Dutch research group DIVD has identified multiple vulnerabilitiesin ITarian products. In cooperation with DIVD, ITarian has made patches available to deal with these vulnerabilities for its SaaS platform.
Software as a service (SaaS) is a software distribution model in which a cloud provider hosts applications and makes them available to end users over the internet.
ITarian is a remote access and IT management solution, which helps organizations connect and communicate with their clients and employees. It's typically the sort of tool that Managed Service Providers (MSPs) use to remotely manage their clients.
The Dutch Institute for Vulnerability Disclosure (DIVD) reports vulnerabilities it finds in digital systems to the people who can fix them. It has a global reach, and tries to resolve the vulnerabilities by collaborating with the affected parties. Its services are free and most of the staff work in their free time.
You may have heard about DIVD in our reportsabout the Kaseya supply chain attack, or when Victor Gevers, chair of DIVD, appeared as a guest in our Lock and Code podcastabout Kaseya.
The vulnerabilities affect the following products:
- ITarian SaaS platform (version < 3.49.0): CVE-2022-25151, CVE-2022-25152and a Cross-Site Scripting (XSS)vulnerability in the helpdesk function.
- ITarian on-premise (version 6.35.37347.20040): CVE-2022-25151 and CVE-2022-25152.
- Endpoint Manager Communication Client (version < 7.0.42012.22030): CVE-2022-25153
CVE-2022-25151: Within the Service Desk module of the ITarian platform (both SaaS and on-premise), a remote attacker can obtain sensitive information, caused by the failure to set the HTTP Only flag. A remote attacker could exploit this vulnerability to gain access to the management interface by using this vulnerability in combination with a successful XSS attack on a user.
CVE-2022-25152: The ITarian platform (both SaaS and on-premise) offers the possibility to run code on agents via a function called procedures. It is possible to require a mandatory approval process. Due to a vulnerability in the approval process, present in any version prior to 6.35.37347.20040, a malicious actor, with a valid session token, can create a procedure, bypass approval, and execute the procedure. This results in the ability for any user with a valid session token to perform arbitrary code execution and full system take-over on all agents.
CVE-2022-25153: The ITarian Endpoint Manage Communication Client, prior to version 6.43.41148.21120, is compiled using insecure OpenSSL settings. Due to this setting, a malicious actor with low privileges access to a system can escalate his privileges to SYSTEM abusing an insecure openssl.conf lookup.
OpenSSL is an open source implementation of the SSL/TLS protocol. Applications use this library to secure communications over computer networks against eavesdropping, or to identify the party at the other end.
Cooperation and responsible disclosure
The consequences of these vulnerabilities could have been severe. By chaining the XSS in the helpdesk function with CVE-2022-25152, an attacker would theoretically be able to create a service desk ticket that, when viewed by a user with a valid session token, would execute a workflow on all clients with superuser privileges.
It took a bit of back and forth, but once the DIVD researchers and ITarian’s software engineering team connected directly, a solution for the issues quickly came about. On 18 Feb 2022, the vulnerability in the Endpoint Manager Communications Client was resolved. The other vulnerabilities saw a solution come to live on May 19, 2022.
Planning for the full disclosure by DIVD indicates a date of July 1, 2022. The waiting time before full disclosure is to give users enough time to take appropriate measures.
Version v3.49.0 includes patches for the vulnerabilities in the SaaS service. ITarian controls the upgrade to this version, so it requires no user action.
It is important to note that CVE-2022-25151 and CVE-2022-25152 are still present in the on-premise version of the ITarian platform. Even though ITarian still offers the software for download, this version of the software was discontinued over 2 years ago and ITarian has informed DIVD that it will not be updated. Given the severity (9.9 out of 10) of the vulnerability listed as CVE-2022-25152, users of the on-premise version should look for alternative solutions since this solution has reached end-of-life (EOL).