
Yellowfin tackles auth bypass bug trio that opened door to RCE

A trio of authentication bypass bugs stemming from the use of hardcoded keys have been patched in popular enterprise analytics platform Yellowfin BI.

After uncovering the pre-authentication vulnerabilities, security researchers from Assetnote then found a post-authentication path to command execution.

The flaws, which were discovered by Assetnote’s Max Garrett, have been assigned CVE numbers but not, as yet, CVSS scores.

Bypasses

The issues were discovered by tracing each instance of the application's authentication logic, identifiable in the source by the call session.setAttribute("SessionData", BEAN) that establishes a logged-in session.

One authentication bypass (CVE-2022-47884) arose because com/hof/mi/web/action/StoryBodyAction.java contained “logic where StoryBoardAction allowed us to sign in as any user, as long as a signature check was passed”, according to a blog post published by Garrett and Assetnote CTO and co-founder Shubham Shah yesterday (January 24). The hardcoded private RSA key meant anyone could pass the signature check.

A second bypass, found in the JsAPI servlet, let attackers authenticate through the EXTAPI-IPID cookie, which carried the target user's id AES-encrypted under a hardcoded key (CVE-2022-47885).

“So it is possible for anyone who knows the victim’s user id to create a valid session as their account,” explained the blog post.

The third and final bypass (CVE-2022-47882) centered on Yellowfin’s suboptimal implementation of JWTs inside the REST API.

A valid refresh token id plus the extracted hardcoded key were enough to mint a valid JWT for any user. The impact was limited to privilege escalation, however, because a refresh token id can only be obtained from a successful login to /api/refresh-tokens.
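The JWT weakness above, and the cookie bypass before it, share one root cause: the server checks a signature or ciphertext with a key that ships inside the product, so anyone who has read the source can produce credentials the check accepts. The following is an added illustration, not Yellowfin's or Assetnote's code. It models a small HS256-signed REST API that, like the one described, also requires the token to name a refresh-token id the server issued, and shows why that second check only narrows the impact to privilege escalation. The key bytes, user ids and claim names are constructed for the demo; the hardened variant (per-deployment key, refresh id bound to the account it was issued to) is the editor's suggestion, not a description of the 9.8.1 fix.

```python
"""Why a hardcoded signing key defeats token authentication (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Sign claims as an HS256 JWT. Anyone holding `key` can call this."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


class VulnerableApi:
    """Key compiled into the application: identical on every installation."""

    HARDCODED_KEY = b"constructed-hardcoded-demo-key"  # placeholder, not a real key

    def __init__(self):
        self.key = self.HARDCODED_KEY
        self.refresh_tokens = {}  # refresh-token id -> user id that logged in

    def login(self, user_id: int) -> str:
        """A successful login (the /api/refresh-tokens step) hands out a refresh id."""
        rid = secrets.token_hex(8)
        self.refresh_tokens[rid] = user_id
        return rid

    def issue(self, user_id: int, rid: str) -> str:
        return mint_jwt({"sub": user_id, "rid": rid, "exp": int(time.time()) + 3600}, self.key)

    def verify(self, token: str):
        """Return the authenticated user id, or None if the token is rejected."""
        try:
            header, body, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
        if claims.get("exp", 0) < time.time():
            return None
        # Pattern from the article: the refresh id only has to exist; in this
        # model it is not tied to the user named in the token.
        if claims.get("rid") not in self.refresh_tokens:
            return None
        return claims["sub"]


class HardenedApi(VulnerableApi):
    """Per-deployment secret, and the refresh id must belong to the token's user."""

    def __init__(self, key=None):
        super().__init__()
        # In production this comes from a secrets store or environment; a fresh
        # random key stands in for "generated at install time, never in the jar".
        self.key = key or secrets.token_bytes(32)

    def verify(self, token: str):
        sub = super().verify(token)
        if sub is None:
            return None
        claims = json.loads(b64url_decode(token.split(".")[1]))
        # Refuse a token whose refresh id was issued to a different account.
        return sub if self.refresh_tokens.get(claims["rid"]) == sub else None


def forge(user_id: int, rid: str, key: bytes) -> str:
    """What an attacker with the source (hence the key) and any refresh id can do."""
    return mint_jwt({"sub": user_id, "rid": rid, "exp": int(time.time()) + 3600}, key)


def demo() -> dict:
    vuln = VulnerableApi()
    rid = vuln.login(42)                                 # low-privilege account
    forged = forge(1, rid, VulnerableApi.HARDCODED_KEY)  # claim to be user 1 (admin)
    hard = HardenedApi()
    rid2 = hard.login(42)
    return {
        "vulnerable_accepts_forged_admin": vuln.verify(forged),
        "hardened_rejects_hardcoded_key": hard.verify(forge(1, rid2, VulnerableApi.HARDCODED_KEY)),
        "hardened_rejects_unbound_rid": hard.verify(forge(1, rid2, hard.key)),
        "hardened_accepts_legit": hard.verify(hard.issue(42, rid2)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Against the vulnerable model, a token forged for user 1 with a refresh id obtained by logging in as user 42 is accepted, which is exactly the privilege escalation the researchers describe. Rotating the key per deployment stops anyone who only has the source; binding the refresh id to its owner is defence in depth for the case where the key leaks anyway.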

Having bypassed authentication, attackers could chain a fourth bug, CVE-2022-47883, to achieve remote code execution (RCE).

Noting that Yellowfin BI connects to arbitrary, user-configured data sources to pull data into the application, the researchers investigated whether JNDI or JDBC injection might yield command execution. The JNDI route duly proved fruitful via the forceString gadget, the Tomcat BeanFactory trick that turns a JNDI reference into arbitrary method calls on a class already present in the JVM, so it needs no remote class loading and is not blocked by the JNDI hardening in recent JDKs.

Assetnote has published the full proof-of-concept exploit chain on GitHub.

The vulnerabilities have been patched in Yellowfin BI 9.8.1.

Monolith application advice

“In our assessment of enterprise applications, we often find hardcoded keys that lead to significant security impact (for example, our bug in VMware AirWatch),” Shah told The Daily Swig. “Many enterprise products can be difficult to obtain due to qualification and sales processes. However, once the source code has been obtained, there are often many critical vulnerabilities that can be exploited readily and easily.”

Yellowfin is a Java monolith application, and Shah and Garrett offered methodological advice to other security researchers hunting in similar codebases: “Map out the pre-authentication attack surface in as much detail as possible,” they said.


“Understand all of the routes, both static and dynamic, and then determine which portion of these routes are actually accessible without any authentication.”

After mapping pre-authentication routes, “determine how user input is processed by these routes and understand which routes take in what user input”, they continued. This will uncover issues warranting further investigation “simply based off the names of the controllers or parameters”.
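The procedure the researchers describe (enumerate routes, separate out those reachable without authentication, then read how those routes handle input) can be started mechanically for a servlet-based Java monolith. The script below is an added example, not Assetnote's tooling or Yellowfin code. It reads a constructed web.xml, lists every servlet mapping that no container security-constraint protects, and then greps a constructed Java snippet for the two things the article says were worth reading first: the session.setAttribute("SessionData", ...) call that marks where a session is established, and string constants or PEM blocks that look like hardcoded key material. Servlet and class names are made up. Container constraints are only one place authentication can live (filters and framework interceptors are others), so the route list is a triage starting point, not a verdict.

```python
"""Map pre-auth routes from web.xml and locate auth sinks in source (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor; not taken from any real product.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>JsAPI</servlet-name><servlet-class>com.example.JsApiServlet</servlet-class></servlet>
  <servlet><servlet-name>Admin</servlet-name><servlet-class>com.example.AdminServlet</servlet-class></servlet>
  <servlet><servlet-name>Logon</servlet-name><servlet-class>com.example.LogonServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>JsAPI</servlet-name><url-pattern>/JsAPI</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Admin</servlet-name><url-pattern>/admin/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Logon</servlet-name><url-pattern>/logon.i4</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed Java snippet showing the two sink kinds we search for.
SAMPLE_JAVA = """\
public class JsApiServlet extends HttpServlet {
    private static final String AES_KEY = "constructed-placeholder";
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
        SecretKeySpec spec = new SecretKeySpec(AES_KEY.getBytes(), "AES");
        SessionBean bean = lookupUser(decrypt(spec, req.getCookies()));
        req.getSession().setAttribute("SessionData", bean);
    }
}
"""


def _strip_ns(root):
    """Drop XML namespaces so we can address elements by bare tag name."""
    for el in root.iter():
        if isinstance(el.tag, str):
            el.tag = el.tag.split("}", 1)[-1]
    return root


def pattern_covers(constraint: str, route: str) -> bool:
    """Servlet-spec matching: exact, path prefix (/x/*) or extension (*.ext)."""
    if constraint == route or constraint == "/*":
        return True
    if constraint.endswith("/*"):
        prefix = constraint[:-2]
        return route == prefix or route.startswith(prefix + "/")
    if constraint.startswith("*."):
        return route.endswith(constraint[1:])
    return False


def unauthenticated_routes(web_xml: str):
    """Return (servlet-class, url-pattern) pairs that no auth-constraint protects."""
    root = _strip_ns(ET.fromstring(web_xml))
    classes = {s.findtext("servlet-name"): s.findtext("servlet-class") for s in root.findall("servlet")}
    protected = [
        p.text
        for sc in root.findall("security-constraint")
        if sc.find("auth-constraint") is not None
        for p in sc.findall("web-resource-collection/url-pattern")
    ]
    routes = []
    for m in root.findall("servlet-mapping"):
        url = m.findtext("url-pattern")
        if not any(pattern_covers(c, url) for c in protected):
            routes.append((classes.get(m.findtext("servlet-name")), url))
    return routes


# Code locations worth reading first once the unauthenticated routes are known.
SINKS = {
    "session-established": re.compile(r'setAttribute\(\s*"SessionData"'),
    "hardcoded-key-constant": re.compile(r'static\s+final\s+\w+\s+\w*(?:KEY|SECRET)\w*\s*=\s*"'),
    "pem-private-key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


def find_auth_sinks(java_source: str):
    """Return (line number, sink kind, stripped line) for every matching line."""
    hits = []
    for no, line in enumerate(java_source.splitlines(), 1):
        for kind, rx in SINKS.items():
            if rx.search(line):
                hits.append((no, kind, line.strip()))
    return hits


if __name__ == "__main__":
    for cls, url in unauthenticated_routes(SAMPLE_WEB_XML):
        print(f"pre-auth route {url} -> {cls}")
    for no, kind, line in find_auth_sinks(SAMPLE_JAVA):
        print(f"line {no}: {kind}: {line}")
```

Run against the sample, the route pass reports /JsAPI and /logon.i4 as reachable without a container-enforced login while /admin/* is excluded, and the sink pass flags both the key constant and the line that establishes the session. In a real review the next step is to read each flagged handler for how it consumes cookies, parameters and headers, which is the "how user input is processed" stage the researchers describe.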


Source: https://portswigger.net/daily-swig/yellowfin-tackles-auth-bypass-bug-trio-that-opened-door-to-rce
