Bluecats Bc Reveal 5.13 Remote Code Execution Vulnerability

Summary

The iOS mobile application BlueCats Reveal before 5.14 stores the username and password in the app cache as base64-encoded strings, which is equivalent to clear text because base64 is an encoding, not encryption. The values persist in the cache even after the user logs out. This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the iOS device or compromise it with a malicious app.
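A check for this class of flaw, as an added example (not code from BlueCats or from the original advisory): given a test account's own credentials, it scans bytes exported from an app's cache after logout for the plain value and for its base64 form at all three byte alignments. The account values, the cache contents (including the "Basic" entry) and the function names are constructed for illustration.

```python
import base64

MIN_PATTERN = 8  # skip very short patterns: too many accidental matches

def base64_cores(secret: bytes) -> list[bytes]:
    """Base64 text that `secret` always produces, one entry per byte alignment.

    Characters that also carry bits of neighbouring bytes are trimmed, so the
    value is found whether stored alone or inside a longer encoded string
    (for example "user:password").
    """
    cores = []
    for k in range(3):  # position of the secret modulo 3 in the encoded data
        enc = base64.b64encode(b"\x00" * k + secret).rstrip(b"=")
        start = (0, 2, 3)[k]  # leading chars that mix in the preceding bytes
        end = len(enc) if (k + len(secret)) % 3 == 0 else len(enc) - 1
        cores.append(enc[start:end])
    return cores

def find_leaks(blob: bytes, secret: str) -> list[tuple[str, int]]:
    """Return (form, offset) for each occurrence of `secret` in `blob`."""
    raw = secret.encode("utf-8")
    patterns = [("plain", raw)]
    patterns += [(f"base64/align{k}", c) for k, c in enumerate(base64_cores(raw))]
    hits = []
    for label, pattern in patterns:
        if len(pattern) < MIN_PATTERN:
            continue
        pos = blob.find(pattern)
        while pos != -1:
            hits.append((label, pos))
            pos = blob.find(pattern, pos + 1)
    return hits

# Constructed sample: cache bytes exported after logging out a test account.
USERNAME, PASSWORD = "alice@example.test", "Tr0ub4dor&3"
CACHE = (
    b'{"u":"' + base64.b64encode(USERNAME.encode())
    + b'","p":"' + base64.b64encode(PASSWORD.encode())
    + b'","auth":"Basic '
    + base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()) + b'"}'
)

if __name__ == "__main__":
    for name, value in (("username", USERNAME), ("password", PASSWORD)):
        for form, offset in find_leaks(CACHE, value):
            print(f"{name} still cached after logout: {form} at offset {offset}")
```

Any hit in a cache captured after logout means the credential was neither cleared nor protected; the usual remedy is to keep credentials in the iOS Keychain and purge cached responses on logout.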

Credit:

The information has been provided by Tod Beardsley.
The original article can be found at: https://itunes.apple.com/us/app/bc-reveal/id852676494


Details

Bluecats Bc Reveal is prone to a remote code-execution vulnerability. A remote attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts may result in a denial-of-service condition.

Vulnerable Systems:

  • Bluecats Bc Reveal 1.0
  • Bluecats Bc Reveal 2.0
  • Bluecats Bc Reveal 3.0
  • Bluecats Bc Reveal 3.4
  • Bluecats Bc Reveal 3.6
  • Bluecats Bc Reveal 4.0
  • Bluecats Bc Reveal 4.1
  • Bluecats Bc Reveal 4.6.4
  • Bluecats Bc Reveal 4.6.5
  • Bluecats Bc Reveal 5.0
  • Bluecats Bc Reveal 5.1
  • Bluecats Bc Reveal 5.2
  • Bluecats Bc Reveal 5.3
  • Bluecats Bc Reveal 5.4
  • Bluecats Bc Reveal 5.5
  • Bluecats Bc Reveal 5.8
  • Bluecats Bc Reveal 5.9
  • Bluecats Bc Reveal 5.10
  • Bluecats Bc Reveal 5.11
  • Bluecats Bc Reveal 5.12
  • Bluecats Bc Reveal 5.13

CVE Information:
CVE-2019-5627

Disclosure Timeline:
Publish Date: 05/22/2019
