CVE-2021- 41528: Flexera / RISC Networks — Vulnerable Authorization Schema

Description

CVE-2021- 41528 describes functionality within the Flexera RISK Network portal that was vulnerable to unauthorized access. This was found to be systemic as the application widely relied on client-side checks rather than client and server-side checks. Unlike Authentication, which confirms an identity, Authorization confirms an authenticated identity is authorized to access what is being requested. Note, Flexera was notified, and has since applied an official fix for this vulnerability.

In one example sensitive information was stored in the browsers Local Storage (localStorage). localStorage allows applications to save key/value pairs in the browser. After authenticating to the application, the user’s access control list was stored in localStorage in JSON format. A user with only “read” privileges could modify the localStorage JSON values, and gain unauthorized access to functionality that previously returned “unauthorized” type errors. This can be seen in Attack Scenario 1 below.

Other client-side only access controls were identified in the API, JavaScript files, and in the HTML source (CVE-2021–41527). Although localStorage can easily be edited by an attacker, the access controls returned in requested responses required a proxy to modify the response body. This can be achieved using tools such as Portswigger’s Proxy> Match and Replace, and seen in Attack Scenario 2 below.

Severity

CVSS v3.1 Vector (High): AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C

Authorization Attack Scenario 1

The first attack scenario will show modifying the access controls stored in localStorage to gain unauthorized access to the “Stack Tags” functions. Note, the following is a sample of what was identified.

The first figure shows attempting to access the “Stacked Tags” function using Forced Browsing, but a permissions error is returned as intended.

Unauthorized Permission Message — Intended Result

The next figure shows accessing the browsers localStorage, and recovering the ‘USER_PERMISSIONS’ key/value pair.

User Permissions in Client-Side Local Storage

Next, the localStorage value is parsed, and all the “read” permissions are replaced with “read”,”write”. This can be seen in the following two figures:

Read Only Permissions
Updated to Read, Write

The localStorage ‘USER_PERMISSIONS’ value is updated in the browser with the new “read”,”write” values, the page is refreshed, and unauthorized access to the “Stack Tags” achieved.

Unauthorized Access

The final figure for this attack scenario is an unauthorized download of an error report from the same page:

Unauthorized Download

Authorization Attack Scenario 2

Similar to Attack Scenario 1, some access controls returned by APIs were processed client-side.

The following two figures are an example of an API call, and the permissions returned to the client. Note, the assessment and session values have been removed.

Request:

GET /api/user-access/groups?assessment=[base64] HTTP/1.1
Host: portal.riscnetworks.com
Cookie: PHPSESSID=x; AWSELB=x; AWSELBCORS=x; fingerprint=x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Referer: https://portal.riscnetworks.com/app/user-access/
Connection: close

Response:
HTTP/1.1 200 OK
Date: Wed, 06 Oct 2021 21:25:52 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: application/json
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 365
Connection: close
{“success”:true,”result”:{“status”:”success”,”meta”:null,”result”:[{“id”:2,”title”:”read only”,”permission”:{“appliance”:[“read”],”cloudcost”:[“read”],”stack”:[“read”],”query”:[“read”],”rule”:[“read”],”scorecard”:[“read”],”assessment”:[“read”],”license”:[“read”],”migration”:[“read”],”location”:[“read”],”tag”:[“read”],”export”:[“read”],”user”:[“write”,”read”]}}]}}

Rather than changing the values in localStorage, Burp Proxy is used to force “write”,”read” responses, and the application provides additional unauthorized access to application functionality. The full depth and attack scenario was not documented here as previous unauthorized access was already achieved. To see Burp Proxy match/replace in action with more detail, see CVE-2021- 41527: Flexera — Multi Factor Authentication (MFA) Bypass.

Burp> Proxy> Options > Match and Replace

References

Common Vulnerability Scoring System Calculator:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C/CR:M/IR:X/AR:X/MAV:N/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:L/MA:N&version=3.1

PortSwigger — Burp: https://portswigger.net/burp/documentation/desktop/tools/proxy

Flexera’s RISC Platform Advisory: https://community.flexera.com/t5/Foundation-CloudScape-Release/RISC-Platform-Security-Related-Fixes/ba-p/224887

NIST-NVD:
https://nvd.nist.gov/vuln/detail/CVE-2021-41528

--

--

--

Robert Gilbert is an Information Security professional that specializes in Offensive Security, and has over 20 years experience in Information Systems.

Love podcasts or audiobooks? Learn on the go with our new app.

Account Takeover on Mobile Apps

Let’s Parley Voo: A double scoop of awesome goodness for you

The failure of current digital identity management: 1 challenge, many solutions

The End Of Passwords As We Know It

{UPDATE} Fruit Link Fever Hack Free Resources Generator

How to Enhance Consumer Experience in Insurance Companies with CIAM

Datamine Lock-to-Mint Smart Contract Platform.

Big Zaddy Crypto — The new Official IRON protocol lead dev of Titan and IRON dao innovation and…

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Robert Gilbert

Robert Gilbert

Robert Gilbert is an Information Security professional that specializes in Offensive Security, and has over 20 years experience in Information Systems.

More from Medium

CVE-2012–6342: Atlassian Confluence — Cross-Site Request Forgery (CSRF)

The Bucket’s Got a Hole in it

How to register and publish a Common Vulnerabilities and Exposures (CVE)

HTTP Request Smuggling on business.apple.com and Others.