App-6552-20180903 Deloitte Epa The Learning Link 123607-040-0500 Report Final

Mercedes-Benz USA, LLC | Statement of Responsibility
Mercedes-Benz USA, LLC

EPA Report for The Learning Link
September 3, 2018
Mercedes-Benz USA, LLC | Management Summary
Statement of Responsibility
The Report is being prepared solely for Mercedes-Benz USA, LLC (hereafter also referred to as “Mercedes-Benz
USA” or the “company”). The use may not meet the requirements or objectives of any other party.
Our work is carried out under a Statement of Work from June 29, 2018 between Deloitte GmbH
Wirtschaftsprüfungsgesellschaft (hereafter also referred to as “Deloitte”) and Mercedes-Benz USA, LLC. The scope
and objectives of this review are summarised in the Management Summary. The matters raised in this report are
only those which came to our attention during our review and are not necessarily a comprehensive statement of
all weaknesses that exist or all actions that might be taken.
No other party is entitled to rely upon the report for any purpose whatsoever and if they do choose to rely upon
the report, it will be at their own risk and without recourse to Deloitte. Should others choose to place reliance
upon any matters which we have reported, they are responsible for carrying out their own independent
investigations. Accordingly, to the fullest extent permitted by law, readers agree that Deloitte will have no duty or
liability to them in any way in connection with or arising from the report.
This work was performed under limitations of time and scope that are not potentially relevant to the actions of a
malicious attack. Our work is based at a specific point in time, in an environment where both the systems and the
threat profiles are dynamically evolving. It is therefore possible that vulnerabilities exist or will arise that were not
identified during our review and there may or will have been events, developments and changes in circumstances
subsequent to its issue which are likely to render the report’s contents wholly or partly misleading or inaccurate.
Private and confidential

This document is provided solely for Mercedes-Benz USA, LLC informational purposes and internal use, and is not
intended to be and should not be used by any person or entity other than Mercedes-Benz USA, LLC without the
written permission of Deloitte.
This document does not in any way contain an expression of an opinion or any other form of assurance on
Mercedes-Benz USA, LLC financial statements or any part thereof, nor an opinion or any other form of assurance
on Mercedes-Benz USA, LLC internal control systems or its compliance with laws, regulations, or other matters.
This report is confidential. It includes technical details of security weaknesses that if available to untrusted parties
could facilitate the execution of a breach against Mercedes-Benz USA, LLC. For that reason, access to this report
should be restricted, and the report should not be published.
Mercedes-Benz USA, LLC | Table of contents
Table of contents
Management Summary 1
Observations 3
Detailed Observations 5
Appendix A – Detailed Scope 20
Appendix B - Methodology 21
Appendix C – Testing Conditions and Limitation 22
Appendix D – Severity 23
Appendix E – List of Tools 26
Management Summary
Mercedes-Benz USA, LLC (hereafter also referred to as “Mercedes-Benz USA” or the “company”) engaged
Deloitte GmbH Wirtschaftsprüfungsgesellschaft (hereafter also referred to as “Deloitte”) to perform a
vulnerability assessment of the The Learning Link (Planning IT-ID APP-6552) application and its underlying host
in a QA environment. Our testing approach combines the use of automated scanning tools and manual
techniques. This assists with the identification of physical and logical security vulnerabilities, patching
deficiencies and misconfigurations, in order to make mitigation recommendations.
The results in this report are based on the analysis we performed remotely via the Internet from August 21 to
August 23, 2018. This report provides an indication of the security posture of the in-scope systems as of the
last day of the testing period.
Assessment Scope
The scope of the assessment is defined below; please see appendix for a more detailed scope:
Target Description
https://lnp- The Learning Link provides a business platform for employees to learn/study and
qa.corpinter.net/sites/LearnMB apply to internal training.
Table 1: Scope of the assessment
During this assessment, 1 high and 5 medium risk vulnerabilities were identified. These vulnerabilities could
lead to compromise of the confidentiality, integrity and availability of the data held within the The Learning Link
application.
The illustrated figure on the left indicates the security posture of

1
The Learning Link. Based on the highest identified risk rating, the
exposure level at the time of testing of The Learning Link is
Overall Security Posture
considered High.
High For further details and a more technical description of all identified
observations and our recommendations, please refer to the
Detailed Observations section and the appendix of this report,
6 which also details Deloitte’s methodology.
High Medium
Figure 1: Overall Security State
Key observations and recommendations

