DIVD-2021-00037 - Critical vulnerabilities in ITarian MSP platform and on-premise solution
Field | Value |
---|---|
Our reference | DIVD-2021-00037 |
Case lead | Victor Gevers |
Author | |
Researcher(s) | |
CVE(s) | |
Products | |
Recommendation | Update the ITarian Endpoint Manager Communication Client wherever possible. Stop using the On-Premise version. |
Patch status | Not patched |
Status | Closed |
Last modified | 02 Nov 2022 21:18 CET |
Summary
DIVD researchers have identified multiple vulnerabilities in ITarian products. The vulnerabilities have been found in the following products:
- ITarian SaaS platform (version < 3.49.0)
- ITarian on-premise (version 6.35.37347.20040)
- Endpoint Manager Communication Client (version < 7.0.42012.22030)
The ITarian platform (SaaS and on-premise) was found to be vulnerable to:
- CVE-2022-25151, Session cookie not protected by HttpOnly flag (ITarian SaaS platform / on-premise)
- CVE-2022-25152, Creation of procedure and bypass approvals by any user with a valid session token (ITarian SaaS platform / on-premise)
Endpoint Manager Communication Client was vulnerable to:
- CVE-2022-25153, Endpoint Manager agent local privilege escalation
The SaaS platform had an additional vulnerability:
- A Cross-Site Scripting (XSS) vulnerability in the helpdesk function
On 18 Feb 2022, the vulnerability in the Endpoint Manager Communication Client was resolved. The other vulnerabilities were resolved on 19 May 2022.
The coordinated vulnerability process worked but suffered from a communications breakdown, which caused a serious delay in the issues being resolved. However, once there was a direct communications line between DIVD researchers and ITarian’s software engineering, the issues were resolved quickly.
The consequences of these vulnerabilities could have been severe. By chaining the XSS in the helpdesk function with CVE-2022-25152, an attacker would theoretically be able to create a service desk ticket that, when viewed by a user with a valid session token, would execute a workflow on all clients with superuser privileges. It is a small consolation that the service desk module is not turned on by default.
It is important to note that CVE-2022-25151 and CVE-2022-25152 are still present in the on-premise version of the ITarian platform. Even though ITarian still offers the software for download, this version of the software was discontinued over 2 years ago and ITarian has informed us that it will not be updated.
What you can do
All users of ITarian products should be aware of the privilege escalation in the Endpoint Manager Communication Client on Windows. This agent is installed by default on all Windows systems managed via either the SaaS or the on-premise version of ITarian and allowed an attacker with low-privileged access to the system to escalate privileges to SYSTEM. We advise users to update this agent to at least version v7.0.42012.22030.
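As an added example (not DIVD's or ITarian's code), the following PowerShell check reads the installed agent version from the standard Windows Uninstall registry keys and compares it with the fixed version named above. It assumes the agent is registered there with a DisplayName containing "Communication Client"; that pattern is an assumption and may need adjusting.

```powershell
# Added example: verify the Endpoint Manager Communication Client is at or above
# the version in which CVE-2022-25153 was fixed. Run as an administrator.
$FixedVersion = [version]'7.0.42012.22030'   # fixed version from the advisory
$NamePattern  = 'Communication Client'       # assumption: substring of the DisplayName

# Standard Uninstall hives (64-bit and 32-bit registrations)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$agents = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*$NamePattern*" -and $_.DisplayVersion }

if (-not $agents) {
    Write-Output "No entry matching '$NamePattern' found under the Uninstall keys."
    return
}

foreach ($agent in $agents) {
    # Keep only the dotted numeric part; DisplayVersion may carry a 'v' prefix or suffix text
    $raw = [regex]::Match($agent.DisplayVersion, '\d+(\.\d+)+').Value
    if (-not $raw) {
        Write-Output "$($agent.DisplayName): cannot parse version '$($agent.DisplayVersion)'"
        continue
    }
    $installed = [version]$raw
    if ($installed -ge $FixedVersion) {
        Write-Output "$($agent.DisplayName) $installed is at or above $FixedVersion (CVE-2022-25153 fixed)"
    } else {
        Write-Output "$($agent.DisplayName) $installed is BELOW $FixedVersion - update required (CVE-2022-25153)"
    }
}
```

Run it through your RMM or configuration management tooling to inventory the whole fleet rather than a single host.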
The vulnerabilities we reported in the SaaS service have all been resolved in version v3.49.0. This is an upgrade performed by ITarian, and no user action is required.
ITarian has informed us that support for their on-premise solution ceased over two years ago and that the vulnerabilities we found will therefore not be fixed in this version. Given the seriousness of the vulnerabilities and the power of the platform, we recommend that those using the on-premise version:
- a. Investigate alternative solutions, either the ITarian SaaS service or another on-premise product, as this product is no longer supported;
- b. Fully disconnect the ITarian on-premise solution from the internet; and
- c. Do not rely upon the permissions and approvals model built into ITarian.
What we are doing
We have worked with ITarian to the best of our abilities to get these vulnerabilities fixed in a timely manner.
At this moment in time, we have identified a very limited number of ITarian on-premise installations that are still internet accessible. We will try to contact the owners of these installations to warn them.
Timeline
Date | Description |
---|---|
01 Dec 2021 | Three vulnerabilities discovered |
01 Dec 2021 | Additional vulnerability discovered |
06 Jan 2022 | Vulnerabilities reported to Brad Miller, the ITarian CEO, via email, but the email bounced |
06 Jan 2022 | Vulnerabilities reported to ITarian support via email |
11 Jan 2022 | We were able to reach a contact at a sister company of ITarian via LinkedIn |
12 Jan 2022 | Reported the detailed findings to our contact via email. Contact reports that the details of the vulnerabilities have been forwarded to the ITarian CEO and that the information was received. |
12 Jan 2022 - 19 Jan 2022 | Time to acknowledge receipt |
19 Jan 2022 | Our contact confirms receipt of the details and states that he ‘will verify this with my engineering team and let you know’ |
14 Feb 2022 | Released a TLP-Amber warning to Trusted Information Sharing Partners |
12 Jan 2022 - 18 Feb 2022 | Time to acknowledge CVE-2022-25153 |
18 Feb 2022 | Unknown to us, ITarian patches CVE-2022-25153 in version v7.0.42012.22030 of the Endpoint Manager Communication Client |
12 Jan 2022 - 18 Feb 2022 | Time to patch CVE-2022-25153 |
28 Apr 2022 | Informed our contact, the ITarian Chairman & Founder, CEO, CMO, and CISO via LinkedIn, as well as Support and Sales via email, of pending publication on 1 Jun 2022 |
29 Apr 2022 | DIVD gets introduced to a Technical Executive at ITarian/Comodo; remediation process starts |
05 May 2022 | DIVD and the Technical Executive have an in-depth conversation. ITarian acknowledges CVE-2022-25151 and CVE-2022-25152 as well as the XSS in the helpdesk function |
12 Jan 2022 - 05 May 2022 | Time to acknowledge CVE-2022-25151, CVE-2022-25152, and XSS |
19 May 2022 | CVE-2022-25151, CVE-2022-25152 and XSS patched in SaaS version |
12 Jan 2022 - 19 May 2022 | Time to patch CVE-2022-25151, CVE-2022-25152, and XSS |
12 Jan 2022 - 08 Jun 2022 | Time to (limited) public disclosure |
08 Jun 2022 | DIVD publicly releases limited information about the vulnerabilities |
12 Jan 2022 - 01 Jul 2022 | Time to full public disclosure |
01 Jul 2022 | Planned full disclosure |
10 Aug 2022 | Full disclosure |
10 Oct 2022 | Case closed |
More information: