CVE-2023-33282 - Marval MSM uses unsafe default credentials

Description

Marval MSM < v15.1 has a System account with default credentials. A remote attacker is able to login and create a valid session which makes it possible to make backend calls to certain endpoints in the application.

CVSS Score

9.1 - Critical

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details of the vulnerability

When Marval is installed, the database password for the System account is set to a default password.

This System account is supposed to only be used by Marval itself. It’s however possible to initiate a session using the credentials stored in the database. Even though logging in with this account will not render a working GUI, the session itself can be used to access certain API and Backend functions.

The issues was identified in Marval MSM 14.14.1.9910. The vendor released a fix in version 15.1 which was released six month ahead of the normal release schedule.

Remediation

Change the password for the System user in the database or set it to NULL.

Upgrade to version 15.1 or later.

Vulnerability Disclosure Policy and Timeline

Vulnerabilites are disclosed, if not fixed earlier, after a minimum of 90 days from being reported to the vendor. If a patch is made available we give another 30 days in addition to the initial 90 days (90+30). This is to ensure that the vendor can inform customers and give them sufficient time to patch any vulnerable systems. We make all effort in to providing sufficient time for vendors to create and make patches available to the public before disclosure. For any questions regarding our vulnerability disclosures, feel free to contact us.

• 2022-06-30: Vulnerability discovery
• 2022-07-04: Vulnerability reported to and acknowledged by vendor
• 2022-07-14: Vendor releases out-of-band fix in version 15.1
• 2022-08-25: Vendor follow-up
• 2022-09-15: Vendor follow-up
• 2023-05-15: CVE requested from Mitre
• 2023-05-16: Vulnerability reported to CERT-SE
• 2023-05-22: CVE ID assigned: CVE-2023-33282
• 2023-05-22: Vendor informed of upcoming disclosure and remediation recommendations requested
• 2023-05-25: Vendor follow-up and remediation suggestions from vendor
• 2023-06-07: Vulnerability disclosure

Vendor response

This vulnerability was resolved under ticket MSM-6514 in version 15.1 (2022-07-14), which is not an LTS release, however we considered it important enough to resolve 6 months ahead of our normal hardening schedule.

The Marval Pen Test policy dictates at a minimum that once a year, a release is security hardened by outsourcing penetration testing to a certified partner and subsequent rectifying the serious and critical issues prior to release. This release is called a long-term support release (LTS) and made available between January-February each year.

Credits

• Linus Kimselius @ Cyberskydd - www.cyberskydd.se
• Johan Hortling @ Knowit Secure AB

References

• Marval Software