Security Advisory – April 26, 2007

The development team for the Process Dashboard treats security as our top priority. For years, we have built enterprise-level security mechanisms into the Process Dashboard code. Accordingly, we are always vigilant to ensure that security is addressed and maintained for our users.

On April 24, a vulnerability was discovered in version 1.7 of the Process Dashboard. Fixing the vulnerability and releasing a patched version of the dashboard became our sole priorities. Version 1.8 of the dashboard, released on April 26, fully addresses this vulnerability.

Fortunately, the default configuration of the Process Dashboard is already locked down, so most users are not exposed to remote attacks against this vulnerability. However, all users are strongly encouraged to upgrade.

More information about the vulnerability is given below. Individuals with additional questions are encouraged to contact the Process Dashboard development team.

Description of the Vulnerability

Building upon the expressive power of the World Wide Web, the dashboard displays many process scripts, forms, and tools in your web browser. To facilitate this, the dashboard contains a tiny, embedded web server. (The existence and role of this web server is documented in the dashboard’s online help.) This embedded web server is designed only to serve web pages and files that are included along with the Process Dashboard, unless you configure the dashboard otherwise.

However, it was discovered that by using a malicious/malformed HTTP request, an attacker could connect to this web server and read other files present on your computer’s hard drive. The attacker would have to know the exact name and location of a file in advance, and construct the malicious request specifically for that file.
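The defect described above is an embedded file server that can be talked into returning a file outside the directory it is meant to serve. The following is an added example, not code from the Process Dashboard or its fix for version 1.8: it shows the containment check such a handler needs, performed on the canonical (decoded, symlink- and ".."-resolved) path rather than on the raw request string. The function names, the throwaway document root and the request strings in `self_check` are all constructed for the demonstration.

```python
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote


class ForbiddenPath(Exception):
    """Raised when a request path would resolve to a file outside the served tree."""


def resolve_served_file(doc_root: str, request_path: str) -> Path:
    """Map an HTTP request path onto a file under doc_root, or raise ForbiddenPath.

    The check is done on canonical paths: percent-decoding happens first, so an
    encoded separator or dot is seen for what it is; then '..' components and
    symlinks are resolved by the OS; only then is containment in doc_root tested.
    Inspecting the raw request string instead (for example, searching it for
    "..") is the kind of shortcut that lets a malformed request slip through.
    """
    root = Path(doc_root).resolve()
    decoded = unquote(request_path)
    if "\x00" in decoded:
        # A NUL byte can truncate the path at the C library level.
        raise ForbiddenPath(request_path)
    # Drop leading separators so the join below stays relative to the root.
    relative = decoded.lstrip("/\\")
    candidate = (root / relative).resolve()
    try:
        candidate.relative_to(root)  # ValueError when candidate lies outside root
    except ValueError:
        raise ForbiddenPath(request_path) from None
    return candidate


def self_check() -> dict:
    """Exercise the resolver against a throwaway document root.

    The directory and its single page are constructed here for the demonstration.
    Returns a mapping of request path -> "served" or "forbidden".
    """
    root = Path(tempfile.mkdtemp(prefix="served-root-"))
    try:
        (root / "help").mkdir()
        (root / "help" / "index.htm").write_text("<html>help</html>")
        requests = [
            "/help/index.htm",             # ordinary request
            "help//index.htm",             # doubled separator, still inside
            "/help/../help/index.htm",     # '..' that stays inside the root
            "/help/../../outside.txt",     # resolves above the root: rejected
            "/%2e%2e/outside.txt",         # same thing, percent-encoded: rejected
            "/help/%00index.htm",          # embedded NUL: rejected
        ]
        outcomes = {}
        for req in requests:
            try:
                resolve_served_file(str(root), req)
                outcomes[req] = "served"
            except ForbiddenPath:
                outcomes[req] = "forbidden"
        return outcomes
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for req, outcome in self_check().items():
        print(f"{outcome:9s} {req}")
```

Note that the decision is made only after `Path.resolve()` has followed symlinks: a link inside the served tree that points elsewhere is rejected by the same `relative_to` test, which a string-based check would miss.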

The Extent of the Vulnerability

“Process Dashboard” Users

When you perform the default installation of the Process Dashboard, the embedded web server will be configured to accept connections only from the local computer (i.e. “localhost”). As a result, the vast majority of Process Dashboard users will not be exposed to remote attacks by this vulnerability.

“Joining” a team project does not affect this configuration setting. Even if you participate as a member of a team project, your dashboard will still only be accepting local connections.

Thus, in the typical usage scenario, an attacker would not be able to connect to the dashboard’s embedded web server unless they were first able to run a program on your computer. If they were able to run a program on your computer, that program would very likely be able to read files off the hard drive directly, rather than going through the dashboard.

Exception #1: Users in a thin-client, Citrix, or shared Unix server environment might still be vulnerable. If several people are all logged in directly to a particular server, and the Process Dashboard is run on that shared server instead of the local client machine, another person logged into the server might be able to exploit this vulnerability to bypass file permissions and read files belonging to another user.

Exception #2: If you have ever created a team project and run the “Team Project Setup Wizard” to completion, your dashboard’s configuration may have been unlocked to support the team functionality. To verify, you can choose “C > Data Analysis” from the main dashboard toolbar. A page will be displayed in your web browser. If the URL of that page begins with “http://localhost:3000/”, your dashboard is most likely accepting connections from other computers. You can change this configuration back to the more secure mode by removing the “http.allowRemote” line from your configuration file. For more information, choose “C > Help > Search” and search for the text “allowRemote”.

“Team Dashboard” Users

When you install version 1.7 of the Process Dashboard, you can elect to install the “Tools for Team Leaders” option. Selecting this option creates a second shortcut on your computer, with the name “Team Dashboard”. That shortcut will launch a dashboard window that displays the text “Team Dashboard” in the title bar.

That “Team Dashboard” instance is configured to accept connections from other computers, to facilitate the “joining” process and to allow remote viewing of the team project plan. (Note that the installer will also create a “Process Dashboard” shortcut; that “Process Dashboard” shortcut will be locked down by default, as described in the section above.)

Occasional users of a “Team Dashboard” shortcut will not be vulnerable simply because the “Team Dashboard” shortcut is on their desktop. The embedded web server will only be accepting remote connections while the “Team Dashboard” window is running.

While the “Team Dashboard” instance does accept connections from other computers, it is not generally accepting connections from the entire Internet. An attacker would need to connect to port 3000 on your computer to exploit this vulnerability. Thus, if you are behind a corporate firewall, an attacker would most likely need to be on the corporate LAN / WAN.

In addition, many organizations today deploy personal firewalls on all computers. (Team Dashboard users may discover that personal firewalls are in effect if the “join team project” functionality does not work between two computers on the same LAN.) If a personal firewall is active on your computer, and is blocking inbound connections to port 3000, then you should not be exposed to a remote attack on this vulnerability.
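Two of the checks this advisory asks users to make by hand (Exception #2 above: is the “http.allowRemote” line present in the configuration file; and this section: is anything on port 3000 reachable from other computers) can be scripted. The following is an added example, not a tool shipped with the Process Dashboard. It assumes the configuration file uses Java-style `key=value` property lines (so the line looks like `http.allowRemote=true`) and that listening sockets are read from the output of `ss -ltn` on Linux; both the sample configuration text and the sample `ss` output below are constructed for the demonstration.

```python
import re
import subprocess
from typing import Dict, Optional

DASHBOARD_PORT = 3000  # port named in the advisory

# Matches a Java-style property line; value separator may be '=' or ':' (assumed format).
ALLOW_REMOTE_RE = re.compile(r"^\s*http\.allowRemote\s*[=:]?\s*(.*?)\s*$")
# Matches one LISTEN row of `ss -ltn`: state, Recv-Q, Send-Q, local address:port.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def allow_remote_setting(config_text: str) -> Optional[str]:
    """Return the value on the http.allowRemote line, or None if the line is absent.

    None is the locked-down state the advisory recommends restoring; the value
    string (possibly empty) means the line is present and should be removed.
    """
    for raw in config_text.splitlines():
        if raw.lstrip().startswith(("#", "!")):  # property-file comment lines
            continue
        m = ALLOW_REMOTE_RE.match(raw)
        if m:
            return m.group(1)
    return None


def exposed_listeners(ss_output: str, port: int = DASHBOARD_PORT) -> Dict[str, str]:
    """Classify every socket listening on `port` by the address it is bound to.

    Returns {local_address: "local-only" | "all-interfaces" | "specific"}.
    Only "local-only" corresponds to the default (localhost) configuration.
    """
    classes = {}
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m or int(m.group(2)) != port:
            continue
        addr = m.group(1)
        if addr in ("127.0.0.1", "[::1]", "::1"):
            classes[addr] = "local-only"
        elif addr in ("0.0.0.0", "*", "[::]", "::"):
            classes[addr] = "all-interfaces"
        else:
            classes[addr] = "specific"  # bound to one non-loopback interface
    return classes


def assess(config_text: str, ss_output: str, port: int = DASHBOARD_PORT) -> dict:
    """Combine both checks into one report with a one-word verdict."""
    listeners = exposed_listeners(ss_output, port)
    if any(c != "local-only" for c in listeners.values()):
        verdict = "remote-reachable"   # still subject to any firewall in the path
    elif listeners:
        verdict = "local-only"
    else:
        verdict = "not-listening"
    return {
        "allow_remote": allow_remote_setting(config_text),
        "listeners": listeners,
        "verdict": verdict,
    }


def live_ss_output() -> str:
    """Run `ss -ltn` on the local machine (Linux) and return its output."""
    return subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout


# Constructed samples: a configuration file left unlocked by the setup wizard,
# and ss output from a machine where the dashboard listens on every interface.
SAMPLE_CONFIG = """\
# constructed sample configuration (format assumed)
http.allowRemote=true
"""
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      50     0.0.0.0:3000        0.0.0.0:*
LISTEN 0      50     [::]:3000           [::]:*
"""

if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG, SAMPLE_SS))
```

To check a real machine, pass the contents of your own configuration file and `live_ss_output()` to `assess`; a "remote-reachable" verdict means the listener itself accepts connections from other computers, and whether those connections actually arrive then depends on the corporate or personal firewall described above.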

Dashboard version 1.6 and earlier

Before version 1.7 of the Process Dashboard, the embedded web server was not locked down by default. Thus, users on earlier versions of the Process Dashboard could be vulnerable while the dashboard is running, as described in the previous section.

Disclaimer of Warranty

The guidance on this page is provided to help individuals make the most informed decision possible. However, it cannot anticipate all network/firewall/routing configurations. Thus, it is provided with NO WARRANTY. Even if the guidance on this page suggests that you are not vulnerable to a remote exploit, you are strongly encouraged to upgrade to the latest version of the Process Dashboard.