
Privilege escalation through CSRF attack on 'setup.pl'

High
ehuelsmann published GHSA-98ff-f638-qxjm Feb 2, 2024

Package

LedgerSMB

Affected versions

1.3.0-1.3.47, 1.4.0-1.4.42, 1.5.0-1.5.30, 1.6.0-1.6.33, 1.7.0-1.7.32, 1.8.0-1.8.31, 1.9.0-1.9.30, 1.10.0-1.10.29, 1.11.0-1.11.8

Patched versions

1.10.30, 1.11.9

Description

Summary:

When a LedgerSMB database administrator has an active session in /setup.pl,
an attacker can trick the admin into opening an attacker-controlled link or
page that submits a request to setup.pl in the admin's authenticated session,
without the admin's consent. Such a request can be used to create a new user
account with full application (/login.pl) privileges, leading to privilege
escalation.

Known vulnerable:

All of:

  • 1.3.0 up to 1.3.47 (inclusive)
  • 1.4.0 up to 1.4.42 (inclusive)
  • 1.5.0 up to 1.5.30 (inclusive)
  • 1.6.0 up to 1.6.33 (inclusive)
  • 1.7.0 up to 1.7.32 (inclusive)
  • 1.8.0 up to 1.8.31 (inclusive)
  • 1.9.0 up to 1.9.30 (inclusive)
  • 1.10.0 up to 1.10.29 (inclusive)
  • 1.11.0 up to 1.11.8 (inclusive)

Known fixed:

  • 1.10.30
  • 1.11.9

Details:

CSRF is an attack that tricks the victim into submitting a malicious request. It
inherits the identity and privileges of the victim to perform an undesired function
on the victim's behalf [1].

To carry out the attack, the attacker must know the name of the company database in
which they want to create a user, because the forged request targets one specific
database. Where a LedgerSMB installation maintains several company administrations,
a separate attack is therefore needed for each company, and a single attack yields
access to a single company only. If companies share user accounts, however, an
account obtained in one company can be used to reach the other companies with the
rights that account holds there.

In this specific attack, the victim must be an administrator of /setup.pl with an
active session. Note that the account created this way is an application user: it
does not have full access to /setup.pl, but it does have full access to /login.pl
for a single company. The created account therefore cannot itself be used to, for
example, create database backups. The forged request, however, executes with the
victim administrator's setup.pl privileges, so the same technique can be used to
perform any other action supported by setup.pl.
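The weakness described above is the classic CSRF shape: a state-changing request is authorised by nothing more than the session cookie the browser attaches automatically. The following is an added example, not LedgerSMB's code or its actual fix, showing a minimal server-side guard for such an endpoint: same-origin enforcement via the Origin header (with a Referer fallback) plus a per-session synchronizer token, beside the pre-fix pattern that trusts the cookie alone. The deployment origin, the form field names (`username`, `role`, `csrf_token`) and both sample requests are constructed for illustration; the real setup.pl parameters are not shown on this page.

```python
# Added example, not LedgerSMB code: a CSRF guard for a state-changing admin
# endpoint, modelled on a forged "create user" request riding on an admin's
# live setup.pl session. Origin, field names and sample requests are made up.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://ledger.example.test"  # assumed deployment origin


@dataclass
class Session:
    """Server-side session that the browser's cookie resolves to."""
    user: str
    # Per-session synchronizer token, embedded in every legitimate form.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    form: Dict[str, str]
    # Browsers attach the session cookie to cross-site top-level POSTs too,
    # so a forged request still resolves to the victim's session.
    session: Optional[Session]


def request_origin(req: Request) -> Optional[str]:
    """Origin header, falling back to the origin part of Referer."""
    origin = req.headers.get("Origin")
    if origin is not None:
        return origin
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_failure(req: Request) -> Optional[str]:
    """Return None if the request may proceed, else the reason to reject it."""
    if req.method.upper() != "POST":
        return "state-changing actions only via POST"  # a plain link must not act
    if req.session is None:
        return "no authenticated session"
    origin = request_origin(req)
    if origin is None:
        return "missing Origin and Referer"
    if origin != SITE_ORIGIN:
        return f"cross-site origin {origin}"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return "missing or wrong CSRF token"
    return None


def create_user_vulnerable(req: Request, users: Dict[str, str]) -> bool:
    """Pre-fix pattern: a valid session cookie is the only authorisation."""
    if req.session is None:
        return False
    users[req.form["username"]] = req.form["role"]
    return True


def create_user_hardened(req: Request, users: Dict[str, str]) -> bool:
    """Same action behind the CSRF guard."""
    if csrf_failure(req) is not None:
        return False
    users[req.form["username"]] = req.form["role"]
    return True


def legitimate_request(session: Session) -> Request:
    """Constructed: the admin submits the real setup form from our own page."""
    return Request("POST", "/setup.pl", {"Origin": SITE_ORIGIN},
                   {"username": "alice", "role": "accountant",
                    "csrf_token": session.csrf_token}, session)


def forged_request(session: Session) -> Request:
    """Constructed: auto-submitted form on an attacker page; cookie still sent."""
    return Request("POST", "/setup.pl", {"Origin": "https://attacker.example"},
                   {"username": "backdoor", "role": "admin"}, session)


def run_demo() -> dict:
    admin = Session(user="dbadmin")
    before_fix: Dict[str, str] = {}
    after_fix: Dict[str, str] = {}
    forged, legit = forged_request(admin), legitimate_request(admin)
    return {
        "vulnerable_accepts_forged": create_user_vulnerable(forged, before_fix),
        "hardened_accepts_forged": create_user_hardened(forged, after_fix),
        "hardened_accepts_legit": create_user_hardened(legit, after_fix),
        "forged_reason": csrf_failure(forged),
        "users_after_fix": sorted(after_fix),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two checks are used rather than one because they fail independently: an Origin check alone is defeated if the application ever accepts requests lacking both Origin and Referer, and a token alone is only as good as the application's discipline in emitting it on every form. Marking the session cookie `SameSite=Lax` or `Strict` is a worthwhile third layer set at the cookie level, outside this snippet. The `hmac.compare_digest` call avoids leaking the token through timing differences in the comparison.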

Severity:

CVSSv3.1 Base Score: 7.5 (HIGH)

CVSSv3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSSv3.1 Temporal Score: 6.7 (MEDIUM)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C&version=3.1

Recommendations:

We recommend that all users upgrade to a known-fixed version. Versions
prior to 1.10 are end-of-life and will not receive security fixes from
the LedgerSMB project.

Users who cannot upgrade may apply the included patches, or are advised
to contact a vendor for custom support.

As a workaround, installations may choose not to expose or use /setup.pl
at all, instead using the command line application "ledgersmb-admin" to
perform administrative tasks. Password resets can be performed with regular
/login.pl functionality or through PostgreSQL's "psql" command line tool.

References:

CVE-2024-23831 (LedgerSMB)

https://ledgersmb.org/cve-2024-23831-setup-csrf

https://twelvesec.com/2024/02/02/cve-2024-23831

Reported by:

Georgios Roumeliotis (TwelveSec [twelvesec.com])

Footnotes

  [1] https://owasp.org/www-community/attacks/csrf
