Vulnerability Note VU#229047
Allround Automations PL/SQL Developer v11 performs updates over HTTP
Original Release date: 25 Apr 2016 | Last revised: 25 Apr 2016

Overview
Allround Automations PL/SQL Developer version 11 checks for updates over HTTP and does not verify updates before executing commands, which may allow an attacker to execute arbitrary code.

Description
CWE-345: Insufficient Verification of Data Authenticity – CVE-2016-2346
According to the researcher, Allround Automations PL/SQL Developer version 11 periodically checks for updates over HTTP. When an update is available, PL/SQL Developer downloads the update and executes the update without verifying authenticity or performing other checks.

By intercepting such requests and modifying the necessary fields, an attacker with a man-in-the-middle position between the victim and the network may be able to write arbitrary data to vulnerable devices and execute arbitrary code with permissions of the PL/SQL Developer user.

Impact
A remote attacker with a man-in-the-middle position may be able to execute code with permissions of the PL/SQL Developer user.

Solution
Apply an update

PL/SQL Developer version 11.0.6 has been released to address this issue.

The update utility now uses HTTPS and restricts downloads to the allroundautomations.com domain.
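
The two restrictions described above (HTTPS only, downloads limited to the allroundautomations.com domain), written out as an added example; this is not the vendor's code, and the function names are hypothetical. The SHA-256 comparison goes beyond the fix the advisory describes and assumes the expected digest is obtained out of band; it is included because the CWE-345 finding is that the update was executed without any authenticity check.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

ALLOWED_DOMAIN = "allroundautomations.com"  # domain named in the advisory


def is_trusted_update_url(url: str) -> bool:
    """Accept only https:// URLs whose host is the vendor domain or a subdomain."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False  # plain HTTP can be rewritten by anyone on the path
    if parts.username is not None or parts.password is not None:
        return False  # userinfo can make another host look like the vendor
    if port not in (None, 443):
        return False
    # Exact match or a true subdomain; a bare suffix test would also accept
    # look-alike registrations that merely end in the vendor name.
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)


def verify_payload(payload: bytes, expected_sha256_hex: str) -> bool:
    """Compare downloaded bytes to a digest obtained out of band (assumption)."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def accept_update(url: str, payload: bytes, expected_sha256_hex: str) -> bool:
    """Gate to pass before an updater writes or executes anything."""
    return is_trusted_update_url(url) and verify_payload(payload, expected_sha256_hex)
```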

Affected users may also consider the following workaround:
Avoid untrusted networks

Avoid using untrusted networks, including public WiFi. Using your device on an untrusted network increases the chance of falling victim to a man-in-the-middle attack that could intercept your HTTP data.

Vendor Information

Vendor | Status | Date Notified | Date Updated
Allround Automations | Affected | 15 Mar 2016 | 25 Apr 2016

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal | 6.4 | E:POC/RL:U/RC:UR
Environmental | 4.8 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

https://adamcaudill.com/2016/02/02/plsql-developer-nonexistent-encryption/

Credit

Thanks to Adam Caudill for reporting this vulnerability.
This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2016-2346
Date Public: 29 Apr 2016
Date First Published: 25 Apr 2016
Date Last Updated: 25 Apr 2016
Document Revision: 41

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.