
HCL DX vendor “cannot replicate” allegedly critical vulnerabilities


The vulnerability disclosure process for HCL DX (formerly known as WebSphere Portal) appears to be a problem

According to the researchers, HCL Digital Experience (DX), a platform for building and managing portal websites, contains multiple vulnerabilities that may lead to remote code execution (RCE).

However, the vendor, HCL Technologies, has said it was unable to reproduce the bugs, all of which are server-side request forgery (SSRF) flaws, according to a blog post published by Assetnote, an Australian attack surface management company.

Assetnote also stated that HCL Technologies, which is a CVE Numbering Authority, refused to issue CVEs until remediation was in place.

WebSphere Portal

HCL DX was known as WebSphere Portal and Web Content Manager before Indian IT multinational HCL Technologies acquired the software from IBM in 2019.

HCL Technologies lists the New York State Senate, the Bank of Canada and MidMichigan Health among the platform’s users.

Assetnote researchers detected around 3,000 internet-facing instances of the platform.

According to Assetnote, the alleged vulnerabilities affect WebSphere Portal 9 and possibly newer versions.

‘Very naive’

Shubham Shah, Assetnote’s co-founder and CTO, wrote that after discovering an endpoint that allowed them to redirect requests to arbitrary URLs, the researchers “turned a restrictive, bad SSRF into a good SSRF” by smuggling this “redirect gadget” into the original SSRF payload.

After obtaining the source code, Shah said the researchers “found something that seemed very naive, and frankly, we couldn’t understand why it exists”: a web proxy feature deployed by default, but limited to a few “trusted” endpoints.


One such trusted endpoint is for Lotus Domino (https://ift.tt/3FCeNtn), which is used to deliver content to users. “[As a] result, you can hit any Lotus Domino page to redirect the URL to the URL specified in the parameter,” Shah said.

As a result, an attacker can “pivot to the internal network and/or request cloud metadata endpoints to obtain cloud credentials”, according to a security advisory published by Assetnote.

Shah said that unauthenticated attackers could also achieve command execution by uploading a malicious zip file, because extraction of the archive is susceptible to directory traversal, making it easy to write arbitrary files.

“For whatever reason, if users can write scripts or adjust existing scripts, then RCE is possible,” Shah said.
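The extraction flaw described above is the classic “zip slip” pattern: an archive entry named with `../` components escapes the directory it is unpacked into. The check below is an added example, not Assetnote’s or HCL’s code; it builds a constructed archive in memory containing one benign entry and one traversal entry, and refuses to extract an archive whose entries would resolve outside the destination.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Added example (not Assetnote's or HCL's code): reject zip entries that
# would escape the extraction directory before extracting an upload.

def build_sample_zip(with_traversal: bool = True) -> bytes:
    """Constructed upload: a normal file plus, optionally, a '../' entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("theme/ok.txt", "harmless")
        if with_traversal:
            zf.writestr("../../escaped.txt", "would land outside dest")
    return buf.getvalue()

def unsafe_entries(zip_bytes: bytes, dest) -> list[str]:
    """Entry names whose resolved path is not strictly inside dest."""
    root = Path(dest).resolve()
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = (root / name).resolve()  # collapses '..' components
            # Compare path components, not string prefixes, so that
            # '/srv/portal' does not accept '/srv/portal-evil/x'.
            if target != root and root not in target.parents:
                bad.append(name)
    return bad

def safe_extract(zip_bytes: bytes, dest) -> list[str]:
    """Extract only when every entry stays under dest; otherwise raise."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing archive, traversal entries: {bad}")
    root = Path(dest)
    root.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(root)
        return sorted(zf.namelist())

def demo() -> tuple[list[str], list[str]]:
    """(rejected names of the hostile zip, extracted names of the clean one)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "portal" / "themes"
        rejected = unsafe_entries(build_sample_zip(True), dest)
        extracted = safe_extract(build_sample_zip(False), dest)
    return rejected, extracted
```

The same validation should be applied to symlink entries and absolute names in a production extractor; this block covers the `..` case the article describes.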

Disclosure timeline

Assetnote stated that it disclosed its findings to HCL Technologies on September 5 and notified them that it intends to publicly disclose the research on December 5, in line with its 90-day responsible disclosure policy.

According to Assetnote’s timeline, the vendor confirmed the first contact on September 7 and stated on November 8 that it was unable to reproduce these vulnerabilities.

Shah claimed that HCL Technologies stated on November 23 (its most recent communication) that if they went ahead with publication, “HCL Technologies will cite you as an irresponsible vulnerability disclosure party to the community to which we post.”

After several reminders about the 90-day disclosure deadline, Assetnote eventually published an advisory on December 25 and a blog post on December 26.

Mitigation

Shah said that WAF rules cannot be relied on to prevent exploitation of these flaws. Instead, he recommends that users modify all the relevant files in their WebSphere Portal installation so that no sources are whitelisted, and delete many of the folders listed in the blog post, provided their functionality is not needed.

He added that the attack surface of WebSphere Portal is “broad and diverse,” and “there are more vulnerabilities yet to be discovered.”

Assetnote’s Shah told The Daily Swig on December 29 that he had nothing to add to his published blog post at this time.

HCL Technologies has not yet responded to our follow-up questions, but we will update the article when they respond.
