On January 18, 2024, the LedgerSMB project was advised of a security
vulnerability in its code. Our security advisory follows below.


   Privilege escalation through CSRF attack on 'setup.pl'


Summary:
========

When a LedgerSMB database administrator has an active session in /setup.pl,
an attacker can trick the admin into clicking on a link which automatically
submits a request to setup.pl without the admin's consent.  This request can
be used to create a new user account with full application (/login.pl)
privileges, leading to privilege escalation.


Known vulnerable:
=================

All of:

- 1.3.0 up to 1.3.47 (inclusive)
- 1.4.0 up to 1.4.42 (inclusive)
- 1.5.0 up to 1.5.30 (inclusive)
- 1.6.0 up to 1.6.33 (inclusive)
- 1.7.0 up to 1.7.32 (inclusive)
- 1.8.0 up to 1.8.31 (inclusive)
- 1.9.0 up to 1.9.30 (inclusive)
- 1.10.0 up to 1.10.29 (inclusive)
- 1.11.0 up to 1.11.8 (inclusive)


Known fixed:
============

- 1.10.30
- 1.11.9


Details:
========

CSRF is an attack that tricks the victim into submitting a malicious request. It
inherits the identity and privileges of the victim to perform an undesired function
on the victim’s behalf [^1].

To perform the attack, an attacker needs to know the name of the database for
which they want to create a user.  Consequently, when LedgerSMB is used to maintain
multiple company administrations, a separate attack is needed for each company: a
single attack grants access to a single company only.  However, if companies share
user accounts, the attacker can use those shared accounts to reach the other companies
with the rights those accounts hold there.

In this specific attack, the victim must be a /setup.pl administrator with an
active session.  Note that the resulting user does *not* have full access to
/setup.pl, but *does* have full access to /login.pl for a single company.
The resulting user can therefore *not* be used to create database backups; the
attack itself, however, can be used by the attacker to perform any action
supported by setup.pl.


[^1]: https://owasp.org/www-community/attacks/csrf
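The defence against the request forgery described above, as an added illustration that is not LedgerSMB's own Perl code and does not describe the fix shipped in 1.10.30 and 1.11.9: a Python sketch of a per-session synchronizer token combined with an Origin/Referer comparison, which rejects a state-changing request that a third-party page auto-submits while the administrator's session cookie is still attached. The site origin, cookie name, session identifier and secret are constructed assumptions.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://ledger.example.com"  # assumed deployment origin (constructed)
SECRET = secrets.token_bytes(32)  # server-side secret; generated per process here, persisted in practice


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Per-session token to embed as a hidden field in every form setup.pl renders."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(req: dict, secret: bytes) -> tuple:
    """Decide whether a request may proceed; req carries method, headers, cookies and form."""
    if req["method"].upper() in ("GET", "HEAD", "OPTIONS"):
        # Safe methods must never perform admin actions, so the token check is for mutating requests.
        return True, "safe method"
    session_id = req["cookies"].get("session")  # cookie name is an assumption
    if session_id is None:
        return False, "no active session"
    # Step 1: the browser-set Origin (or, failing that, Referer) must name our own site.
    source = req["headers"].get("Origin") or req["headers"].get("Referer")
    if source is None:
        return False, "missing Origin/Referer on state-changing request"
    got, want = urlsplit(source), urlsplit(SITE_ORIGIN)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        return False, f"cross-site request from {got.scheme}://{got.netloc}"
    # Step 2: the submitted token must match the one issued for this session (constant-time compare).
    expected, got_token = issue_csrf_token(session_id, secret), req["form"].get("csrf_token", "")
    if not hmac.compare_digest(expected.encode(), got_token.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def run_demo() -> dict:
    """Run the check over constructed requests; returns {case: (allowed, reason)}."""
    sid = "sess-1234"  # constructed session identifier; the admin's browser sends it on every request
    cookie, token = {"session": sid}, issue_csrf_token(sid, SECRET)
    cases = {
        # Form rendered by setup.pl itself: same origin, valid token.
        "legit_post": {"method": "POST", "headers": {"Origin": SITE_ORIGIN}, "cookies": cookie, "form": {"csrf_token": token}},
        # Auto-submitted from a third-party page: the cookie rides along, but the origin differs.
        "cross_site_post": {"method": "POST", "headers": {"Origin": "https://third-party.example"}, "cookies": cookie, "form": {}},
        # Same origin, but a token issued for a different session.
        "wrong_token": {"method": "POST", "headers": {"Origin": SITE_ORIGIN}, "cookies": cookie, "form": {"csrf_token": issue_csrf_token("other", SECRET)}},
        "read_only": {"method": "GET", "headers": {}, "cookies": cookie, "form": {}},
    }
    return {name: csrf_check(r, SECRET) for name, r in cases.items()}
```

Either check alone closes the hole described in this advisory; keeping both means a stripped Referer or a leaked token is still not enough on its own.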


Severity:
=========

CVSSv3.1 Base Score: 7.5 (HIGH)

CVSSv3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSSv3.1 Temporal Score (base vector with temporal metrics): 6.7 (MEDIUM)
  CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C


https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C&version=3.1


Recommendations:
================

We recommend that all users upgrade to a known-fixed version.  Versions
prior to 1.10 are end-of-life and will not receive security fixes from
the LedgerSMB project.

Users who cannot upgrade their 1.10 or 1.11 installations may apply the
included patches, or are advised to contact a vendor for custom support.

As a workaround, installations may choose not to expose or use /setup.pl,
and instead use the command-line application "ledgersmb-admin" to perform
administrative tasks.  Password resets can be performed with regular
/login.pl functionality or through PostgreSQL's "psql" command-line tool.


References:
===========


CVE-2024-23831  (LedgerSMB)

https://ledgersmb.org/cve-2024-23831-setup-csrf

https://twelvesec.com/2024/02/02/cve-2024-23831


Reported by:
============


Georgios Roumeliotis (TwelveSec [twelvesec.com])



--
Bye,

Erik.

http://efficito.com -- Hosted accounting and ERP.
Robust and Flexible. No vendor lock-in.