La Sostenibilità per TIM

Il Report 2024 accoglie i principi della Corporate Sustainability Reporting Directive (CSRD) ed è incluso nella Relazione Finanziaria e di Sostenibilità. Approfondisci

Ultimi Comunicati Stampa

Redazione ufficio stampa

Leggi gli ultimi comunicati stampa e naviga nell'archivio dell'Ufficio Stampa del Gruppo TIM. Leggi i comunicati

CVE-2022-45173

CVE-2022-45173 – LiveBox Collaboration vDesk

Vulnerability Description: Improper Authentication (Bypass Two-Factor Authentication - Lack of Server-Side Validation) - CWE-287

Software Version: <= v.018

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45173

CVSv3: 9.8

Severity: Critical

Credits: Massimiliano Ferraresi, Massimiliano Brolli

An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /api/v1/vdeskintegration/challenge endpoint. Because only the client-side verifies whether a check was successful, an attacker can modify the response, and fool the application into concluding that the TOTP was correct.

Step-by-step instructions and PoC

The web application implements two-factor authentication through a TOTP code. To check
whether the inserted TOTP is correct, the web-application implements the API
/api/v1/vdeskintegration/challenge. Unfortunately, only the client-side verifies
whether the check was successful, allowing an attacker to modify the response, and fool the
application that the TOTP was correct.

Affected Endpoints

·       https://[...]/api/v1/vdeskintegration/challenge

Below are the evidences with the vulnerability details and the payloads used

Figure 8 Detail of the request and the response before changing the response.

 

Click to Enlarge

The application responds with the following JSON, notifying that the check was not
successful:

{"status":"403","message":"OTP Check failed","totp":true}


The attacker, though, can modify the response, fooling the client-side code that the check
was correct:


{"status":200,"message":"OK","totp":true}

Figure 9 Response modified by the attacker

 

Click to Enlarge

Figure 10 Dashboard visualized just after the response modification.

 

Click to Enlarge