A summary of the key observations identified and actions to mitigate or to reduce the risks can be seen below:
 Insecure Direct Object References: The web application had insecure object references. This means that
users could bypass authorization and access resources in the system directly by specific input.
Recommendation: Implement a proper authentication and authorization methods to restrict access to
sensitive system resources.
 Clickjacking: We found that the application was not protected from Clickjacking attacks. During a
Clickjacking attack the original content is loaded into a hidden iframe that makes it invisible for the users.
When the user is clicking on the visible layer actually he is performing actions on the application.
Recommendation: Use the Content Security Policy (CSP) HTTP header with frame-ancestors directive to
prevent “Clickjacking” attacks. We also recommend to set the “X-Frame-Options” HTTP header with
SAMEORIGIN or DENY value as an additional layer of security.
01 The Learning Link - ID: APP-6552 - CONFIDENTIAL

 Information Disclosure: We found that the server disclosed the deployment system version information in
the HTTP responses.
Recommendation: Disable version information in the server responses.
 Weak Password Complexity: We found that the password complexity used by the application did not meet
the security good practices. The password did not require capital letters and handled numbers as special
characters.
Recommendation: Implement a password policy that ensures appropriate minimum complexity. For more
detailed recommendations refer to the respective issue or NIST Special Publication 800-63B Digital Identity
Guidelines.
 Security Misconfigurations: We found that the application did not set the security related HTTP headers.
Recommendation: Set the HTTP headers stated in the Security Misconfigurations part of this document.
 Information Disclosure in Error Messages: We found that the application sent back error messages to
the client, which sometimes contained valuable information for an attacker.
Recommendation: Use standard error messages without exposing any details about the application and the
deployment system.
 Cacheable HTTPS Response: We found that browsers were not prohibited from caching sensitive
information returned by the web server.
Recommendation: Set the application to return caching directives instructing browsers not to store local
copies of any sensitive data.
Although the vulnerabilities identified above pose a greater risk to The Learning Link, there are other
vulnerabilities detailed in this report that Mercedes-Benz USA should consider remediating before performing a
re-test to validate whether applied fixes are effective. We estimate the effort for the re-test of the vulnerabilities
identified in this report at approximately 2 days.
It should be noted that testing was performed against a QA environment. Based the information provided, the
UAT environment was identical to the production environment at the time of testing. Our report assumes that
all observations also apply to the production environment of The Learning Link. However, the observations
identified were not verified in production. Our experience tells us that there may be slight configuration
deviations between QA and production environments. Therefore, additional or slight variations of these security
observations might exist in the production environment. We recommend Mercedes-Benz USA perform a full
setup and configuration comparison between the tested QA and the production environment to verify their
setup. Further testing conditions and limitations of the testing can be found in the appendix of this report.

Mercedes-Benz USA, LLC | Observations
Observations
The following table gives an overview of our observations from the security assessment. For detailed
descriptions of each observation, please refer to the Detailed Observations section of this document.
ID Name Area Vulnerability Type Severity Target CISM Ticket

Identified ID
PT-1 Insecure Direct Object Application Security ● High https://lnp- 0044629458
References Security Test Misconfiguration qa.corpinter.net/sit
es/LearnMB
PT-2 Clickjacking Application Security ● Medium https://lnp- n/a
Security Test Misconfiguration qa.corpinter.net/sit
es/LearnMB
PT-3 Information Disclosure Application Security ● Medium https://lnp- n/a
Security Test Misconfiguration qa.corpinter.net/sit
es/LearnMB
PT-4 Weak Password Application Security ● Medium https://lnp- n/a
Complexity Security Test Misconfiguration qa.corpinter.net/sit
es/LearnMB
PT-5 Security Application Security ● Medium https://lnp- n/a
Misconfiguration Security Test Misconfiguration qa.corpinter.net/sit
es/LearnMB
PT-6 Information Disclosure Application Security ● Medium https://lnp- n/a
in Error Messages Security Test Misconfiguration qa.corpinter.net/sit
es/LearnMB
PT-7 Cacheable HTTPS Application Security ● Medium https://lnp- n/a
Response Security Test Misconfiguration qa.corpinter.net/sit
es/LearnMB
Table 2: Observations of the assessment

Mercedes-Benz USA, LLC | Observations
For further details and a more technical description of our observations and our recommendations, please refer
to the Detailed Observations section of this document.
Hamburg, September 3, 2018
Deloitte GmbH
Wirtschaftsprüfungsgesellschaft
Peter J. Wirnsperger ppa. Thilo Bebber

(Partner) (Senior Manager)

Mercedes-Benz USA, LLC | Detailed Observations
Detailed Observations
The following pages contain the detailed observations

PT-1: Insecure Direct Object References

Target(s) Vulnerability Security Misconfiguration Base Score 7.5
Type
https://lnp- Severity ● High
qa.corpinter.net/sites/LearnMB
Base Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
The web application had insecure object references. This means that we were able to bypass authorization and
access resources in the system directly by specific input. In this example we accessed a PDF and PPTX file via
an unauthorized request. The following request-response pairs demonstrates the issue.
Request:
GET /file_source/LearnMB/DigitalAssets/2015/Coaching_for_HighPerformance_Factsheet.pdf
HTTP/1.1
Host: lnp-qa.corpinter.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Range: bytes=0-65535
Cookie: BIGipServerCMS.pool.autohaus-qa=2122653237.20736.0000
Response:
HTTP/1.1 206 Partial Content

