[SECURITY] Security advisory for CVE-2024-23831 (CSRF attack on setup.pl)
On January 18 2024, the LedgerSMB project was advised of a security vulnerability in the code. Please see below our security advisory.

Privilege escalation through CSRF attack on 'setup.pl'

Summary:
========

When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking a link that automatically submits a request to setup.pl without the admin's consent. This request can be used to create a new user account with full application (/login.pl) privileges, leading to privilege escalation.

Known vulnerable:
=================

All of:
- 1.3.0 up to 1.3.47 (inclusive)
- 1.4.0 up to 1.4.42 (inclusive)
- 1.5.0 up to 1.5.30 (inclusive)
- 1.6.0 up to 1.6.33 (inclusive)
- 1.7.0 up to 1.7.32 (inclusive)
- 1.8.0 up to 1.8.31 (inclusive)
- 1.9.0 up to 1.9.30 (inclusive)
- 1.10.0 up to 1.10.29 (inclusive)
- 1.11.0 up to 1.11.8 (inclusive)

Known fixed:
============

- 1.10.30
- 1.11.9

Details:
========

CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf [^1].

To successfully perform the attack, an attacker needs to know the name of the database for which they want to create a user. That is: when LedgerSMB is used to maintain multiple company administrations, multiple attacks need to be performed to gain access to all of them. A single attack gains access to a single company only; however, if companies share users, the attacker can use those shared accounts to gain access to the other companies with the rights of the affected user accounts.

In this specific attack, the victim must be an administrator of /setup.pl with an active session. It should be noted that the resulting user does *not* have full access to /setup.pl, but *does* have full access to /login.pl for a single company. This means that the resulting user can therefore *not* be used to create database backups; however, the attack itself can be used by the attacker to perform any action supported by setup.pl.

[^1]: https://owasp.org/www-community/attacks/csrf

Severity:
=========

CVSSv3.1 Base Score: 7.5 (HIGH)
CVSSv3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSSv3.1 Base Score & Vector (with temporal score): 6.7 (MEDIUM)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C&version=3.1

Recommendations:
================

We recommend that all users upgrade to known-fixed versions. Versions prior to 1.10 are end-of-life and will not receive security fixes from the LedgerSMB project. Users who cannot upgrade their 1.10 and 1.11 versions may apply the included patches, or are advised to contact a vendor for custom support.

As a workaround, installations may choose not to expose or use /setup.pl, instead using the command line application "ledgersmb-admin" to perform administrative tasks. Password resets can be performed with regular /login.pl functionality or through PostgreSQL's "psql" command line tool.

References:
===========

CVE-2024-23831 (LedgerSMB)
https://ledgersmb.org/cve-2024-23831-setup-csrf
https://twelvesec.com/2024/02/02/cve-2024-23831

Reported by:
============

Georgios Roumeliotis (TwelveSec [twelvesec.com])

--
Bye, Erik.

http://efficito.com -- Hosted accounting and ERP. Robust and Flexible. No vendor lock-in.
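The Details section describes the gap: setup.pl accepted a state-changing request that carried nothing but the admin's session cookie, which the browser attaches to a cross-site form post automatically. As an added illustration (not LedgerSMB's own Perl code), the check below shows the standard mitigation: reject a state-changing request unless its Origin matches the deployment and it carries a per-session synchronizer token that an attacker's page cannot read. The site origin, the request model and the form parameter names are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://erp.example.test"          # constructed deployment origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Session:
    """Server-side session; the token is bound to it, not sent as a bare cookie."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    form: Dict[str, str]
    session: Optional[Session]   # resolved from the session cookie by the server


def csrf_check(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Both checks must pass for a state change."""
    if req.method not in STATE_CHANGING:
        return True, "read-only method"
    if req.session is None:
        return False, "no authenticated session"
    # Check 1: browsers attach Origin (or at least Referer) to cross-site
    # form posts; anything not from our own origin is rejected outright.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False, "missing Origin/Referer"
    parts = urlsplit(src)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False, f"cross-site request from {parts.netloc}"
    # Check 2: synchronizer token, compared in constant time.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        return False, "missing or mismatched csrf_token"
    return True, "ok"


# Constructed sample: an admin session, a forged cross-site post to setup.pl
# (hypothetical "action"/"username" fields) and a legitimate same-site post.
ADMIN = Session(user="setup-admin")
FORGED = Request("POST", "/setup.pl", {"Origin": "https://attacker.example"},
                 {"action": "create_user", "username": "newuser"}, ADMIN)
LEGIT = Request("POST", "/setup.pl", {"Origin": SITE_ORIGIN},
                {"action": "create_user", "username": "newuser",
                 "csrf_token": ADMIN.csrf_token}, ADMIN)
```

The Origin check alone is defence in depth; the token check is what closes the hole even when a proxy strips headers, which is why both are applied.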
participants (1)
-
Erik Huelsmann