Summary:
In the first week of April, amidst of global lockdown environment, multiple vulnerabilities that includes information disclosure as well as privilege escalation that leads to remote code execution (RCE) were observed in Deskpro. These issues were classified into CWE-200 and CWE-269 that exists in Deskpro prior to 2019.8.0.
The /api/email_accounts endpoint failed to properly validate a user’s privilege, allowing an attacker to retrieve cleartext credentials of all helpdesk email accounts, including incoming and outgoing email credentials. This enables an attacker to get full access to all emails sent or received by the system including password reset emails, making it possible to reset any user’s password.
Description:
With much sensitive information exchanged between agents and clients, it makes DeskPro the perfect target for an adversary targeting the organization., as authentication is not required to access and exploit the vulnerability. Technically there is no complete POC available at this moment over the wild.
Before getting into the vulnerability and possible exploitability details, here’s a quick summary of all CVEs mentioned in Deskpro update:
- CVE-2020-11463 DESKPRO PRIOR 2019.8.0 /API/EMAIL_ACCOUNTS PRIVILEGE ESCALATION
- CVE-2020-11464 DESKPRO PRIOR 2019.8.0 ENDPOINT /API/PEOPLE INFORMATION DISCLOSURE
- CVE-2020-11465 DESKPRO PRIOR 2019.8.0 HELPDESK APPLICATION /API/APPS/ INFORMATION DISCLOSURE
- CVE-2020-11466 DESKPRO PRIOR 2019.8.0 ENDPOINT /API/TICKETS INFORMATION DISCLOSURE
- CVE-2020-11467 DESKPRO PRIOR 2019.8.0 HELPDESK INTERFACE TEMPLATE-SOURCES CODE REMOTE CODE EXECUTION
CVE-2020-11643 & CVE-2020-11647 were classified into CWE-269, meaning it is going to have an impact on confidentiality, integrity, and availability. Remaining three CVEs mentioned above falls under CWE-269 impacting confidentiality of Deskpro systems.
However, multiple API endpoints were found to have a problem properly validating user’s privilege, giving a normal user arbitrary unauthorized access to various actions and information.
/api/email_accounts – (CVE-2020-11463)
Retrieve plaintext credentials of all helpdesk email accounts, including incoming and outgoing email credentials
/api/people – (CVE-2020-11464)
Retrieve sensitive information about all users registered on the system. This includes their full name, privilege, email address, phone number and such sensitive personal information.
/api/apps/* – (CVE-2020-11465)
Controlling/installing helpdesk applications, leaking current applications’ configurations, including applications used as user sources (used for authentication) such as JWT. This enables an attacker to forge valid authentication models that resembles any user on the system (Privilege Escalation).
/api/tickets – (CVE-2020-11466)
Retrieve sensitive information about all helpdesk tickets stored in database with numerous filters. Additionally, it leaks ticket auth code, making it possible to make changes to the ticket.
In order to establish our attack scenario, we need a valid user account, which we can easily obtain via self-registration at https://support.bitdefender.com/en/register.
Affected Products:
Deskpro versions prior to 2019.8.0
Advisory:
https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09
https://support.deskpro.com/en/news/posts/deskpro-v2019-8-0-released-security-update
Mitigation:
Deskpro has updated the patch and released for CVE-2020-11463,CVE-2020-11464,CVE-2020-11465,CVE-2020-11466 and CVE-2020-11467.
Qualys customers can scan their network with QID(s)# 13715 to detect vulnerable assets. Kindly continue to follow on Qualys Threat Protection for more coverage on vulnerabilities.
References & Sources:
- https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro-with-bitdefender-as-case-study/
- https://support.deskpro.com/en/news/posts/deskpro-security-update-2019-09