Date: Wed, 22 Aug 2018 14:40:23 GMT
Last-Modified: Thu, 08 Dec 2016 23:12:00 GMT
ETag: "4e11179-234f4-5432dc3bbb000"
Accept-Ranges: bytes
Content-Length: 65536
srvrname: qbgn12
Content-Range: bytes 0-65535/144628
Connection: close
Content-Type: application/pdf
%PDF-1.5
%âãÏÓ
---Truncated---
We found the following documents by exploiting this issue. However, we emphasize, these are just examples,
and the problem should be handled generally.
 https://lnp-
qa.corpinter.net/file_source/LearnMB/DigitalAssets/2015/Coaching_for_HighPerformance_Factsheet.pdf
 https://lnp-
qa.corpinter.net/file_source/LearnMB/DigitalAssets/2015/Communicating_Effectively_Worksheet.pptx

The following screenshot shows the PDF which was accessed without authentication.
Figure 2: Unauthorized access to a PDF file in browser via insecure direct object reference
Impact
Successful exploitation could allow an attacker to access restricted system resources. In this case attackers can
access study materials that were meant for Daimler professionals only.
Likelihood
An unauthenticated attacker can access restricted system resources from the Internet via insecure direct object
references. It does not require moderate skills to exploit this vulnerability. For example this could be done by
using an URL fuzzer. An attacker hovewer needs to have knowledge about file naming conventions used by
Daimler.
Recommendation
We recommend Daimler to implement proper authentication and authorization methods to restrict access to
sensitive system resources.
Reference
n/a

PT-2: Clickjacking
Type
https://lnp- Severity ● Medium
Base Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Description
We found that the application was not protected from Clickjacking attacks. This attack also known as “UI
redressing attack”. During a Clickjacking attack the original content is loaded into a hidden iframe that makes it
invisible for the users. When the user is clicking on the visible layer actually he is performing actions on the
application. As a proof of concept, we were able to embed the application webpage into another website, by
loading in an iframe on a foreign website. As the following screenshot shows that the login page was embedded
to a foreign site and it remained fully functional:
Figure 3: Clickjacking proof
Impact
An attacker might be able to access sensitive information (e.g. account credentials) and perform actions in the
application by convincing a logged in user.
Likelihood
An attacker requires network level access to the web application. Limited technical skills required to perform a
successful attack.
Recommendation
We recommend using the Content Security Policy (CSP) HTTP header with frame-ancestors directive to prevent
“Clickjacking” attacks. However, we note that older versions of the Internet Explorer than IE 15 does not

supports CSP header correctly. Therefore, we also recommend to set the “X-Frame-Options” HTTP header with
SAMEORIGIN or DENY value as an additional layer of security.
Additionally, this attack could be mitigated by implementing client-side (e.g. JavaScript) based countermeasure
in place.
Reference
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

PT-3: Information Disclosure

Type
Base Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description
We found that the server disclosed the deployment system version information in the HTTP responses, as the
following HTTP response demonstrate:
Request:
POST /sumtotal/app/management/LMS_PwdChange.aspx?internal=1 HTTP/1.1

Referer: https://lnp-qa.corpinter.net/sumtotal/app/management/LMS_PwdChange.aspx?internal=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 128
Cookie
…
Connection: close
oldPwd=W********8&newPwd=d********5&verifyPwd=d*******5&LoginAs=3&UserMode=0&Mode=0&Stage=2&r
u=&isFromProfPage=0&g_iInternal=1
Response:
HTTP/1.1 200 OK
Date: Wed, 22 Aug 2018 09:19:49 GMT
Server: Microsoft-IIS/7.5
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Wed, 22 Aug 2018 09:18:49 GMT
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Set-Cookie:
SUMTOTALAUTH=%24SumT75CNG%2bXcx%2fR3yuTCOnMcyQum34kbi03954%2f3q0cu1uLywscahg1bLnHmSJBlGwVdHiB
4Ff3kTVQ2vUioVWj03H3rfY6uOPBVKJ1JPzbQrMgEPBYuAI4qWbztZuE39vlVtjIJrC7SrxIXEPiOUR7IfPN6HRhfkeKm
hOD%2flxbnAJJnGHZDs%3d; path=/sumtotal
…
Impact
An attacker may gather information about the application and/or its environment that can be used for further
attacks (e.g. version numbers).
Likelihood
Any remote attacker may perform the attack. Limited technical skills are required.
Recommendation
We recommend disabling version information in the server responses.

