Cybercom uncovered multiple flaws in a Swedish CMS platform named SiteVision, developed by SiteVision AB. The vulnerabilities were disclosed to the vendor, who could then start working on an update. This disclosure is done a couple of months after the patch was released, in order to give organisations using the product ample time to update.
No need for tinfoil hats when it comes to application security: we're all too painfully aware of what can happen. From data breaches to destructive attacks, the potential impacts couldn't be clearer.
Web applications in particular are interesting because of their exposed position -- it's not uncommon for sensitive web applications to be secured "only" by their application logic.
This means that a logical flaw in one of the functions, be it the login function, authorisation function, or access control function, could have a devastating impact.
Application Security Audits
Cybercom Secure helps organisations improve their security through various engagements. On the technical side, Cybercom Secure performs vulnerability assessments and penetration testing, as well as training and related consultancy.
Penetration testing is a common method to assess the "security" of an application or system, as it entails trying to break in or perform unwanted actions. The result is that the application owner, be it the developer or whoever bought the software, gains a better understanding of what flaws are present.
The final report will, almost always, include recommendations on how to fix the underlying problem, or otherwise lessen the risk level.
What it means for you who purchase software solutions and applications
The proverb "trust, but verify" (or perhaps "never trust, always verify") is applicable to application security because of two unfortunate reasons:
- It is easy to save effort on not doing "proper" security testing; and
- The product might be secure, but your deployment and install might not.
I put "proper" in quotation marks, because what is a reasonable level of security for one organisation may not be acceptable for another. The depth of analysis and testing is tied to the level of verification required.
Unfortunately, this might mean that the risk appetite and security level of the vendor does not match that of your organisation. It doesn't mean that the vendor didn't do an okay job of securing their product, but the extent to which they did may not be sufficient for you.
Always verify according to your needs.
Vulnerabilities in a Swedish CMS Solution
SiteVision is a CMS platform used by quite a few Swedish organisations, which is no surprise since they focus on ease-of-use for the users. The most common type of user is the editor (sv. Redaktör), who has the ability to add, remove, and edit content.
SiteVision has built-in support for workflows, e.g. an edited page could require approval before the changes are published externally. This together with the role-based permission system and external authentication makes it a quite nice solution.
While the front-end used by editors and administrators only allows the user to access the things they are allowed to, the back-end is a different story. In short, the software running on the server trusts the user a bit too much in some situations.
It trusts and does not verify.
IT security consultant and security researcher Oscar Hjelm disclosed to the vendor SiteVision AB how two of these flaws could be used in conjunction to run code on the server as root -- the main administrative user on Linux servers.
An editor, who should normally only be able to use pre-defined templates and access pre-allowed building blocks such as paragraphs and images, could tell the CMS application to insert any component (CVE-2019-12734). These components can allow the editor to insert raw HTML or script content.
Once inserted, it is also possible to edit these components. Neither the UI nor the back-end stopped a user from updating a component they did not have the permission to create.
These two flaws can be used to run code on the server (CVE-2019-12733). First, the editor opts to add a script component. They can then, with this high-privilege component, define whatever code should be executed.
The editor can from here perform any action on the system, because the SiteVision application is by default set up to run as root on the server. Everything from extracting usernames and passwords to erasing the hard drive is possible.
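The authorisation gap described above, shown as an added illustration rather than SiteVision's own code: the roles, component types and request format are constructed, and the point is that the server must verify the component type itself, on insert and again on update, instead of trusting what the client sends.

```python
from dataclasses import dataclass, field

# Constructed allow-lists: component types each role may create and edit.
# The roles and types are illustrative, not SiteVision's own identifiers.
ALLOWED_COMPONENTS = {
    "editor": {"paragraph", "image"},
    "admin": {"paragraph", "image", "html", "script"},
}

@dataclass
class Page:
    components: dict = field(default_factory=dict)  # id -> [type, body]

def may_use(role: str, comp_type: str) -> bool:
    """Single authorisation decision, reused for both insert and update."""
    return comp_type in ALLOWED_COMPONENTS.get(role, set())

def handle_trusting(page: Page, role: str, req: dict) -> str:
    """Flawed pattern: the back-end stores whatever type the client names
    and lets any user update any existing component (role is never checked)."""
    if req["action"] == "insert":
        cid = len(page.components) + 1
        page.components[cid] = [req["type"], req["body"]]
        return f"created {req['type']} #{cid}"
    page.components[req["id"]][1] = req["body"]
    return f"updated #{req['id']}"

def handle_verified(page: Page, role: str, req: dict) -> str:
    """Hardened pattern: check the requested type against the role on insert,
    and apply the same check to the stored component's type on update, so a
    component the user could not create cannot be modified either."""
    if req["action"] == "insert":
        comp_type = req["type"]
    else:
        entry = page.components.get(req["id"])
        if entry is None:
            return "denied: no such component"
        comp_type = entry[0]
    if not may_use(role, comp_type):
        return f"denied: {role} may not use {comp_type}"
    return handle_trusting(page, role, req)
```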
What to do
Are you running SiteVision? Update your installation to at least 4.5.6 or 5.1.1. You don't have to do anything if you're running their cloud variant.
Review what security requirements you and your organisation have -- are they being adequately met by your vendors? Are you and your vendors aligned when it comes to risk appetite? Can you benefit from having a security health check?
Trust. But also verify.
Release notes for version 4.5.6
Release notes for version 5.1.1