Disclosure process for bugs in HCL DX – formerly WebSphere Portal – initially went awry
UPDATED HCL Digital Experience (DX), a platform for building and managing web portals, contained multiple vulnerabilities that could potentially lead to remote code execution (RCE), researchers claim.
The vendor, HCL Technologies, initially said it could not reproduce the bugs – all server-side request forgery (SSRF) flaws – according to a blog post published by Australian attack surface management firm Assetnote.
However, HCL Software, a division of HCL Technologies, eventually released a security advisory detailing patches for an SSRF flaw, crediting Assetnote’s Shubham Shah, and for a separate inefficient regular expression vulnerability, on December 30, five days after Assetnote’s disclosure.
Brian Blackshaw, director of PSIRT Operations at HCL Software, told The Daily Swig: “It’s our policy to disclose as soon as remediation/mitigation is available.”
HCL DX was known as WebSphere Portal and Web Content Manager until HCL Technologies, an Indian IT multinational, acquired the software from IBM in 2019.
HCL Technologies lists the New York State Senate, Bank of Canada, and MidMichigan Health among the platform’s users.
Assetnote researchers detected around 3,000 internet-facing instances of the platform.
The vulnerabilities affect WebSphere Portal 9 and potentially newer releases, according to Assetnote.
Shubham Shah, co-founder and CTO of Assetnote, wrote that the researchers “turned a restrictive, bad SSRF to a good SSRF” after discovering an endpoint that allowed them to redirect requests to an arbitrary URL, smuggling this ‘redirect gadget’ into the original SSRF payload, and opening a diagram in a new tab.
After accessing the source code, Shah said the researchers “found something that seemed extremely naive and frankly, we couldn’t understand why it existed in the first place”: a web proxy system deployed by default but limited to a few ‘trusted’ sites.
One such trusted endpoint – http://www.redbooks.ibm.com/* – ran Lotus Domino to deliver content to users. “[It] turns out, you can slap on ?Logout&RedirectTo=http://example.com to any Lotus Domino page to cause a URL redirection to the URL specified in the RedirectTo parameter,” said Shah.
As a result, an attacker could “pivot to the internal network and/or request cloud metadata endpoints to obtain cloud credentials”, according to a security advisory published by Assetnote.
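The weakness in the chain above is a proxy that checks the first URL against its allowlist and then follows whatever redirect the ‘trusted’ host returns. The following is an added example, not code from HCL DX, Assetnote or the advisory, of a proxy fetch helper that re-validates the destination on every redirect hop and additionally refuses link-local, loopback and private address literals, so an open redirect on an allowlisted origin cannot be turned into a request to internal hosts or the cloud metadata service. The allowlist, the canned HTTP responses and the `fake_fetch` function are all constructed for the demonstration; the one allowlisted origin is the one the article names.

```python
"""
Added example (not from the Assetnote or HCL code): a proxy fetch helper that
re-validates the destination on every redirect hop, so a 'trusted' origin
that exposes an open redirect cannot be used to reach internal hosts or the
cloud metadata service.
"""
import ipaddress
from urllib.parse import urlsplit, urljoin

# Hypothetical allowlist in the spirit of the article's proxy-config.xml; the
# single entry is the origin the article names.
ALLOWED_ORIGINS = {("http", "www.redbooks.ibm.com", 80)}

# Address ranges a portal proxy should never fetch from, even if allowlisted.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7",
)]

def origin_of(url):
    """Return (scheme, host, port) for http(s) URLs, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)

def is_blocked_address(host):
    """True if host is an IP literal inside a blocked range (DNS is out of scope here)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_NETWORKS)

def is_allowed_target(url):
    origin = origin_of(url)
    if origin is None or is_blocked_address(origin[1]):
        return False
    return origin in ALLOWED_ORIGINS

def proxy_fetch(url, fetch, max_hops=5):
    """Return (status, body); raise ValueError if any hop leaves the allowlist."""
    current = url
    for _ in range(max_hops):
        if not is_allowed_target(current):          # checked on EVERY hop
            raise ValueError(f"blocked: {current}")
        status, headers, body = fetch(current)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            current = urljoin(current, headers["Location"])
            continue                                 # re-validated next iteration
        return status, body
    raise ValueError("too many redirects")

# Constructed responses: one ordinary page, and one page that answers with the
# Logout/RedirectTo redirection the article describes, aimed at the metadata IP.
CANNED = {
    "http://www.redbooks.ibm.com/abstracts/sg24.html":
        (200, {}, b"<html>redbook</html>"),
    "http://www.redbooks.ibm.com/page?Logout&RedirectTo=http://169.254.169.254/":
        (302, {"Location": "http://169.254.169.254/"}, b""),
}

def fake_fetch(url):
    """Stand-in for a real HTTP client; serves only the constructed responses."""
    return CANNED.get(url, (404, {}, b""))

def demo():
    """Returns (result of the benign fetch, whether the redirect chain was blocked)."""
    ok = proxy_fetch("http://www.redbooks.ibm.com/abstracts/sg24.html", fake_fetch)
    try:
        proxy_fetch("http://www.redbooks.ibm.com/page?Logout&RedirectTo=http://169.254.169.254/",
                    fake_fetch)
        blocked = False
    except ValueError:
        blocked = True
    return ok, blocked

if __name__ == "__main__":
    print(demo())
```

Two layers do the work: the per-hop allowlist check is what closes the redirect gadget, and the address-range check is defence in depth for the case where an allowlisted name or a later hop resolves to an internal address. A production version would also resolve hostnames and check the resolved addresses, which this offline example deliberately leaves out.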
Unauthenticated attackers could also achieve command execution by uploading a malicious zip file whose extraction is vulnerable to directory traversal and therefore to arbitrary file upload, said Shah.
“If, for whatever reason, a user is able to write an ifcfg-<whatever> script to /etc/sysconfig/network-scripts or it can adjust an existing one, then RCE is possible,” said Shah.
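The extraction flaw described in the two paragraphs above is the familiar pattern of writing each archive member to wherever its stored name points. The following is an added example, not code from HCL DX, of an extraction routine that validates every member against the destination directory before writing anything, rejecting absolute paths, `..` traversal and symlink entries. The two archives it builds, the entry names inside them and the `demo` helper are constructed for the example.

```python
"""
Added example (not from HCL DX or Assetnote): extract an uploaded zip only if
every entry stays inside the destination directory; traversal entries are
rejected before a single file is written.
"""
import io
import os
import tempfile
import zipfile

class UnsafeArchive(ValueError):
    """Raised for any member that would land outside the destination."""

def safe_member_path(dest, name):
    """Return the absolute target path for a member, or raise UnsafeArchive."""
    if name.startswith(("/", "\\")) or ":" in name.split("/")[0]:
        raise UnsafeArchive(f"absolute path: {name}")
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, name))   # collapses '..'
    if os.path.commonpath([dest, target]) != dest:
        raise UnsafeArchive(f"traversal: {name}")
    return target

def safe_extract(data, dest):
    """Validate all members first, then extract; returns the relative paths written."""
    dest = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        plan = []
        for info in zf.infolist():
            file_type = (info.external_attr >> 16) & 0o170000
            if file_type == 0o120000:                    # symlink stored in archive
                raise UnsafeArchive(f"symlink: {info.filename}")
            plan.append((info, safe_member_path(dest, info.filename)))
        for info, target in plan:                        # only reached if all passed
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest))
    return written

def build_zip(entries):
    """Build an in-memory zip from (name, text) pairs; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)          # writestr keeps '..' in names as-is
    return buf.getvalue()

GOOD_ZIP = build_zip([("theme/index.html", "<h1>ok</h1>")])
TRAVERSAL_ZIP = build_zip([("theme/index.html", "<h1>ok</h1>"),
                           ("../../outside.txt", "escaped")])

def demo():
    """Returns (files written from the good zip, traversal zip rejected?, anything leaked?)."""
    with tempfile.TemporaryDirectory() as d:
        good = safe_extract(GOOD_ZIP, d)
        try:
            safe_extract(TRAVERSAL_ZIP, d)
            rejected = False
        except UnsafeArchive:
            rejected = True
        leaked = os.path.exists(os.path.join(d, "..", "..", "outside.txt"))
    return good, rejected, leaked

if __name__ == "__main__":
    print(demo())
```

Validating the whole member list before the first write matters: an archive whose traversal entry comes last would otherwise have already dropped its earlier files by the time the bad name is noticed. The same check applies to any format the upload handler unpacks, not only zip.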
Assetnote said it disclosed its findings to HCL Technologies on September 5, notifying the vendor that it intended to publicly disclose the research on December 5, in line with its 90-day responsible disclosure policy.
After acknowledging this first contact on September 7, the vendor then said on November 8 that it had been unable to reproduce the vulnerabilities, according to Assetnote’s timeline.
Shah claimed that HCL Technologies said on November 23 – its most recent communication – that if Assetnote went ahead with publication, “HCL Technologies will cite you as an irresponsible vulnerability disclosure party to the communities that we post to”.
Assetnote eventually published the advisory on December 25 and a blog post on December 26, and the patches landed on December 30.
Shah said WAF rules cannot be relied on to prevent exploitation of the flaws. For those who cannot update their systems, he advised modifying all proxy-config.xml files in the WebSphere Portal installation so that no origins are whitelisted, and removing a number of folders, as listed in the blog post, provided their functionality is not needed.
The attack surface for WebSphere Portal “is vast and diverse” and “there are many more vulnerabilities yet to be found”, he added.
Assetnote’s Shah told The Daily Swig on December 29 he had nothing to add to its published blog post at this time.
This article was updated on January 2 with details of patches and comment from HCL Software’s PSIRT team