Reference
n/a

PT-4: Weak Password Complexity

Target(s) Vulnerability Insufficient Patch Management Base Score 5.3
Type
Base Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description
We found that the password complexity used by the application did not meet the security good practices. The
password did not require capital letters and handled numbers as special characters. The following request-
response pairs demonstrates the issue.
Request:
POST /sumtotal/app/management/LMS_PwdChange.aspx?internal=1 HTTP/1.1

Referer: https://lnp-qa.corpinter.net/sumtotal/app/management/LMS_PwdChange.aspx?internal=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 128
Cookie
…
Connection: close
oldPwd=W********8&newPwd=dtest12345&verifyPwd=dtest12345&LoginAs=3&UserMode=0&Mode=0&Stage=2&
ru=&isFromProfPage=0&g_iInternal=1
Response:
HTTP/1.1 200 OK
Date: Wed, 22 Aug 2018 09:19:49 GMT
Server: Microsoft-IIS/7.5
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Wed, 22 Aug 2018 09:18:49 GMT
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Set-Cookie:
SUMTOTALAUTH=%24SumT75CNG%2bXcx%2fR3yuTCOnMcyQum34kbi03954%2f3q0cu1uLywscahg1bLnHmSJBlGwVdHiB
4Ff3kTVQ2vUioVWj03H3rfY6uOPBVKJ1JPzbQrMgEPBYuAI4qWbztZuE39vlVtjIJrC7SrxIXEPiOUR7IfPN6HRhfkeKm
hOD%2flxbnAJJnGHZDs%3d; path=/sumtotal
…

Figure 4: Weak password complexity
Impact
An attacker might be able to guess or brute-force user accounts with weak passwords and gain unauthorized
access to sensitive data or launch further attacks. The risk was increased by the fact that no brute-force
protection was implemented.
Likelihood
An attacker may succeed with a dictionary based or brute-force attack against user passwords.
Recommendation
The recommended password complexity depends on the password storage mechanism that can be
selected/implemented in the application. Make sure that a strong hashing algorithm (such as: Blowfish,
SHA256, SHA512, Oracle S type, etc.) with password salt, or a password stretching algorithm (such as:
PBKDF2, scrypt, bcrypt) is used for password storage. If such strong password storage mechanisms are not
available in the system, consider using an external authenticator service that can provide strong password
storage.
We recommend implementing a password policy that ensures the following:
 Length: The minimum length of passwords shall be 8 characters or more. If the password
storage mechanism has known weaknesses and cannot be changed, the minimum length of
passwords shall be 12 characters or more.

Complexity: Passwords shall contain characters from at least three of the four primary
categories: uppercase letters, lowercase letters, numbers, and characters. If a password
stretching algorithm is used for password storage, then this requirement is not applicable.
 Dictionary and composition rules: Passwords shall not be based on values known to be
commonly-used, expected, or compromised, such as:
o Context specific words, such as the name of the company, project, or service, the
username or parts of the user’s real name, and derivatives thereof
o Passwords obtained from previous breach corpuses
o Dictionary words
o Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
o The best practice is using random generated passwords of at least 14 characters in
length.
Reference
NIST Special Publication 800-63B Digital Identity Guidelines
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf - Section 5.1.1

PT-5: Security Misconfiguration

Type
qa.corpinter.net/sites/LearnMB Base Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description
The application did not set the “Content-Security-Policy” HTTP header. When this header is properly set, the
application is able to control and extend the browser security settings. Failure to properly configure this setting
leaves the application vulnerable to various attacks. For example, the page can be embedded into other sites,
by loading in an iframe on a foreign website. Furthermore, the application will not be able to detect policy
violations and enforce proper security policy. As a result, the application is vulnerable against “Clickjacking”
attacks (please see PT-2 part of this document). Moreover, the application did not set the “X-Frame-Options”
HTTP header. This header is able to control whether the page can be embedded in to other sites (e.g. It is
loaded to a foreign iframe). Because some browsers have not been fully support Content-Security-Policy yet,
without this header the application is vulnerable against the “Clickjacking” attack (please see PT-2 part of this
document).
The application did not set the “Strict-Transport-Security” header either. When this header is set the browser is
informed that the site and the application can be accessed only via encrypted HTTPS protocol. If the user tries
to visit the page via HTTP protocol (because of a Man-in-the-Middle attack for example), the browser
automatically falls back to HTTPS protocol. At the same time when “Strict-Transport-Security” header is set, the
browser does not allow the user to accept invalid SSL certificates.
The application did not set the “X-Content-Type-Options” header. This is an IE- and Chrome-specific header
which can protect against the so called MIME content-sniffing attacks. Content sniffing is a method used by the
browsers to determine the “real” content type of a response by looking at the content itself, instead of content-
type value of the response header. When “X-Content-Type-Options: nosniff“ is set, the browser uses the
“Content-Type” header only to determine the MIME type.
Impact
Without the “Content-Security-Policy” header an attacker might be able to access sensitive information or
perform actions in the application by using “Clickjacking” or Cross-Site Scripting (XSS) attacks and these
attacks might remain undetected. During a “Clickjacking” attack the original page is embedded into a malicious
page controlled by the attacker. The original content is loaded into a hidden iframe that makes it invisible for
the users. When the user is clicking on the visible layer actually he is performing actions on the application.
Furthermore, without the “X-Frame-Options” header, the application is not fully protected from “Clickjacking”
attacks.
If the HTTPS communication is not enforced by the “Strict-Transport-Security” header, an attacker might be
able to change the HTTPS links in the network traffic to cleartext HTTP links during a MITM attack and make the
user to use cleartext communication channel. At the same time an attacker may carry out SSL MITM against the
users, but the “Strict-Transport-Security” header makes it impossible for the users to accept the attacker’s
invalid certificates.
Without the “X-Content-Type-Options” header, if the response contains an unknown MIME type for the browser,
then some browsers try to interpret its content. If an attacker is able to inject his malicious code (e.g. HTML,
JavaScript) into the response, when the browser “sniffs” the content, it will identify it as “text/html” and run the
malicious payload. The risk is lowered by the fact that these kind of attacks works with only limited number of
browsers (e.g. Internet Explorer).

