{"id":19318,"date":"2022-06-13T05:10:04","date_gmt":"2022-06-13T13:10:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/06\/13\/news-13051\/"},"modified":"2022-06-13T05:10:04","modified_gmt":"2022-06-13T13:10:04","slug":"news-13051","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/06\/13\/news-13051\/","title":{"rendered":"Serious vulnerabilities found in ITarian software, patches available for SaaS products"},"content":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Mon, 13 Jun 2022 12:25:19 +0000<\/strong><\/p>\n<p>Dutch research group <a href=\"https:\/\/csirt.divd.nl\/cases\/DIVD-2021-00037\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">DIVD has identified multiple vulnerabilities<\/a> in ITarian products. In cooperation with DIVD, ITarian has made patches available to deal with these vulnerabilities for its SaaS platform.<\/p>\n<p>Software as a service (SaaS) is a software distribution model in which a cloud provider hosts applications and makes them available to end users over the internet.<\/p>\n<h2>ITarian<\/h2>\n<p>ITarian is a remote access and IT management solution, which helps organizations connect and communicate with their clients and employees. It&#8217;s typically the sort of tool that Managed Service Providers (MSPs) use to remotely manage their clients.<\/p>\n<h2>DIVD<\/h2>\n<p>The Dutch Institute for Vulnerability Disclosure (DIVD) reports vulnerabilities it finds in digital systems to the people who can fix them. It has a global reach, and tries to resolve the vulnerabilities by collaborating with the affected parties. 
Its services are free and most of the staff work in their free time.<\/p>\n<p>You may have heard about DIVD in our <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2021\/07\/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients\/\">reports<\/a> about the Kaseya supply chain attack, or when Victor Gevers, chair of DIVD, appeared as a guest in our <a href=\"https:\/\/blog.malwarebytes.com\/podcast\/2021\/07\/seven-or-eight-zero-days-kaseya-vsa-victor-gevers-lock-and-code-s02e13\/\">Lock and Code podcast<\/a> about Kaseya.<\/p>\n<h2>Affected products<\/h2>\n<p>The vulnerabilities affect the following products:<\/p>\n<ul>\n<li>ITarian SaaS platform (version &lt; 3.49.0): <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2022-25151\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CVE-2022-25151<\/a>, <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2022-25152\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CVE-2022-25152<\/a> and a <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/cross-site-scripting-xss\/\">Cross-Site Scripting (XSS)<\/a> vulnerability in the helpdesk function.<\/li>\n<li>ITarian on-premise (version 6.35.37347.20040): CVE-2022-25151 and CVE-2022-25152.<\/li>\n<li>Endpoint Manager Communication Client (version &lt; 7.0.42012.22030): <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2022-25153\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CVE-2022-25153<\/a><\/li>\n<\/ul>\n<h2>The vulnerabilities<\/h2>\n<p><strong>CVE-2022-25151<\/strong>: Within the Service Desk module of the ITarian platform (both SaaS and on-premise), a remote attacker can obtain sensitive information because a cookie is issued without the HttpOnly flag. 
An attacker who can also run script in a user's browser, for instance through the XSS in the helpdesk function, can read that cookie from the page and use it to gain access to the management interface.<\/p>\n<p><strong>CVE-2022-25152<\/strong>: The ITarian platform (both SaaS and on-premise) can run code on agents via a function called procedures, and it is possible to require a mandatory approval step before a procedure runs. Due to a vulnerability in the approval process, present in any version prior to 6.35.37347.20040, a malicious actor with a valid session token can create a procedure, bypass approval, and execute it. As a result, any user with a valid session token can achieve arbitrary code execution and full system takeover on all agents.<\/p>\n<p><strong>CVE-2022-25153<\/strong>: The ITarian Endpoint Manager Communication Client, prior to version 6.43.41148.21120, is compiled using insecure OpenSSL settings. Because of this setting, a malicious actor with low-privileged access to a system can escalate to SYSTEM by abusing an insecure openssl.conf lookup, that is, the library looks for its configuration file in a location such a user can influence.<\/p>\n<p>OpenSSL is an open source implementation of the SSL\/TLS protocols. Applications use this library to secure communications over computer networks against eavesdropping, or to identify the party at the other end.<\/p>\n<h2>Cooperation and responsible disclosure<\/h2>\n<p>The consequences of these vulnerabilities could have been severe. By chaining the XSS in the helpdesk function with CVE-2022-25152, an attacker would theoretically be able to create a service desk ticket that, when viewed by a user with a valid session token, would execute a workflow on all clients with superuser privileges.<\/p>\n<p>It took a bit of back and forth, but once the DIVD researchers and ITarian\u2019s software engineering team connected directly, a solution for the issues quickly came about. On 18 Feb 2022, the vulnerability in the Endpoint Manager Communication Client was resolved. 
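In general, an insecure openssl.conf lookup of the kind described for CVE-2022-25153 means that libcrypto reads openssl.cnf from the directory compiled in as OPENSSLDIR (unless the OPENSSL_CONF environment variable overrides it, which a low-privileged user cannot do for a SYSTEM service), and that this directory lies somewhere an unprivileged user can create or write to. A planted configuration can instruct the library to load attacker-chosen code, which then runs with the privileges of the process that initialised OpenSSL. The script below is an added example of how to triage that on an installed agent; it is not ITarian's, DIVD's or OpenSSL's code. It recovers OPENSSLDIR from the version string libcrypto embeds (the same text `openssl version -d` prints) and judges whether that path sits in a protected tree. The byte blob is a constructed stand-in for a DLL, and the paths inside it are hypothetical; on a live host the on-disk ACL is what decides.

```python
"""Recover the compiled-in OPENSSLDIR from a libcrypto binary and flag risky locations.

Added example prompted by the CVE-2022-25153 description above; it is not
ITarian's, DIVD's or OpenSSL's code. SAMPLE_LIBCRYPTO is a constructed stand-in
for a DLL and the paths inside it are hypothetical.
"""
import os
import re
from pathlib import PurePosixPath, PureWindowsPath
from typing import Dict, Optional

# libcrypto embeds this literal (it is what `openssl version -d` prints), so the
# directory the library will search for openssl.cnf can be read off the binary.
OPENSSLDIR_RE = re.compile(rb'OPENSSLDIR: "([^"]+)"')

# Constructed stand-in for a libcrypto DLL: a few NUL-separated version strings.
SAMPLE_LIBCRYPTO = (
    b"\x00\x00OpenSSL 1.1.1 (constructed sample)\x00"
    b'OPENSSLDIR: "C:\\OpenSSL-Win64\\bin\\ssl"\x00'
    b'ENGINESDIR: "C:\\OpenSSL-Win64\\lib\\engines-1_1"\x00'
)

# Trees that unprivileged users cannot write to by default. Anything outside
# them (a folder directly under the drive root, a build user's home directory)
# is suspect: an unprivileged user may be able to create the directory if it
# is missing, or drop a file into it if it exists.
WINDOWS_PROTECTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
POSIX_PROTECTED_PREFIXES = ("/usr", "/etc", "/opt")


def extract_openssldir(blob: bytes) -> Optional[str]:
    """Return the compiled-in OPENSSLDIR, or None if the marker is absent."""
    match = OPENSSLDIR_RE.search(blob)
    return match.group(1).decode("utf-8", "replace") if match else None


def classify_openssldir(path: str) -> str:
    """Judge the path string alone: 'protected' or 'unprotected'.

    This is a triage heuristic; the on-disk ACL decides (see check_on_disk).
    """
    if re.match(r"^[A-Za-z]:[\\/]", path) or "\\" in path:
        norm = str(PureWindowsPath(path)).lower()
        if not norm.endswith("\\"):
            norm += "\\"
        return "protected" if norm.startswith(WINDOWS_PROTECTED_PREFIXES) else "unprotected"
    norm = str(PurePosixPath(path))
    protected = any(norm == p or norm.startswith(p + "/") for p in POSIX_PROTECTED_PREFIXES)
    return "protected" if protected else "unprotected"


def check_on_disk(path: str) -> Dict[str, object]:
    """Live check for the host this runs on.

    The dangerous case for a privileged service is a *missing* OPENSSLDIR whose
    nearest existing ancestor is writable: whoever creates the directory first
    owns the openssl.cnf the service will load. On Windows os.access() only
    reflects the read-only attribute, so confirm with icacls before concluding.
    """
    exists = os.path.isdir(path)
    anchor = path
    while anchor and not os.path.isdir(anchor):
        parent = os.path.dirname(anchor.rstrip("\\/"))
        if parent == anchor:
            break
        anchor = parent
    return {
        "exists": exists,
        "writable": exists and os.access(path, os.W_OK),
        "creatable": (not exists) and bool(anchor) and os.access(anchor, os.W_OK),
        "nearest_existing": anchor,
    }


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE_LIBCRYPTO
    found = extract_openssldir(blob)
    print("OPENSSLDIR:", found)
    if found:
        print("location:", classify_openssldir(found))
        print("on this host:", check_on_disk(found))
```

Point it at the libcrypto DLL (or statically linked executable) shipped with an agent; a path that is classified as unprotected, and on the host either already writable or creatable by a standard user, is the condition to escalate to whichever service initialises OpenSSL from that binary.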
The other vulnerabilities were fixed on May 19, 2022.<\/p>\n<p>DIVD plans full disclosure for July 1, 2022. The waiting period before full disclosure gives users time to take appropriate measures.<\/p>\n<h2>Mitigation<\/h2>\n<p>Version 3.49.0 includes the patches for the vulnerabilities in the SaaS service. ITarian controls the upgrade to this version, so it requires no user action.<\/p>\n<p>It is important to note that CVE-2022-25151 and CVE-2022-25152 are still present in the on-premise version of the ITarian platform. Even though ITarian still offers the software for download, this version was discontinued more than two years ago and ITarian has informed DIVD that it will not be updated. Given the severity score (9.9 out of 10) of CVE-2022-25152, users of the on-premise version should look for alternative solutions, since the product has reached end-of-life (EOL).<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2022\/06\/serious-vulnerabilities-found-in-itarian-software-patches-available-for-saas-products\/\">Serious vulnerabilities found in ITarian software, patches available for SaaS products<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Mon, 13 Jun 2022 12:25:19 +0000<\/strong><\/p>\n<p>Researchers at DIVD found vulnerabilities in ITarian products and worked with the vendor to develop patches. 
These patches are now available.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2022\/06\/serious-vulnerabilities-found-in-itarian-software-patches-available-for-saas-products\/\">Serious vulnerabilities found in ITarian software, patches available for SaaS products<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[26506,26507,26508,26509,22783,26510,12756,12721,15775],"class_list":["post-19318","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cve-2022-25151","tag-cve-2022-25152","tag-cve-2022-25153","tag-divd","tag-exploits-and-vulnerabilities","tag-itarian","tag-msp","tag-saas","tag-xss"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19318","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19318"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19318\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19318"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19318"},{"taxonomy":"post_tag","embedda
ble":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19318"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}