Several critical security vulnerabilities have been found in the Passwordstate password management solution. The flaws can be leveraged by a cybercriminal to steal a user’s plaintext passwords.
Passwordstate, owned by the Australian company Click Studios, has over 29,000 customers, and more than 370,000 IT professionals use it.
Details About the Vulnerabilities and How They Can Be Used
A remote threat actor needs only a valid username to exploit these flaws in order to steal passwords from the password management solution, erase all stored passwords in the database, or elevate their application permissions to achieve remote code execution, modzero AG explains in a report.
The individual vulnerabilities can be chained to gain a shell on the Passwordstate host system and dump all stored passwords in cleartext.
One of the recently discovered bugs affects Passwordstate version 9.5.8.4 for the Chrome web browser; version 9.6.1.2 was released on September 7, 2022.
The list of vulnerabilities via The Hacker News:
- CVE-2022-3875 (CVSS score: 9.1) – An authentication bypass for Passwordstate’s API
- CVE-2022-3876 (CVSS score: 6.5) – A bypass of access controls through user-controlled keys
- CVE-2022-3877 (CVSS score: 5.7) – A stored cross-site scripting (XSS) vulnerability in the URL field of every password entry
- No CVE (CVSS score: 6.0) – An insufficient mechanism for securing passwords by using server-side symmetric encryption
- No CVE (CVSS score: 5.3) – Use of hard-coded credentials to list audited events such as password requests and user account changes through the API
- No CVE (CVSS score: 4.3) – Use of insufficiently protected credentials for Password Lists
An incorrect authorization vulnerability (CVSS score: 3.7) in Chrome could be used to extract all the passwords to an actor-controlled environment.
“In an attack chain demonstrated by modzero AG, a threat actor could forge an API token for an administrator account and exploit the XSS flaw to add a malicious password entry to obtain a reverse shell and grab the passwords hosted in the instance,” according to The Hacker News.
Customers are advised to update to Passwordstate 9.6 – Build 9653. This is not the only attack on Passwordstate: the platform was the victim of a supply chain attack in April 2021.