Likelihood
The missing “Content-Security-Policy” and “X-Frame-Options” HTTP headers can be exploited by anyone on the
internet by embedding the page into a malicious site or by performing Cross-Site-Scripting (XSS) attacks. Little
technical skills are required to perform a “Clickjacking” and XSS attacks.
The missing “Strict-Transport-Security” header may be exploited by an attacker performing a MITM attack. This
requires advanced technical skills and access to the network between the client and the server.
The missing “X-Content-Type-Options” header could be exploited by an attacker who is able to inject malicious
code into the network traffic. This attack requires advanced technical skills.
Recommendation
We recommend setting the “Strict-Transport-Security” header in order to mitigate the risk of Man-in-the-Middle
(MitM) attacks. We also recommend using the Content Security Policy (CSP) Level 2
(http://www.w3.org/TR/CSP2/) HTTP header by considering the following security decisions:
 Using with frame-ancestors directive to prevent “Clickjacking” attacks. However, we note that
older versions of the Internet Explorer than IE 15 does not supports CSP header correctly.
Therefore, we also recommend to set the “X-Frame-Options” HTTP header with “SAMEORIGIN”
or “DENY” value as an additional layer of security.
 Using the default-src directive set to none and allow those sites, which are necessary for the
application functionality (white-list based approach).
 Use the script-src directive to mitigate the Cross-Site Scripting (XSS) attacks.
We also recommend setting the “X-Content-Type-Options” to “nosniff” at the web server side. We note that
Flash ignores the “Content-Type” header. Moreover, we note that limited number of browsers support this
header.
References
https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet

PT-6: Information Disclosure in Error Messages

Type
Base Vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
We found that the application sent back error messages to the client, which sometimes contains valuable
information for an attacker. For example such a response contained information about the used CMS
framework, Vignette (now OpenText Web Experience Management):
Request:
GET /sites/LearnMB/TEST HTTP/1.1

Cookie:
…
Connection: close
If-None-Match: "2fdb9222-79e5-445a-8df0-6071226a1cca"
Response:
HTTP/1.1 200 OK
Date: Wed, 22 Aug 2018 12:14:30 GMT
X-Powered-By: Servlet/3.0
Last-Modified: Wed, 22 Aug 2018 12:14:30 GMT
ETag: "a76a5bdb-3540-4c1d-9a22-550bcbf14d9a"
Vary: *
Content-Length: 644
srvrname: bgn12_88, qbgn12
Content-Type: text/html
Content-Language: en-US
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
---Truncated---
</html>
]]>
Impact
An attacker may gather information about the application and/or its environment that can be used for further
attacks (e.g. version numbers).
Verbose error messages may contain information which can provide an insight into the application internal
architecture, the applied software components, the developer’s variable nomenclature scheme etc. As a result,
they could help an attacker in formulating further attacks.

