Three flaws, including pre-auth attack that could expose user credentials, patched in visualization software
UPDATED Security testing firm Bishop Fox has found three vulnerabilities in business intelligence software DigDash Enterprise, including a server-side request forgery (SSRF) flaw.
The SSRF vulnerability, rated high risk, allowed the disclosure of a service password that could enable an attacker to access user credentials stored in the platform's authentication service.
“This authentication service contains information about all users,” Florian Nivette, a managing security associate at Bishop Fox, told The Daily Swig.
“The server-side request forgery is a pre-authentication attack located on the login page - accessible without an account,” he said in an advisory on the Bishop Fox website.
“The SSRF disclosed credentials in use by the application and was used to scan the internal network of the application.”
Turning the application into a proxy
The issue arose because the server could be induced to send an attacker-supplied HTTP request on a user’s behalf, which effectively turned the web application into a proxy: requests could be routed through the application to a destination of the attacker’s choice.
Using this redirected request, service credentials could then be extracted and used to authenticate onto internal services in the DigDash application, according to researchers.
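The two paragraphs above describe the classic SSRF pattern: a server-side fetch whose destination the client controls. The snippet below is an added illustration written for this article, not code from DigDash or from the Bishop Fox advisory. It places the unsafe pattern (pass the supplied URL straight through) next to a hardened outbound-URL check that enforces a scheme and host allowlist, refuses literal IP addresses and embedded credentials, and rejects any host that resolves to a private, loopback, link-local or otherwise non-public address, which is what stops the "scan the internal network" use the researchers describe. The allowlist, the hostnames and the in-memory DNS table are constructed so the example runs offline; `resolve()` is a stand-in for a real lookup.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample allowlist: the only hosts this service is permitted to call.
ALLOWED_HOSTS = {"api.example.com", "partner.example"}

# Constructed, in-memory DNS so the example runs offline. A real deployment
# resolves with the system resolver and must re-check the address that the
# HTTP client actually connects to (otherwise DNS rebinding bypasses the check).
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],      # placeholder public address
    "partner.example": ["169.254.169.254"],    # allowlisted name pointing at a link-local address
    "internal.corp": ["10.0.0.5"],             # internal host, not on the allowlist
}


def resolve(host):
    """Stand-in for a DNS lookup; returns the list of addresses for host."""
    return FAKE_DNS.get(host, [])


def is_public_address(ip_str):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_str)
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_reserved or ip.is_multicast or ip.is_unspecified
    )


def vulnerable_target(url):
    """The SSRF pattern: whatever the client supplied becomes the fetch target."""
    return url


def validate_outbound_url(url):
    """Return (ok, reason) for a client-supplied URL the server is asked to fetch."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL"
    try:
        ipaddress.ip_address(host)  # succeeds only for literal IPv4/IPv6 hosts
        return False, "literal IP address not allowed"
    except ValueError:
        pass
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://api.example.com/health",
        "http://internal.corp/",
        "http://10.0.0.5/",
        "https://partner.example/report",
        "file:///etc/passwd",
    ):
        print(candidate, "->", validate_outbound_url(candidate))
```

The order of the checks matters: the allowlist is consulted before resolution so that an unknown name never triggers a lookup, and the resolved addresses are checked even for allowlisted names, since a name you trust today can be pointed at an internal address tomorrow.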
Bishop Fox also uncovered a medium-risk content injection vulnerability via which an attacker could control the user experience of an application.
DigDash allows users to inject into a JNLP file used to run a local Java application. The security flaw meant an attacker could change the service IP address contained in the JNLP file and force the user to execute a malicious Java-packaged application on his or her computer.
“An attacker could exploit this vulnerability by inserting or modifying the video, audio, images, links, or text displayed to users,” Nivette warned.
“Content injection vulnerabilities in trusted applications are useful for distributing arbitrary content that would appear genuine to users.”
This was “harder to trigger” than the SSRF bug “as it requires that the victim use the JNLP and be able to deliver a Jar file signed and trusted by the client operating system,” Nivette told The Daily Swig. “But if it does, the attacker will have the possibility to execute code on the victim host.”
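The content injection above comes down to a launcher file whose service address is taken from something the client can influence. The following is an added illustration for this article, not DigDash's code or anything from the advisory: a deliberately unsafe JNLP generator that interpolates a request parameter into the `codebase`, beside a hardened generator in which the codebase and jar list come only from server-side configuration and the one client-influenced value (a display title) is emitted as escaped text through an XML serializer. The parameter names, the configured codebase and the crafted request are all constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed server-side configuration: the only codebase the launcher may
# point at. It is never derived from anything in the incoming request.
CONFIGURED_CODEBASE = "https://bi.example.internal/digdash-launcher"


def build_jnlp_vulnerable(params):
    """Unsafe pattern: the 'server' request parameter (constructed name) lands
    directly in the JNLP, so a crafted link decides where the client fetches
    its jar from."""
    return (
        '<jnlp codebase="http://%s/launcher">'
        '<resources><jar href="app.jar"/></resources>'
        '</jnlp>' % params.get("server", "")
    )


def build_jnlp_hardened(params):
    """Codebase and jar list come only from configuration; the only
    client-influenced value is a length-limited title written as element text,
    which the serializer escapes, so it cannot add elements or attributes."""
    jnlp = ET.Element("jnlp", codebase=CONFIGURED_CODEBASE)
    info = ET.SubElement(jnlp, "information")
    title = ET.SubElement(info, "title")
    title.text = params.get("title", "DigDash")[:80]
    resources = ET.SubElement(jnlp, "resources")
    ET.SubElement(resources, "jar", href="app.jar")
    return ET.tostring(jnlp, encoding="unicode")


def launcher_codebase(jnlp_xml):
    """Where a client would fetch the jar from, read back from the document."""
    return ET.fromstring(jnlp_xml).get("codebase")


def jar_hrefs(jnlp_xml):
    """Every jar reference present in the document."""
    return [jar.get("href") for jar in ET.fromstring(jnlp_xml).iter("jar")]


if __name__ == "__main__":
    # Constructed crafted request: points the service address elsewhere and
    # tries to smuggle a second jar element through the title field.
    crafted = {"server": "203.0.113.66", "title": '"><jar href="evil.jar"/>'}
    print("vulnerable codebase:", launcher_codebase(build_jnlp_vulnerable(crafted)))
    print("hardened codebase:  ", launcher_codebase(build_jnlp_hardened(crafted)))
    print("hardened jars:      ", jar_hrefs(build_jnlp_hardened(crafted)))
```

Server-side discipline of this kind complements, rather than replaces, the client-side jar signature checks Nivette refers to: the launcher file should never be the component that decides which host the client trusts.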
The vulnerabilities were discovered at the end of January and reported to DigDash on February 3. A patch for versions 2018R2 and 2019R1 addressing the SSRF was released on February 10, and a patch for versions 2018R2, 2019R1, 2019R2 and 2020R1 addressing the third flaw, a cross-site scripting (XSS) bug, and the content injection was released at the end of May.
The vulnerabilities were publicly disclosed this week.
Nivette said the disclosure process “went really well; the DigDash team was responsive and provided useful details to add to the responsible disclosure document.”
The Daily Swig has contacted DigDash for further comment.
This article was updated on June 18 with comments from Florian Nivette of Bishop Fox.