This week, we have three vulnerabilities: the first in the Cisco Expressway Series and TelePresence video communications service, another vulnerability in self-managed GitLab instances, and a bug affecting a campus access control system. On top of this, we also have views on privacy concerns for APIs.
Vulnerability: Patches for critical issues in Cisco video communications services
This week, Cisco has disclosed two critical flaws affecting their Expressway Series and TelePresence video communications service. The issues are tracked as CVE-2022-20754 and CVE-2022-20755, both scoring high on CVSS at 9.0.
The first vulnerability allowed an authenticated user with read/write access to perform path traversal attacks using the cluster database API. An attacker could use this vulnerability to overwrite arbitrary files on the operating system potentially leading to device takeover. The vulnerability was caused by a failure to fully validate the input that users supplied to the API — a form of injection attack.
The second vulnerability was a command injection vulnerability on the web-based management interface that allowed authenticated users to perform arbitrary command execution. Again, the root cause is insufficient input validation.
Cisco confirmed that they have no evidence that either vulnerability was exploited on live systems, but have nevertheless advised customers to upgrade their systems to the latest version to minimize the likelihood of any exploit.
Vulnerability: Security vulnerability in self-managed GitLab instances
Self-managed versions of the popular CI/CD platform GitLab are vulnerable to attack through a GraphQL API, according to research published this week in TheHackerNews. The vulnerability is tracked as CVE-2021-4191, with a CVSS score of 5.3.
The vulnerability was discovered and reported by a security researcher at Rapid7, and initially disclosed on 18 February 2021. It has been patched in a recent update from GitLab, and all users on self-managed instances are advised to update their installations as soon as possible.
The vulnerability allowed an unauthenticated user (API2:2019 — Broken authentication) to access a GraphQL endpoint and collect private information of other registered users, such as names and email addresses. These details could be invaluable to attackers performing initial reconnaissance of installations, leading to brute-forcing or guessing of passwords.
Estimates suggest that a large number of GitLab installations could be affected by this vulnerability.
Vulnerability: Security bug affects campus access control system
The third and final vulnerability this week affects an access control system for a campus: a curious user discovered that the backend API of the mobile application did not authenticate users (another case of API2:2019 — Broken authentication). Effectively, this vulnerability gave an attacker a “master key” to all doors controlled by the system.
University student Erik Johnson had become frustrated at the poor performance of the GET Mobile application that controlled access to campus buildings, and used elementary network monitoring to understand the behavior of the application. He discovered that he had to submit location coordinates to validate proximity with the targeted door, but this could easily be spoofed through an API.
Johnson then made a startling observation: the API endpoints did not actually validate a student’s credentials. This meant that anyone who knew easily available identifiers (like student IDs, usernames, or email addresses) could access the target’s account, which together with the ability to unlock doors at known locations resulted in a digital “master key”.
Johnson attempted to report the vulnerability to the solution developer CBORD, but hit a wall there so resorted to disclosure through TechCrunch. Reports suggest the same company has been affected by a similar vulnerability in 2009.
This vulnerability has since been acknowledged and fixed by CBORD, who has also revoked all session keys of affected systems. It is unknown whether the bug was exploited for any malicious access, or whether users have been informed of the issue.
Article: Privacy becomes an increasing concern for APIs
Finally this week we feature an article highlighting the growing concerns on data privacy in relation to APIs. The principal function of an API is as a conduit for data. With increasing connectivity and API growth, APIs are becoming the number one attack vector for information breaches.
The underlying causes of information breaches in APIs include, for example:
- Broken or missing user authentication (this week we featured two instances of API2:2019 — Broken authentication)
- Poorly implement access controls, either at the function or object level
- Incomplete inventory or asset management
- Failures in data classification and access controls
- Poor governance
Get API Security news directly in your Inbox.
By clicking Subscribe you agree to our Data Policy