Serious Snipe-IT bug exploitable to send password reset email traps

2 years ago 210
BOOK THIS SPACE FOR AD
ARTICLE AD

Charlie Osborne 05 May 2022 at 09:47 UTC

Attackers could use the flaw to steal credentials with no authentication required

Serious Snipe-IT bug exploitable to send password reset email traps

Developers have patched a critical vulnerability in Snipe-IT that could be exploited to send users malicious password reset requests.

Grokability’s Snipe-IT is a cloud-based, open source project for user asset management.

The popular system has been designed to replace sometimes clunky and ineffective Excel spreadsheets and accounts for roughly 3.4 million users, as well as over 6.7 million managed assets.

RECOMMENDED Zero-day bug in uClibc library could leave IoT devices vulnerable to DNS poisoning attacks

Snipe-IT’s GitHub repository has over 200 contributors and over 2,100 forks at the time of writing. Adopters can choose to have their Snipe-IT builds hosted by Grokability or they can manage it themselves.

On May 2, the project disclosed CVE-2022-23064, a critical vulnerability that has been awarded a CVSS severity score of 8.8.

Server-side woes

The vulnerability is described as a host header injection bug. Host header issues occur when server communication is handled in an unsafe way and can lead to a variety of problems including web cache poisoning, server-side request forgery (SSRF), or SQL injection attacks.

In Snipe-IT’s case, CVE-2022-23064 allowed attackers to send crafted host headers to the reset password request functionality of the system.

Target users could be sent password reset links that would, once clicked, lead them to an attacker-controlled server rather than a trusted domain managed by Snipe-IT users.

Read more of the latest security research news from around the world

The developers say that it would then be possible to steal password reset tokens, leading to account hijacking.

According to White Source, an example attack scenario is an attacker selecting ‘I forgot my password’ and submitting the selected victim’s username.

The request would be intercepted after clicking ‘email password reset’, and the host header would then be modified. If the would-be victim clicks the email link, complete with a modified base URL, the reset token is then logged and compromised.

Protect your targets

While user interaction is required to trigger a cyber-attack, no authentication or privileges are required to exploit the flaw.

Snipe-IT versions 3.0-alpha to v5.3.7 are vulnerable. Users are urged to upgrade to at least version v5.3.8.

One of the latest builds available – v.5.4.3 (v.5.4.4 was released on May 4) – also includes a patch to resolve a potential cross-site scripting (XSS) vulnerability in user requestable results.

Speaking to The Daily Swig, Grokability CTO Brady Wetherington said there is no evidence of any in-the-wild exploits. Furthermore, “our hosted platform was never vulnerable to the exploit, due to its configuration”.

YOU MIGHT ALSO LIKE State Bar of Georgia reels from cyber-attack

Read Entire Article