Likelihood
Any remote attacker may perform the attack. Limited technical skills are required.
An authenticated/unauthenticated attacker may generate error messages, which may contain sensitive
information (e.g. server version, debug data, logged in users, password hashes).
Recommendation
We recommend using standard error messages without exposing any details about the application and the
deployment system.
The application should use custom error pages for HTTP error codes (e.g. HTTP 404, HTTP 403, and HTTP 500)
and should display standardized error messages in case of application errors as well. Detailed error messages
should be logged at server side.
Reference
n/a

PT-7: Cacheable HTTPS Response

Type
Base Vector CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description
We found that browsers were not prohibited from caching sensitive information returned by the web server.
The following screenshot shows the sensitive data cached by the browser:
Figure 5: Cacheable HTTPS response as seen in browser cache
Impact
Storing sensitive data in the local cache could lead to other users with physical access to the same computer
retrieving this sensitive information.
Likelihood
An attacker needs physical access to the client’s computer to gain access to sensitive cached data. Moderate
technical skills are required to perform an attack.
Recommendation
We recommend setting the application to return caching directives instructing browsers not to store local copies
of any sensitive data, by setting the following HTTP response headers:
Cache-Control: no-store, no-cache

Pragma: no-cache
The above mentioned HTTP response headers should be set for all user-related data and confidential content.
Reference
n/a

Mercedes-Benz USA, LLC | Appendix A – Detailed Scope
Appendix A – Detailed Scope

The detailed scope of this security assessment was the following:
Target Assessment Approach Environment Name and Version

Testing Type
141.113.146.26 Web Grey-Box Testing (QA) The Learning Link (ID: APP-6552)
https://lnp-
Table 3: Detailed Scope of the assessment
The following test users and assigned roles were provided:
User Role
MB1052783 Normal user
MB1074177 Content administrator
Table 4: Provided Test User Accounts

Mercedes-Benz USA, LLC | Appendix B - Methodology
Appendix B - Methodology
Deloitte has developed its own penetration testing methodology inspired by the OWASP, WASC and OSSTM
standards and has it customized in order to deliver a consistent and high-quality service. This methodology
follows the steps described below, and is regularly updated based on new attack techniques and vulnerabilities
that are discovered. More details on the specific security assessment activities performed during our
engagement can be found in our proposal.
Figure 6: Deloitte's Security Assessment Services Methodology
While conducting an application penetration test we have applied the Deloitte testing methodology, which is
aligned with the BSI and NIST recommendation for penetration as stated in the offer. For the project we have
performed all typical tests outlined in the OWASP Testing Guide (Version 4) including but not limited to:
 Configuration and Deployment Management Testing

 Identity Management Testing
 Authentication and Authorization Testing
 Testing of the Session Management
 Input Validation Testing
 Testing for Error Handling
 Testing for weak Cryptography
 Business Logic Testing and Client Side Testing

Mercedes-Benz USA, LLC | Appendix C – Testing Conditions and Limitation
Appendix C – Testing Conditions

and Limitation
Deloitte’s consultants work under limitations of time and scope that may not apply to the activities of a
malicious user or an attacker. They also work at a specific point in time, in an environment where both the
systems tested and the threat profiles are dynamically evolving. It is therefore possible that vulnerabilities
exist, or will arise, that were not identified during the test.
Deloitte’s observations are representative of the environment in scope at the time of the test. If the
environment is modified through changes in configuration, installed software packages, or application code,
then additional vulnerabilities may be introduced that the test did not identify.
The test was limited to a reasonable efforts basis and limited sample functionality on what could be achieved
within the requested test window; hence, there may be vulnerabilities that were not identified during the test.
Likewise, vulnerabilities that have been identified above may be present in other parts of the environment than
those noted.
During the test, we did not perform several tests for the following reasons:
 Denial of Service (“DoS”) exploitation, physical security and social engineering;

 Any other test not explicitly defined in the services or scope.
 Business partner systems or transmission security within any service provider’s network.

Mercedes-Benz USA, LLC | Appendix D – Severity
Appendix D – Severity
This legend describes the attributes of the findings discussed in this report.
The presented results are based on the output of the applied software tools, common vulnerability databases
and our professional experience. Severity scoring is based on associated impact of vulnerability exploitability
and the authorization scope. Common Vulnerability Scoring System (CVSS) is used to calculate the severity of
the vulnerabilities.
CVSS is a free and open industry standard for assessing the severity of the security vulnerabilities. It is
managed by the Forum of Incident Response and Security Teams (https://www.first.org). The current version of
CVSS is version 3.
For all listed findings, Mercedes-Benz USA should perform their own assessment to align their information
security management risk rating methodology. Furthermore, Mercedes-Benz USA should evaluate if and how
the proposed remediation activities should be implemented. An adequate risk rating can only be performed with
internal knowledge of business requirements and organizational processes of the company.
Since new vulnerabilities within operating systems and applications are published on a daily basis, and the
configuration of the systems is subject to frequent changes, the following results can only be based on publicly
available vulnerability information and the configuration of the systems on the date of the tests. This implies
that new vulnerabilities within software products used by Mercedes-Benz USA may have been published in the
meantime, or particular weaknesses may already have been corrected.
Please note that in some instances so called “False Positives” may be listed in the report. This is because we did
not have access to all necessary system or design information. Therefore, all results must be verified in order to
confirm the rating.
The figure below describes the severity metric groups:
Figure 7: CVSS v3.0 Metric Groups
Exploitability Metrics
The metric of the exploitability of a vulnerability is based on the Attack Vector (AV), Attack Complexity (AC),
Privileges Required (PR) and User Interaction. A finding’s exploitability is classified as follows:

