Extensis was described as ‘not receptive’ to disclosure and has allegedly not provided patches

Zero-day RCE flaw among multiple bugs found in Extensis Portfolio

Researchers have disclosed critical vulnerabilities in Extensis Portfolio, including a zero-day flaw that’s yet to be patched.

On February 17, White Oak Security researchers Michael Rand and Talis Ozols publicly disclosed vulnerabilities in digital asset management software Extensis Portfolio.

Extensis Portfolio comprises a user-facing main content management application, an administrator portal, and a content hosting application.

Take five

During an independent penetration test, the cybersecurity researchers uncovered an instance of the software, deployed online, with default administrator credentials in use.

After examining the security oversight further, the duo found they were able to achieve remote code execution (RCE) through an unrestricted file upload bug.

Read more of the latest infosec research news

This alleged zero-day was the first serious security flaw White Oak Security discovered.

The pen testers then examined the source code of Extensis Portfolio version 3.6.3 and found a total of five vulnerabilities that required immediate attention:

  • CVE-2022-24251 – RCE via unrestricted file upload
  • CVE-2022-24255 – Hardcoded credentials in the main and administrator portals (authentication bypass)
  • CVE-2022-24252 – Unrestricted file upload and path traversal error leading to RCE in the main portal
  • CVE-2022-24254 – Authenticated archive ‘zip-slip’, a directory traversal bug, exploitable for RCE
  • CVE-2022-24253 – Authenticated, but unrestricted file upload flaw in admin portal leading to RCE

CVE numbers have been assigned and are on a ‘reserved’ status at the time of writing. It is not known if any of these vulnerabilities are being exploited in the wild.

Disclosure difficulties

When it comes to vulnerability disclosure, many cybersecurity firms offer a 90-day window for vendors to triage and patch vulnerabilities once they have been reported.

Details of the flaws will then be made public, even if in a redacted fashion – a practice aimed at encouraging organizations to fix security issues found in their software in a timely manner.

In White Oak Security’s case, however, coordinated disclosure apparently proved to be difficult.

RECOMMENDED Critical vulnerabilities in Zabbix Web Frontend allow authentication bypass, RCE on servers

The researchers spent the month of August 2021 trying to contact the vendor through online forms, sales channels, and social media, only to be promised a security contact that never materialized.

The company was also told it could not contact Extensis “without an active contractual service agreement”.

It was not until September 29 that White Oak Security said it was able to contact the vendor – and only by leveraging a client contact.

According to the researchers’ disclosure timeline, Extensis confirmed receipt of the report and recommended that the team test Portfolio Server v.4.0.0, as some fixes had been issued after v.3.6.3.

However, things then became obscure. White Oak Security confirmed that the original RCE vulnerability was unpatched in v4.0.0, and after requesting further information from the vendors on the fixes, there was radio silence.

‘No patch available’

On October 22, the cybersecurity researchers told Extensis that four other critical vulnerabilities also needed to be resolved, and while the vendor provided mitigation options for the unrestricted file upload bug, the company allegedly refused to give a timeline for any further fixes.

A total of 164 days passed since disclosure before the researchers decided to take their findings public. According to White Oak Security, Extensis said “these security issues had not been prioritized and Extensis did not have an expected date for remediation”.

As of February 17, the cybersecurity team says that Extensis “has not provided White Oak Security any indication that these vulnerabilities will be fixed”.

“Unfortunately, Extensis was not receptive to the disclosure of these vulnerabilities and has not made a patch available at this time,” the researchers say. “As such, White Oak Security is compelled to disclose these issues publicly.”

The Daily Swig has reached out to Extensis with additional queries and we will update if and when we hear back.

In response to our queries this week, a White Oak spokesperson told us: “There hasn’t been any further contact with White Oak from Extensis at this point, but we're hoping that’s because they are working on the issues.”

This article was updated on February 23 with additional comment from the reseachers.

YOU MIGHT ALSO LIKE Ghostbuster – AWS security tool protects against dangling elastic IP takeovers