AUSCERT External Security Bulletin Redistribution
Security Vulnerability for ActiveX Control packaged with IBM
Cognos Disclosure Management Client (CVE-2013-0501)
9 April 2013
AusCERT Security Bulletin Summary
Product: IBM Cognos Disclosure Management
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
CVE Names: CVE-2013-0501
--------------------------BEGIN INCLUDED TEXT--------------------
Security Vulnerability for ActiveX Control packaged with IBM Cognos Disclosure
Management Client (CVE-2013-0501)
Cognos Disclosure Management
A third-party ActiveX control (EdrawSoft) may have been registered in the
Windows registry by the CDM client installation process. This ActiveX control
contains a security vulnerability that could allow unauthorized file access to
the user's machine from malicious web sites.
Using the Common Vulnerability Scoring System (CVSS) v2, the security ratings
for these issues are:
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82345 for the
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
The EdrawSoft ActiveX control is marked as "safe for scripting", meaning that
once installed on a client machine, it can be controlled from web pages. Users
that visit malicious web sites on the Internet can have their local files
uploaded to these websites or binary files forcefully downloaded onto their
machines. Newly downloaded binary files can also be executed from the malicious
IBM Cognos Disclosure Management 10.2.0
The registration of the ActiveX control should be removed from the Windows
registry to prevent any security vulnerabilities. This will not affect how the
ActiveX control works within the CDM product; it will just remove access from
outside the application.
The following registry keys should be removed if they exist:
It is recommended that the registry keys are backed up prior to making any changes.
Please refer to the instructions below for backing up and deleting a registry key:
1. Log in to the machine as a local administrator.
2. Open the registry editor (regedit at the command line).
3. Locate and click on the key that is to be removed.
4. Click on the File menu and select 'Export'.
5. In the Save In box, select the location to save the file to and an appropriate file name. Click Save.
6. Delete the key by right-clicking on the key and selecting 'Delete'.
7. To restore a key, double-click on the saved .reg file.
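The manual regedit procedure above, and the "safe for scripting" marking described earlier, can be handled in one administrative script. The following PowerShell is an added example, not part of the IBM or AusCERT bulletin: it reports whether a control's CLSID registration carries the safe-for-scripting / safe-for-initializing category markers, exports the key to a .reg backup, and removes the key only when -Remove is given. The CLSID is a placeholder parameter, because the bulletin as reproduced here does not list the actual key names; the two category GUIDs are the standard Windows component-category identifiers.

```powershell
# Added example (not from the IBM/AusCERT bulletin): inspect, back up and remove
# an ActiveX control's CLSID registration, mirroring the manual regedit steps.
# $Clsid is a PLACEHOLDER supplied by the operator; the bulletin does not list the keys.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')]
    [string]$Clsid,
    [string]$BackupDir = "$env:TEMP\activex-backup",
    [switch]$Remove
)

# Standard component-category GUIDs: a control listing these under "Implemented Categories"
# is treated by the browser as safe to script / initialize from a web page.
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

$keyPath = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Output "$Clsid is not registered; nothing to do."
    return
}

# Report what the registration exposes before touching it.
$server = (Get-ItemProperty -LiteralPath "$keyPath\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
$cats   = Get-ChildItem -LiteralPath "$keyPath\Implemented Categories" -ErrorAction SilentlyContinue |
          ForEach-Object { $_.PSChildName }
Write-Output "Control DLL          : $server"
Write-Output "Safe for scripting   : $($cats -contains $SafeForScripting)"
Write-Output "Safe for initializing: $($cats -contains $SafeForInitializing)"

# Steps 4-5 of the manual procedure: export the key to a .reg file (restorable by double-click).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir ("CLSID_" + $Clsid.Trim('{}') + ".reg")
& reg.exe export "HKCR\CLSID\$Clsid" $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $keyPath failed; key not removed." }
Write-Output "Backup written to $backupFile"

# Step 6: delete the key only when -Remove is given, so the default run is read-only.
if ($Remove) {
    Remove-Item -LiteralPath $keyPath -Recurse -Force
    Write-Output "Removed $keyPath (restore with: reg.exe import `"$backupFile`")"
}
```

Run it from an elevated PowerShell session first without -Remove to confirm the control's DLL path and category markers, then again with -Remove once the backup location has been verified.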
This issue has been corrected in an update from EdrawSoft and will be included
in future releases of CDM.
For more assistance, please contact IBM Support.
Complete CVSS Guide
On-line Calculator V2
X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82345
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
5 April 2013: Original Copy Published
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information" at
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.