Researchers say that HCL Digital Experience (DX), a platform for creating and administering online portals, contains several vulnerabilities that might lead to remote code execution (RCE). According to a blog post published by Australian attack surface management firm Assetnote, the vendor, HCL Technologies, initially indicated it couldn’t duplicate the problems, which were all server-side request forgery (SSRF) flaws.
On December 30, five days after Assetnote’s disclosure, HCL Software, a division of HCL Technologies, issued a security advisory with remedies for an SSRF bug credited to Assetnote’s Shubham Shah and a related inefficient regular expression vulnerability.
“It’s our policy to share as soon as remediation/mitigation is possible,” Brian Blackshaw, director of PSIRT Operations at HCL Software, told The Daily Swig.
Portal powered by WebSphere
Until HCL Technologies, an Indian IT conglomerate, bought the product from IBM in 2019, it was known as WebSphere Portal and Web Content Manager.
The New York State Senate, the Bank of Canada, and MidMichigan Health are among the platform’s users, according to HCL Technologies.
Around 3,000 internet-facing instances of the platform were discovered by Assetnote researchers. According to Assetnote, the vulnerabilities affect WebSphere Portal 9 and possibly newer releases.
Trustful Approach
Shubham Shah, co-founder and CTO of Assetnote, reported that the researchers had “turned a restrictive, bad SSRF into a good SSRF” by finding an endpoint that allowed them to redirect requests to an arbitrary URL, smuggle this ‘redirect gadget’ into the original SSRF payload, and open a diagram in a new tab.
According to Shah, the researchers “found something we couldn’t understand why it existed in the first place, as we found it to be extremely naive”: a web proxy system set up by default, but only for a few ‘trusted’ websites.
http://www.redbooks.ibm.com/* was one such trusted endpoint that used Lotus Domino to provide content to consumers.
“It turns out that you can slap on ?logout&RedirectTo=http://example.com to any Lotus Domino page to initiate a URL redirection to the URL supplied in the RedirectTo argument,” Shah explained. According to a security advisory provided by Assetnote, an attacker might “pivot to the internal network and/or access cloud metadata endpoints to gain cloud credentials.”
According to Shah, unauthenticated attackers might potentially gain command execution by submitting a malicious zip file that, once unpacked, is subject to directory traversal and hence arbitrary file upload.
“If a user can write an ifcfg-<whatever> script to /etc/sysconfig/network-scripts or alter an existing one for whatever reason, then RCE is conceivable,” Shah explained.
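One defensive check for the bug class described above (archive entries that escape the extraction directory), as an added example that is not HCL’s or Assetnote’s code: each entry name is resolved against the destination directory before anything is written, and entries that land outside it are rejected. The archive and its entry names are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def is_safe_member(name: str, dest) -> bool:
    """Return True only if archive entry `name` resolves inside `dest`."""
    # Absolute paths (including Windows drive letters) are rejected outright
    if name.startswith(("/", "\\")) or os.path.isabs(name):
        return False
    dest_resolved = Path(dest).resolve()
    target = (dest_resolved / name).resolve()
    try:
        target.relative_to(dest_resolved)  # raises ValueError if outside dest
    except ValueError:
        return False
    return True


def safe_extract(zip_bytes: bytes, dest) -> list:
    """Extract entries that stay within dest; return the names that were rejected."""
    rejected = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest):
                rejected.append(info.filename)  # traversal attempt: skip it
                continue
            zf.extract(info, dest)
    return rejected


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("images/diagram.png", b"PNG-placeholder")
        # Entry name chosen to mimic the network-scripts target quoted above
        zf.writestr("../../etc/sysconfig/network-scripts/ifcfg-eth9", b"# placeholder\n")
    return buf.getvalue()


def demo():
    """Extract the sample archive into a temp dir; return (rejected names, benign file written)."""
    with tempfile.TemporaryDirectory() as d:
        rejected = safe_extract(build_sample_zip(), d)
        benign_written = (Path(d) / "images" / "diagram.png").exists()
    return rejected, benign_written


if __name__ == "__main__":
    print(demo())
```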
Timeline that gets exposed
Assetnote said it informed HCL Technologies of its findings on September 5, notifying them that the research would be made public on December 5, in accordance with its 90-day responsible disclosure policy.
According to Assetnote’s schedule, after acknowledging the first communication on September 7, the vendor responded on November 8 that it had been unable to duplicate the vulnerabilities.
HCL Technologies indicated on November 23 – its most recent message – that if Assetnote went ahead with publication, “HCL technologies will cite you as an irresponsible vulnerability disclosure party to the communities that we post to,” according to Shah. The advisory and blog post were published on December 25 and December 26, respectively, and the fixes were released on December 30.
Safer Action
In the absence of system updates, Shah claims that WAF rules cannot be relied on to prevent the holes from being exploited.
Instead, he recommended that customers change all proxyconfig.xml files in their WebSphere Portal installation so that no origins are whitelisted, and that they remove a number of folders listed in the blog post if their functionality is no longer required. He went on to say that the attack surface for WebSphere Portal is “vast and diverse,” and that “many more vulnerabilities need to be discovered.”
On December 29, Shah of Assetnote told The Daily Swig that he had nothing new to contribute to the company’s previously published blog post.