CVE-2021-41528: Flexera / RISC Networks — Vulnerable Authorization Schema
Description
CVE-2021-41528 describes functionality within the Flexera RISC Networks portal that was vulnerable to unauthorized access. The issue was systemic: the application widely relied on client-side checks alone rather than enforcing them on both the client and the server. Unlike authentication, which confirms an identity, authorization confirms that an authenticated identity is allowed to access what is being requested. Note, Flexera was notified and has since applied an official fix for this vulnerability.
In one example, sensitive information was stored in the browser’s Local Storage (localStorage), which lets applications save key/value pairs in the browser. After authenticating to the application, the user’s access control list was stored in localStorage in JSON format. A user with only “read” privileges could modify the localStorage JSON values and gain unauthorized access to functionality that had previously returned “unauthorized”-type errors. This is shown in Attack Scenario 1 below.
Other client-side-only access controls were identified in the API, in JavaScript files, and in the HTML source (CVE-2021-41527). Although localStorage can easily be edited by an attacker, the access controls returned in API responses required an intercepting proxy to modify the response body. This can be achieved with tools such as PortSwigger’s Burp Proxy (Match and Replace), and is shown in Attack Scenario 2 below.
Severity
Authorization Attack Scenario 1
The first attack scenario shows how modifying the access controls stored in localStorage gains unauthorized access to the “Stack Tags” functions. Note, the following is a sample of what was identified.
The first figure shows an attempt to access the “Stack Tags” function using forced browsing; a permissions error is returned, as intended.
The next figure shows accessing the browser’s localStorage and recovering the ‘USER_PERMISSIONS’ key/value pair.
Next, the localStorage value is parsed, and all the “read” permissions are replaced with “read”,“write”. This can be seen in the following two figures:
The localStorage ‘USER_PERMISSIONS’ value is updated in the browser with the new “read”,“write” values, the page is refreshed, and unauthorized access to the “Stack Tags” function is achieved.
The final figure for this attack scenario is an unauthorized download of an error report from the same page:
Authorization Attack Scenario 2
Similar to Attack Scenario 1, some access controls returned by APIs were processed client-side.
The following two figures are an example of an API call, and the permissions returned to the client. Note, the assessment and session values have been removed.
Request:
GET /api/user-access/groups?assessment=[base64] HTTP/1.1
Host: portal.riscnetworks.com
Cookie: PHPSESSID=x; AWSELB=x; AWSELBCORS=x; fingerprint=x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Referer: https://portal.riscnetworks.com/app/user-access/
Connection: close
Response:
HTTP/1.1 200 OK
Date: Wed, 06 Oct 2021 21:25:52 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: application/json
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 365
Connection: close
{"success":true,"result":{"status":"success","meta":null,"result":[{"id":2,"title":"read only","permission":{"appliance":["read"],"cloudcost":["read"],"stack":["read"],"query":["read"],"rule":["read"],"scorecard":["read"],"assessment":["read"],"license":["read"],"migration":["read"],"location":["read"],"tag":["read"],"export":["read"],"user":["write","read"]}}]}}
Rather than changing the values in localStorage, Burp Proxy is used to rewrite the response so that every permission reads “write”,“read”, and the application then exposes additional functionality without authorization. The full depth of this attack scenario was not documented here, as unauthorized access had already been demonstrated. To see Burp Proxy match/replace in action in more detail, see CVE-2021-41527: Flexera — Multi Factor Authentication (MFA) Bypass.
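Both scenarios come down to the same root cause: the server handed the client a permission object and then trusted whatever the client held, whether that copy was edited in localStorage (Scenario 1) or rewritten in transit by a proxy (Scenario 2). The remediation is the same for both: treat the groups response as a UI hint only and re-derive the caller’s permissions from server-side state on every request. The following is an added example (not RISC Networks or Flexera code) that models that check in Python against the exact permission object returned above; the session id, user name and the /api/stack/tags and /api/user/profile routes are constructed for illustration, since the write-up names the “Stack Tags” function but not its API route.

```python
"""Server-side authorization for the permission schema in this write-up.

Added example (not RISC Networks / Flexera code). Whether the client tampers
with USER_PERMISSIONS in localStorage or rewrites the /api/user-access/groups
response in a proxy, a server that re-derives permissions from its own session
store on every request is unaffected. Session ids, user names and the API
routes below are constructed for illustration.
"""
import json

# Group record in the shape returned by /api/user-access/groups above
# (copied from the response body in this write-up: everything is read-only
# except the "user" resource).
READ_ONLY_GROUP = json.loads(
    '{"id":2,"title":"read only","permission":{"appliance":["read"],'
    '"cloudcost":["read"],"stack":["read"],"query":["read"],"rule":["read"],'
    '"scorecard":["read"],"assessment":["read"],"license":["read"],'
    '"migration":["read"],"location":["read"],"tag":["read"],"export":["read"],'
    '"user":["write","read"]}}'
)

# Server-side state (constructed): session cookie -> user, user -> group.
SESSIONS = {"PHPSESSID=c0n5truct3d": "readonly-analyst"}
USER_GROUPS = {"readonly-analyst": READ_ONLY_GROUP}

# Each route declares the (resource, action) it needs. Hypothetical paths:
# the write-up names the "Stack Tags" function but not its API route.
ROUTES = {
    ("GET", "/api/stack/tags"): ("stack", "read"),
    ("POST", "/api/stack/tags"): ("stack", "write"),
    ("POST", "/api/user/profile"): ("user", "write"),
}


def client_side_check(request):
    """Vulnerable pattern: the permission set comes from the client.

    This mirrors what the portal effectively did, since the only check
    consulted the USER_PERMISSIONS blob held in localStorage.
    """
    resource, action = ROUTES[(request["method"], request["path"])]
    claimed = request.get("client_permissions", {})
    return 200 if action in claimed.get(resource, []) else 403


def server_side_check(request):
    """Hardened pattern: identity from the session, permissions from the
    server's own store; any permission claim carried by the request is ignored."""
    user = SESSIONS.get(request.get("cookie"))
    if user is None:
        return 401  # not authenticated
    route = ROUTES.get((request["method"], request["path"]))
    if route is None:
        return 404
    resource, action = route
    granted = USER_GROUPS[user]["permission"].get(resource, [])
    return 200 if action in granted else 403


def tampered_permissions(group):
    """The Scenario 1 edit: every ["read"] entry becomes ["read","write"]."""
    return {res: sorted(set(acts) | {"write"})
            for res, acts in group["permission"].items()}


def demo():
    """Run a read-only user against both checks; returns the status codes."""
    cookie = "PHPSESSID=c0n5truct3d"
    honest = {"method": "POST", "path": "/api/stack/tags", "cookie": cookie,
              "client_permissions": READ_ONLY_GROUP["permission"]}
    forged = dict(honest, client_permissions=tampered_permissions(READ_ONLY_GROUP))
    read = {"method": "GET", "path": "/api/stack/tags", "cookie": cookie}
    return {
        "client_check_honest": client_side_check(honest),  # 403 as designed
        "client_check_forged": client_side_check(forged),  # 200: bypassed
        "server_check_forged": server_side_check(forged),  # 403: claim ignored
        "server_check_read": server_side_check(read),      # 200: read is granted
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:<20} -> {status}")
```

The important design point is that server_side_check never reads a permission value from the request at all: the only inputs it trusts are the session cookie (mapped to a user on the server) and the route table. The groups endpoint can keep returning the permission object so the UI can hide buttons, but hiding a button is not access control, and a Match and Replace rule or a localStorage edit changes nothing the server relies on.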
References
Common Vulnerability Scoring System Calculator:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C/CR:M/IR:X/AR:X/MAV:N/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:L/MA:N&version=3.1
PortSwigger — Burp: https://portswigger.net/burp/documentation/desktop/tools/proxy
Flexera’s RISC Platform Advisory: https://community.flexera.com/t5/Foundation-CloudScape-Release/RISC-Platform-Security-Related-Fixes/ba-p/224887