Attack Vector (AV)

This metric reflects the context by which vulnerability exploitation is possible. There are four metric values to
calculate the attack vector:
 Network (N): Non-restricted network layer access requires exploiting the vulnerability. Network is bound to
the network stack and the access path goes through network layer.
 Adjacent (A): Adjacent network access requires exploiting the vulnerability. Same local IP subnets, shared
platforms or other logical connected networks are considered as adjacent network.
 Local (L): Local access requires exploiting the vulnerability. The vulnerability is not bounded to the network
stack.
 Physical (P): Physical access requires exploiting the vulnerability.
Attack Complexity (AC)

This metric describes the conditions beyond the attacker's control that must exist in order to exploit the
vulnerability. There are two metric values to calculate attack complexity:
 Low (L): Vulnerabilities that are repeatable and require no specific conditions are considered as low.
 High (H): Vulnerabilities that are not easy to exploit and requires some measurable amount of effort to
exploit are considered as high.
Privileges Required (PR)

This metric describes the level of privileges an attacker must possess before successfully exploiting the
vulnerability. There are three metric values to calculate privileges required:
 None (N): There is no need to privilege requires to access the target, user accounts or specific conditions to
exploit vulnerabilities.
 Low (L): There is need to some privilege to network the target, low-level user accounts or defined specific
conditions to exploit the vulnerabilities.
 High (H): There is need to privilege access to the target, administrative accounts or other specific conditions
that are required significant privilege.
User Interaction (UI)

This metric captures the requirement for a user, other than the attacker, to participate in the successful
compromise of the vulnerable component. There are two metric values to calculate user interaction:
 None (N): The vulnerable system can be exploited without interaction from any user.
 Required (R): Successful exploitation of this vulnerability requires a user to take some action before the
vulnerability can be exploited.
Authorization Scope (S)

When the vulnerability of a software component governed by one authorization scope is able to affect resources
governed by another authorization scope, a scope change has occurred. There are two metric values to
calculate authorization scope:
Unchanged: Authorization scope is unchanged where vulnerable component and impacted component are the
same.
Changed: Authorization scope is changed where vulnerable component and impacted component are not the
same. With exploitation of the vulnerability, an attacker would have some authorization privilege beside the
scope.
Impact Metrics
The metric of the impact of a vulnerability is based on the confidentiality (C), integrity (I) and accessibility (A).
A finding’s impact is classified as follows:

Confidentiality Impact (C)

This metric measures the impact to the confidentiality of the information resources managed by a software
component due to a successfully exploited vulnerability. There are three metric values to calculate the
confidentiality impact:
 High (H): There is total loss of confidentiality. The disclosed information is considered as serious loss and it
affects the scope directly.
 Low (L): There is some loss of confidentiality. Some restricted information is obtained, but the attacker does
not have control over the application. The disclosed information is not considered as serious loss.
 None (N): There is no loss of confidentiality within the impacted component.
Integrity Impact (I)

This metric measures the impact to integrity of a successfully exploited vulnerability. There are three metric
values to calculate the integrity impact:
 High (H): There is a total loss of integrity or a complete loss of protection. The information is considered as
serious loss and it affects the scope directly.
 Low (L): There is possible the modification of data but the attacker does not have control over the
consequence of a modification. The data modification is not considered as serious impact.
 None (N): There is no loss of integrity within the impacted component.
Availability Impact (A)

This metric measures the impact to the availability of the impacted component resulting from a successfully
exploited vulnerability. There are three metric values to calculate the availability impact:
 High (H): There is total loss of availability, resulting in the attacker being able to fully deny access to
resources in the impacted component.
 Low (L): There is reduced performance or interruptions in resource availability. Even if repeated exploitation
of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate
users.
 None (N): There is no impact to availability within the impacted component.

