Critical Security Flaw Reported in Passwordstate Enterprise Password Manager

Cyber Security

Products You May Like

Dec 22, 2022Ravie LakshmananPassword Management

Multiple high-severity vulnerabilities have been disclosed in Passwordstate password management solution that could be exploited by an unauthenticated remote adversary to obtain a user’s plaintext passwords.

“Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application,” Swiss cybersecurity firm modzero AG said in a report published this week.

“Some of the individual vulnerabilities can be chained to gain a shell on the Passwordstate host system and dump all stored passwords in cleartext, starting with nothing more than a valid username.”

Passwordstate, developed by an Australian company named Click Studios, has over 29,000 customers and is used by more than 370,000 IT professionals.

One of the flaws also impacts Passwordstate version 9.5.8.4 for the Chrome web browser. The latest version of the browser add-on is 9.6.1.2, which was released on September 7, 2022.

CyberSecurity

The list of vulnerabilities identified by modzero AG is below –

  • CVE-2022-3875 (CVSS score: 9.1) – An authentication bypass for Passwordstate’s API
  • CVE-2022-3876 (CVSS score: 6.5) – A bypass of access controls through user-controlled keys
  • CVE-2022-3877 (CVSS score: 5.7) – A stored cross-site scripting (XSS) vulnerability in the URL field of every password entry
  • No CVE (CVSS score: 6.0) – An insufficient mechanism for securing passwords by using server-side symmetric encryption
  • No CVE (CVSS score: 5.3) – Use of hard-coded credentials to list audited events such as password requests and user account changes through the API
  • No CVE (CVSS score: 4.3) – Use of insufficiently protected credentials for Password Lists

Exploiting the vulnerabilities could permit an attacker with knowledge of a valid username to extract saved passwords in cleartext, overwrite the passwords in the database, and even elevate privileges to achieve remote code execution.

What’s more, an improper authorization flow (CVSS score: 3.7) identified in the Chrome browser extension could be weaponized to send all passwords to an actor-controlled domain.

In an attack chain demonstrated by modzero AG, a threat actor could forge an API token for an administrator account and exploit the XSS flaw to add a malicious password entry to obtain a reverse shell and grab the passwords hosted in the instance.

Users are recommended to update to Passwordstate 9.6 – Build 9653 released on November 7, 2022, or later versions to mitigate the potential threats.

Passwordstate, in April 2021, fell victim to a supply chain attack that allowed the attackers to leverage the service’s update mechanism to drop a backdoor on customer’s machines.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

The Witcher 4 About to Enter ‘Full-Fledged’ Production Soon, CD Projekt Red Confirms
Brazil’s top court orders nationwide suspension of Elon Musk’s X
X Down? Several Users Report Outage Across the Globe, Including India
Realme P2 Pro Allegedly Spotted on BIS Certification Website, India Launch Seems Imminent
Scientists Uncover Invisible Ambipolar Electric Field Around Earth for First Time, New Study Reveals

Leave a Reply

Your email address will not be published. Required fields are marked *