Yellowfin tackles auth bypass bug trio that opened door to RCE

Pre- and post-authentication vulnerabilities pose significant risks


A trio of authentication bypass vulnerabilities has been identified and resolved in the widely used enterprise analytics platform Yellowfin BI. All three stem from the use of hardcoded keys, which left the platform open to exploitation.

Initial research conducted by security experts from Assetnote revealed pre-authentication vulnerabilities, which later led to the discovery of a post-authentication pathway that allowed for command execution.

The vulnerabilities were reported by Max Garrett from Assetnote and have been assigned CVE identifiers, though CVSS scores are still pending.

Details of the Vulnerabilities

The vulnerabilities stem from flaws in authentication logic. The first, CVE-2022-47884, was a logic flaw that let unauthorized users sign in provided a signature check passed. According to a blog post by Garrett and Assetnote’s CTO, Shubham Shah, the RSA private key used for that signature was hardcoded, so any user could bypass the check.

A second flaw, in the JsAPI servlet, allowed attackers to authenticate using the EXTAPI-IPID cookie, which carries a user ID encrypted under a hardcoded key (CVE-2022-47885).

In practice this means that anyone who knows a victim’s user ID could establish a valid session in that account, as the blog explains.

The third vulnerability (CVE-2022-47882) lay in Yellowfin’s JWT implementation in its REST API: a valid refresh token ID, combined with an extracted hardcoded key, let a user generate a valid JWT for any account. This flaw only amounted to privilege escalation, however, since it required a refresh token ID obtained from a successful login.

Once authentication was bypassed, a further vulnerability, CVE-2022-47883, allowed remote code execution.

The researchers suspected that JNDI or JDBC injection could yield command execution in Yellowfin BI, which connects to arbitrary data sources. Their investigation of the JNDI route, using a particular gadget, proved successful.

Assetnote has shared a complete proof-of-concept exploit chain available on GitHub.

The vulnerabilities were fixed in Yellowfin BI version 9.8.1.

Security Advice for Monolith Applications

Shah stated, “Our evaluations of enterprise applications often uncover hardcoded keys, resulting in severe security implications (similar to our discovery in VMware AirWatch). Although many enterprise products are challenging to acquire due to qualification and sales procedures, once access to source code is achieved, numerous critical vulnerabilities can often be readily exploited.”
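The defect common to the three bypasses described above, and to the hardcoded keys Shah says such assessments routinely turn up, is key material checked into source. The scanner below is an added example, not code from Yellowfin, Assetnote or the article: it walks a source tree and flags PEM private-key blocks and long constant secrets assigned to key-like identifiers (the identifier list and suffix set are assumptions, and the sample Java and properties files it scans are constructed inline).

```python
"""Scan a source tree for hardcoded key material.

Added example, not code from Yellowfin, Assetnote or the article: it flags
PEM private-key blocks and long constant secrets assigned to key-like
identifiers, the defect class behind all three bypasses. The sample
sources it scans are constructed inline so the script runs offline.
"""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Any PEM private-key header (RSA, EC, PKCS#8 "PRIVATE KEY", ...).
PEM_BLOCK = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

# A key-like identifier assigned a long literal: either a quoted string of
# 16+ chars (Java/Python/JS) or an unquoted token of 24+ chars (.properties).
# The identifier list is an assumption; extend it for the codebase at hand.
KEY_ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:secret|private_?key|signing_?key|jwt_?key|aes_?key|hmac_?key)\w*)"
    r"\s*(?::\s*\w+)?\s*=\s*(?:\"[^\"\n]{16,}\"|[A-Za-z0-9+/=_-]{24,})"
)
SOURCE_SUFFIXES = {".java", ".properties", ".xml", ".py", ".js", ".yml", ".yaml"}
COMMENT_PREFIXES = ("//", "#", "*", "/*")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    identifier: str


def scan_text(text, path="<memory>"):
    """Return one Finding per suspicious line in a single file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_BLOCK.search(line):
            findings.append(Finding(path, lineno, "pem-private-key", "PEM block"))
            continue
        if line.lstrip().startswith(COMMENT_PREFIXES):
            continue  # comments are noisy; review them separately
        m = KEY_ASSIGNMENT.search(line)
        if m:
            findings.append(Finding(path, lineno, "hardcoded-secret", m.group(1)))
    return findings


def scan_tree(root):
    """Walk a directory and scan every file with a source-like suffix."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in SOURCE_SUFFIXES:
            findings.extend(scan_text(p.read_text(errors="replace"), str(p.relative_to(root))))
    return findings


# Constructed sample: one baked-in signing key, one embedded PEM key, and one
# key correctly loaded from the environment (must not be flagged).
SAMPLE_JAVA = '''package com.example.auth;

public class TokenService {
    // constructed sample: key material baked into the build
    private static final String JWT_SIGNING_KEY = "constructed-static-secret-0001";
    private static final String PRIVATE_KEY_PEM =
        "-----BEGIN RSA PRIVATE KEY-----\\n" +
        "MIIEow...constructed placeholder...\\n" +
        "-----END RSA PRIVATE KEY-----";
    private final byte[] installKey = KeyStore.loadFromEnv("APP_SIGNING_KEY");
}
'''

# Constructed sample: one literal secret, one value resolved at deploy time.
SAMPLE_PROPERTIES = '''# constructed sample application.properties
server.port=8080
jwt.secret=0123456789abcdef0123456789abcdef
extapi.cipher.key=${EXTAPI_CIPHER_KEY}
'''


def build_sample_tree():
    """Write the constructed samples to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="keyscan-"))
    (root / "src").mkdir()
    (root / "src" / "TokenService.java").write_text(SAMPLE_JAVA)
    (root / "application.properties").write_text(SAMPLE_PROPERTIES)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.path}:{f.line}: {f.kind} ({f.identifier})")
```

Run against the constructed tree it reports the baked-in JWT key and the embedded PEM block in the Java file and the literal `jwt.secret` in the properties file, while leaving the values resolved from the environment alone. A hit is a review item, not a verdict: the remedy that closes this class is per-installation key generation at deploy time with the key held outside the code base.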

As a Java monolith, Yellowfin is the kind of codebase that calls for a methodical approach, the researchers said. “Carefully outline the pre-authentication attack surface in detailed fashion,” they advised.

“Understand all accessible routes, both static and dynamic, and analyze which routes can be accessed without authentication.”

Once the pre-authentication routes are mapped, the next step is to “evaluate how user input is handled by these routes and identify which routes accept specific user input,” they added. That step surfaces the candidates worth deeper investigation, whether flagged by a suggestive controller name or by a parameter identifier.


Based on an article from portswigger.net: https://portswigger.net/daily-swig/yellowfin-tackles-auth-bypass-bug-trio-that-opened-door-to-rce