Mercedes-Benz USA, LLC | Appendix E – List of Tools
Appendix E – List of Tools

Tool Name Short Description Version Information
Burp Suite Professional Intercepting proxy for web vulnerability assessment Version 1.7
Nmap Port Scanner Network port scanner Version 7
Nikto Open Source web server vulnerability scanner Version 2.1.6
Table 5: List of tools used during the assessment

Mercedes-Benz USA, LLC | Appendix E – List of Tools
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a

UK private company limited by guarantee (“DTTL”), its network of
member firms, and their related entities. DTTL and each of its member
firms are legally separate and independent entities. DTTL (also referred
to as “Deloitte Global”) does not provide services to clients. Please see
www.deloitte.com/de/UeberUns for a more detailed description of DTTL
and its member firms.
Deloitte provides audit, risk advisory, tax, financial advisory and

consulting services to public and private clients spanning multiple
industries; legal advisory services in Germany are provided by Deloitte
Legal. With a globally connected network of member firms in more than
150 countries, Deloitte brings world-class capabilities and high-quality
service to clients, delivering the insights they need to address their most
complex business challenges. Deloitte’s more than 244,000 professionals
are committed to making an impact that matters.
This presentation contains general information only not suitable for

addressing the particular circumstances of any individual case and is not
intended to be used as a basis for commercial decisions or decisions of
any other kind. None of Deloitte GmbH Wirtschaftsprüfungsgesellschaft
or Deloitte Touche Tohmatsu Limited, its member firms, or their related
entities (collectively, the “Deloitte network”) is, by means of this
communication, rendering professional advice or services. No entity in
the Deloitte network shall be responsible for any loss whatsoever
sustained by any person who relies on this communication.
© 2018 Deloitte GmbH

App-6552-20180903 Deloitte Epa The Learning Link 123607-040-0500 Report Final

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

App-6552-20180903 Deloitte Epa The Learning Link 123607-040-0500 Report Final

Hochgeladen von

Copyright:

Verfügbare Formate

Mercedes-Benz USA, LLC | Statement of Responsibility

Mercedes-Benz USA, LLC

Private and confidential

The illustrated figure on the left indicates the security posture of

Figure 1: Overall Security State

Key observations and recommendations

01 The Learning Link - ID: APP-6552 - CONFIDENTIAL

02 The Learning Link - ID: APP-6552 - CONFIDENTIAL

ID Name Area Vulnerability Type Severity Target CISM Ticket

03 The Learning Link - ID: APP-6552 - CONFIDENTIAL

Hamburg, September 3, 2018

Peter J. Wirnsperger ppa. Thilo Bebber

04 The Learning Link - ID: APP-6552 - CONFIDENTIAL

05 The Learning Link - ID: APP-6552 - CONFIDENTIAL

PT-1: Insecure Direct Object References

HTTP/1.1 206 Partial Content

06 The Learning Link - ID: APP-6552 - CONFIDENTIAL

07 The Learning Link - ID: APP-6552 - CONFIDENTIAL

Figure 3: Clickjacking proof

08 The Learning Link - ID: APP-6552 - CONFIDENTIAL

09 The Learning Link - ID: APP-6552 - CONFIDENTIAL

PT-3: Information Disclosure

POST /sumtotal/app/management/LMS_PwdChange.aspx?internal=1 HTTP/1.1

10 The Learning Link - ID: APP-6552 - CONFIDENTIAL

11 The Learning Link - ID: APP-6552 - CONFIDENTIAL

PT-4: Weak Password Complexity

POST /sumtotal/app/management/LMS_PwdChange.aspx?internal=1 HTTP/1.1

12 The Learning Link - ID: APP-6552 - CONFIDENTIAL

Figure 4: Weak password complexity

We recommend implementing a password policy that ensures the following:

13 The Learning Link - ID: APP-6552 - CONFIDENTIAL

14 The Learning Link - ID: APP-6552 - CONFIDENTIAL

PT-5: Security Misconfiguration

15 The Learning Link - ID: APP-6552 - CONFIDENTIAL

16 The Learning Link - ID: APP-6552 - CONFIDENTIAL

PT-6: Information Disclosure in Error Messages

GET /sites/LearnMB/TEST HTTP/1.1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

17 The Learning Link - ID: APP-6552 - CONFIDENTIAL

18 The Learning Link - ID: APP-6552 - CONFIDENTIAL

PT-7: Cacheable HTTPS Response

Figure 5: Cacheable HTTPS response as seen in browser cache

Cache-Control: no-store, no-cache

19 The Learning Link - ID: APP-6552 - CONFIDENTIAL

Appendix A – Detailed Scope

Target Assessment Approach Environment Name and Version

The following test users and assigned roles were provided:

MB1074177 Content administrator

Table 4: Provided Test User Accounts

20 The Learning Link - ID: APP-6552 - CONFIDENTIAL

Figure 6: Deloitte's Security Assessment Services Methodology

 Configuration and Deployment Management Testing

21 The Learning Link - ID: APP-6552 - CONFIDENTIAL

Appendix C – Testing Conditions

 Denial of Service (“DoS”) exploitation, physical security and social engineering;

22 The Learning Link - ID: APP-6552 - CONFIDENTIAL

The figure below describes the severity metric groups:

Figure 7: CVSS v3.0 Metric Groups

23 The Learning Link - ID: APP-6552 - CONFIDENTIAL

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)