://cert-portal.siemens.com/productcert/html/ssa-871717.html` (defanged)