Introduction
After returning from a recent business trip, I discovered a vulnerability in our company’s BPM system that allows privilege escalation by merely modifying cookies to impersonate another user.
A quick Google search revealed that TWCERT has recently published relevant CVE vulnerability information on this issue.
Although only recently disclosed, this vulnerability likely dates back roughly seven years (from 2017 to 2024). Moreover, the system itself has significant bugs, and subsequent vendor updates appear to have been lackluster.
Vulnerability Disclosure
According to the National Vulnerability Database (NVD), this vulnerability carries a CVSS v3 base score of 8.8, which places it in the High severity band. The root cause is that the system trusts the identity carried in cookies without any integrity check, so the server cannot tell a cookie it issued apart from one the client has edited.
Simply put, it is as if a badge issued for access to a restricted area carried your name in plain text but was neither signed nor verified against a register. Anyone who writes another person's name on the badge can act as that person in the backend, and a name that belongs to nobody can slip past checks that only test whether a name is present at all.
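To make the weakness concrete, the following added example (not code from the affected product or its vendor) contrasts a handler that trusts a `user` cookie as-is with one that only accepts a cookie whose HMAC tag verifies under a server-side secret and whose account actually exists. The account directory, `SECRET_KEY`, cookie name and role names are all assumptions made for the illustration; the "unknown id is still logged in" behaviour of the vulnerable handler stands in for the badge-with-a-nonexistent-name case from the analogy and is not a claim about the real system's code.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed account directory standing in for the BPM system's user table (assumption).
USERS = {
    "e1001": {"name": "Alice", "role": "employee"},
    "e1002": {"name": "Bob", "role": "approver"},
}

# Assumption: a per-deployment secret kept on the server and never sent to clients.
SECRET_KEY = secrets.token_bytes(32)


def _cookie_value(cookie_header: str, name: str):
    """Pull one cookie out of a raw Cookie request header; None if absent."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar[name].value if name in jar else None


# --- Vulnerable pattern: the cookie alone decides who you are -----------------

def vulnerable_current_user(cookie_header: str):
    """Trusts the 'user' cookie verbatim, so any client can rewrite it.

    Ids the directory does not know are still treated as a logged-in
    employee (illustrative stand-in for the 'nonexistent name' case).
    """
    uid = _cookie_value(cookie_header, "user")
    if uid is None:
        return None
    return USERS.get(uid, {"name": uid, "role": "employee"})


# --- Hardened pattern: integrity-protected cookie plus server-side lookup ------

def issue_signed_cookie(uid: str) -> str:
    """Server side: bind the user id to an HMAC-SHA256 tag under SECRET_KEY."""
    if uid not in USERS:
        raise ValueError("refusing to issue a cookie for an unknown account")
    tag = hmac.new(SECRET_KEY, uid.encode(), hashlib.sha256).hexdigest()
    return f"user={uid}.{tag}"


def hardened_current_user(cookie_header: str):
    """Accept the cookie only if the tag verifies and the account exists."""
    value = _cookie_value(cookie_header, "user")
    if value is None:
        return None
    uid, sep, tag = value.rpartition(".")
    if not sep:
        return None  # no tag at all: the client simply wrote a name
    expected = hmac.new(SECRET_KEY, uid.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes, so a forged tag cannot be guessed
    # byte by byte via timing and odd encodings cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None  # tampered or forged
    return USERS.get(uid)  # None for ids the directory does not know


def can_approve(user) -> bool:
    """The workflow right an attacker gains by impersonating an approver."""
    return user is not None and user["role"] == "approver"


def is_logged_in(user) -> bool:
    return user is not None
```

With the vulnerable handler, changing `user=e1001` to `user=e1002` in the browser is enough to obtain approval rights, and `user=nobody` still passes an "is someone logged in" check. With the hardened handler, the edited cookie fails verification because the attacker cannot compute the tag without `SECRET_KEY`, a tag copied from a legitimate cookie no longer matches once the id is changed, and an id outside the directory is rejected even if the tag were somehow valid. A server-side session table keyed by a random token is an equally valid fix; the essential point is that the client must not be able to choose the identity the server acts on.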
Recommended Solutions
According to recommendations from the Taiwan Vulnerability Note (TVN), updating the system to version v5.3.1 or higher should resolve this vulnerability.
However, it’s crucial to keep in mind:
- From my perspective, this system contains numerous potential vulnerabilities and is not recommended for deployment on public networks.
- I believe that v5.3.1 may not entirely resolve all issues associated with this vulnerability.
Impact Scope
- Personal Information Leakage: This includes employee IDs, names (both in English and Chinese), email addresses, and dates of hire.
- Authorization for Process Approval and Rejection: an attacker impersonating an approver gains that user's right to approve or reject workflow items.
Other Unpublished Potential Risks
The file system lacks access control on uploaded files, allowing users to freely access files uploaded by others.
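The check that is missing here is object-level authorization: before serving a file, the server must confirm that the requesting identity owns it or was explicitly granted access. The following added example (not code from the affected product) shows a download handler without that check beside one that enforces it; the file metadata, the `shared_with` field and the log format are assumptions for the illustration. Note that `requester` must come from a verified server-side identity, not from a client-editable cookie like the one described earlier, or the check is only as strong as the cookie.

```python
import logging

log = logging.getLogger("bpm.files")

# Constructed file metadata: who uploaded each file and who it was shared with (assumption).
FILES = {
    "f-100": {"owner": "e1001", "path": "uploads/contract.pdf", "shared_with": set()},
    "f-200": {"owner": "e1002", "path": "uploads/payroll.xlsx", "shared_with": {"e1003"}},
}


class AccessDenied(Exception):
    """Raised for both 'forbidden' and 'no such file' so that file ids
    cannot be enumerated by telling the two responses apart."""


def vulnerable_download(requester: str, file_id: str) -> str:
    """Any authenticated user can fetch any file id: the ownership check is absent."""
    return FILES[file_id]["path"]


def hardened_download(requester: str, file_id: str) -> str:
    """Serve the file only to its owner or to users it was shared with.

    Every refusal is logged with the requester and file id, which gives the
    SOC a signal for someone walking through other users' uploads.
    """
    meta = FILES.get(file_id)
    if meta is None:
        log.warning("file access denied user=%s file=%s reason=unknown-id", requester, file_id)
        raise AccessDenied(file_id)
    if requester != meta["owner"] and requester not in meta["shared_with"]:
        log.warning("file access denied user=%s file=%s reason=not-authorized", requester, file_id)
        raise AccessDenied(file_id)
    return meta["path"]


def is_denied(requester: str, file_id: str) -> bool:
    """Convenience wrapper: True when the hardened handler refuses the request."""
    try:
        hardened_download(requester, file_id)
    except AccessDenied:
        return True
    return False
```

The vulnerable handler returns another employee's payroll file to anyone who knows or guesses its id; the hardened one refuses it, still serves the file to its owner and to the user it was shared with, and answers a nonexistent id in exactly the same way as a forbidden one.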