HCL DX vendor ‘could not reproduce’ allegedly critical vulnerabilities

HCL Digital Experience (DX), a platform for building and managing web portals, contains multiple vulnerabilities that could potentially lead to remote code execution (RCE), researchers claim.

However, the vendor, HCL Technologies, said it could not reproduce the bugs – all server-side request forgery (SSRF) flaws – according to a blog post published by Australian attack surface management firm Assetnote.

Assetnote also said that HCL Technologies, a CVE Numbering Authority, has declined to file CVEs until remediation steps are available.

WebSphere Portal

HCL DX was known as WebSphere Portal and Web Content Manager until HCL Technologies, an Indian IT multinational, acquired the software from IBM in 2019.

HCL Technologies lists the New York State Senate, Bank of Canada, and MidMichigan Health among the platform’s users.

Assetnote researchers have detected around 3,000 internet-facing instances of the platform.

The alleged vulnerabilities affect WebSphere Portal 9 and potentially newer releases, according to Assetnote.

‘Extremely naive’

Shubham Shah, co-founder and CTO of Assetnote, wrote that the researchers “turned a restrictive, bad SSRF to a good SSRF” after discovering an endpoint that allowed them to redirect requests to an arbitrary URL, then smuggling this ‘redirect gadget’ into the original SSRF payload.

After accessing the source code, Shah said the researchers “found something that seemed extremely naive and frankly, we couldn’t understand why it existed in the first place”: a web proxy system deployed by default but limited to a few ‘trusted’ sites.

One such trusted endpoint – http://www.redbooks.ibm.com/* – ran Lotus Domino to deliver content to users. “[It] turns out, you can slap on ?Logout&RedirectTo=http://example.com to any Lotus Domino page to cause a URL redirection to the URL specified in the RedirectTo parameter,” said Shah.

As a result, an attacker could “pivot to the internal network and/or request cloud metadata endpoints to obtain cloud credentials”, according to a security advisory published by Assetnote.

Unauthenticated attackers could also achieve command execution by uploading a malicious zip file: the extraction routine is vulnerable to directory traversal, which gives the attacker an arbitrary file upload, said Shah.

“If, for whatever reason, a user is able to write an ifcfg-<whatever> script to /etc/sysconfig/network-scripts or it can adjust an existing one, then RCE is possible,” said Shah.

Disclosure timeline

Assetnote said it disclosed its findings to HCL Technologies on September 5, notifying them that they intended to publicly disclose the research on December 5, in line with its 90-day responsible disclosure policy.

After acknowledging this first contact on September 7, the vendor then said on November 8 that it had been unable to reproduce the vulnerabilities, according to Assetnote’s timeline.

Shah claimed that HCL Technologies said on November 23 – its most recent communication – that if Assetnote went ahead with publication, “HCL technologies will cite you as in irresponsible vulnerability disclosure party to the communities that we post to”.

After several reminders about 90-day disclosure, Assetnote eventually published the advisory on December 25 and the blog post on December 26.

Mitigation

Shah said WAF rules cannot be relied on to prevent exploitation of the flaws. Instead, he advised users to modify all proxy-config.xml files in their WebSphere Portal installation so that no origins are whitelisted, and to remove a number of folders, as listed in the blog post, provided their functionality is not needed.
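The proxy design described above fails because it validates only the first request: a trusted origin that hosts an open redirect lets the proxy be steered elsewhere. The following added example (not code from Assetnote, HCL or the product) shows the defensive pattern a proxy allowlist needs: every redirect hop is re-checked against the allowlist and against non-public address ranges. The network is replaced by constructed stand-ins (`fake_send`, `fake_resolve`, a made-up public IP) so it runs offline; the redirect shape mirrors the `RedirectTo` behaviour quoted in the article.

```python
import ipaddress
from urllib.parse import urlsplit, urljoin, parse_qs

ALLOWED_HOSTS = {"www.redbooks.ibm.com"}  # modelled on the origin named in the article
MAX_REDIRECTS = 5

def check_hop(url, resolve):
    """Return a rejection reason for one hop, or None if it is allowed.
    `resolve(host)` maps a hostname to an IP string (socket.gethostbyname in production)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"
    if parts.hostname not in ALLOWED_HOSTS:
        return f"host {parts.hostname!r} not in allowlist"
    try:  # an allowlisted name must also resolve to a public address
        ip = ipaddress.ip_address(resolve(parts.hostname))
    except (OSError, ValueError):
        return f"host {parts.hostname!r} does not resolve"  # fail closed
    if not ip.is_global:  # loopback, RFC 1918, link-local (169.254.169.254), ...
        return f"host {parts.hostname!r} resolves to non-public {ip}"
    return None

def proxy_fetch(url, send, resolve):
    """Follow redirects manually so EVERY hop is validated, not just the first.
    `send(url)` returns (status, headers, body); both callables are injected."""
    for _ in range(MAX_REDIRECTS + 1):
        reason = check_hop(url, resolve)
        if reason:
            return ("blocked", url, reason)
        status, headers, body = send(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])  # re-checked on the next iteration
            continue
        return ("ok", url, body)
    return ("blocked", url, "too many redirects")

# Constructed stand-ins for the network (no I/O): a Domino-style page that answers
# any request carrying RedirectTo= with a 302 to that value, and a fixed resolver.
def fake_send(url):
    q = parse_qs(urlsplit(url).query)
    if "RedirectTo" in q:
        return (302, {"Location": q["RedirectTo"][0]}, b"")
    return (200, {}, b"redbook page")

def fake_resolve(host):
    if host != "www.redbooks.ibm.com":
        raise OSError("no such host")
    return "104.16.1.1"  # constructed public address for the trusted host
```

Calling `proxy_fetch` with a plain Redbooks URL succeeds, while a URL carrying `?Logout&RedirectTo=http://169.254.169.254/...` is stopped at the second hop because the metadata address is not allowlisted.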

The attack surface for WebSphere Portal “is vast and diverse” and “there are many more vulnerabilities yet to be found”, he added.

Assetnote’s Shah told The Daily Swig on December 29 that he had nothing to add to the published blog post at this time.

HCL Technologies has yet to reply to our follow-up questions but we will update the article if and when they do so.

Source: https://portswigger.net/daily-swig/hcl-dx-vendor-could-not-reproduce-allegedly-critical-vulnerabilities


Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO