Moderate
CVE-2022-43939
Description
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, enforce security restrictions that can be circumvented using non-canonical URLs.
Ratings
- Attacker Value: Medium
- Exploitability: Very High
Technical Analysis
This is an authentication bypass in Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x. Access checks are done primarily through the applicationContext-spring-security.xml file, which contains a set of regexes that control access to the various pages. The one that stands out is this intercept-url entry:
<sec:intercept-url pattern="\A/[^\?]*(require)(-js)?(-cfg)?.js(\?.*)?\Z" access="Anonymous,Authenticated" />
This regex grants both anonymous and authenticated access to any URL that starts with a /, followed by any run of characters other than ?, then the word require, optionally followed by -js and/or -cfg, then any single character (the . is not escaped, so it is a wildcard rather than a literal dot), then js, and then optionally a ? followed by anything at all up to the end of the string. Nothing pins the pattern to a particular directory or to a whole path segment: any path whose tail looks like require.js is treated as a static script, wherever it sits.
Following this, we can formulate a few URLs that satisfy the pattern and so bypass authentication at the Spring Security layer:
/pentaho/api/ldap/config/ldapTreeNodeChildren/require.js
/pentaho/api/ldap/config/ldapTreeNodeChildren/require-cfg.js
/pentaho/api/ldap/config/ldapTreeNodeChildren/require-js.js
/pentaho/api/ldap/config/ldapTreeNodeChildren/requireBjs
/pentaho/api/ldap/config/ldapTreeNodeChildren/requireKjs?asdf=22&bbb=44&ccc=55
The last two work because of the unescaped dot: require followed by any one character and then js is enough, with no literal .js suffix required. Note that appending a further .js to those (for example requireBjs.js) does not match, because nothing in the pattern consumes the trailing .js. Matching the pattern only gets a request past the filter; whether it still reaches the protected ldapTreeNodeChildren resource depends on how the servlet and JAX-RS layers resolve the non-canonical path.
Whilst the article at https://research.aurainfosec.io/pentest/pentah0wnage/, where this was originally written up, seems to suggest that only require.js is possible, the regex above shows that this is not the case.
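To make the reasoning about the pattern concrete, the following is an added example (not code from the Pentaho project, the original write-up, or this assessment) that evaluates candidate request URIs against the quoted regex and, beside it, a defence-in-depth check that re-validates the decision against the canonicalized path. Python's re module stands in for java.util.regex, which Spring Security's regex matcher uses; every construct in the quoted pattern behaves the same in both. The protected prefix /pentaho/api/ and the static-script path under /pentaho/content/ are assumptions made for the example.

```python
"""Evaluate request URIs against the intercept-url regex quoted above.

Added example for this assessment; not code from the Pentaho project or
from the original write-up. Python's re module is used as a stand-in for
java.util.regex: \\A, \\Z, [^\\?] and the optional groups behave the same in
both, apart from Java's \\Z also tolerating one trailing newline, which is
irrelevant for request URIs.
"""
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Pattern copied verbatim from the quoted <sec:intercept-url> entry.
# The '.' before 'js' is unescaped, so it matches any single character.
ANON_PATTERN = re.compile(r"\A/[^\?]*(require)(-js)?(-cfg)?.js(\?.*)?\Z")

# Assumption for this example: everything below this prefix is a protected
# REST API that must never be reachable anonymously, whatever the URI looks like.
PROTECTED_PREFIXES = ("/pentaho/api/",)


def regex_allows_anonymous(request_uri: str) -> bool:
    """True if the filter's regex would grant Anonymous access to request_uri."""
    return ANON_PATTERN.match(request_uri) is not None


def canonical_path(request_uri: str) -> str:
    """Reduce a request URI to the path the application will actually serve:
    drop the query string, percent-decode, and collapse '.', '..' and
    repeated slashes."""
    return normpath(unquote(urlsplit(request_uri).path))


def hardened_allows_anonymous(request_uri: str) -> bool:
    """Defence-in-depth check: the allow-list regex must still match, but the
    decision is re-validated against the canonical path, so a URI that merely
    ends in something resembling require.js cannot expose a protected API."""
    if not regex_allows_anonymous(request_uri):
        return False
    path = canonical_path(request_uri)
    return not any(path.startswith(prefix) for prefix in PROTECTED_PREFIXES)


def evaluate(request_uris):
    """Map each URI to (allowed by the quoted regex, allowed by the hardened check)."""
    return {u: (regex_allows_anonymous(u), hardened_allows_anonymous(u)) for u in request_uris}


# Candidate URIs constructed for this example. The first three are the bypass
# URLs discussed above; the next two exercise the unescaped dot; the rest are
# negative cases and a legitimate static script (path assumed for illustration).
CANDIDATES = [
    "/pentaho/api/ldap/config/ldapTreeNodeChildren/require.js",
    "/pentaho/api/ldap/config/ldapTreeNodeChildren/require-cfg.js",
    "/pentaho/api/ldap/config/ldapTreeNodeChildren/require-js.js",
    "/pentaho/api/ldap/config/ldapTreeNodeChildren/requireBjs",
    "/pentaho/api/ldap/config/ldapTreeNodeChildren/requireKjs?asdf=22&bbb=44&ccc=55",
    "/pentaho/api/ldap/config/ldapTreeNodeChildren/requireBjs.js",      # extra suffix: no match
    "/pentaho/api/ldap/config/ldapTreeNodeChildren",                    # bare endpoint: no match
    "/pentaho/js/../api/ldap/config/ldapTreeNodeChildren/require.js",   # dot-segment variant
    "/pentaho/content/common-ui/resources/web/require.js",
]

if __name__ == "__main__":
    for uri, (by_regex, by_hardened) in evaluate(CANDIDATES).items():
        print(f"regex={by_regex!s:5}  hardened={by_hardened!s:5}  {uri}")
```

Running the script shows every URI in the bypass list passing the quoted regex, the requireBjs.js and bare-endpoint cases failing it, and the hardened check rejecting all of the /pentaho/api/ variants (including the one that hides the API path behind a dot segment) while still admitting the static script. The hardened function illustrates the general principle (canonicalize first, then authorize, and never let an allow-list by file name override a deny by path prefix); it is not the vendor's actual fix.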
Combining this with CVE-2022-43769, as discussed at https://attackerkb.com/topics/hy6nWcCo30/cve-2022-43769, can lead to unauthenticated RCE as the user running the Hitachi Vantara Pentaho Business Analytics Server, which will typically be a privileged user such as a local administrator or local service account. That is where the real risk comes into play.
Given this context, it is highly recommended that this vulnerability be patched as soon as possible. If this were just an authentication bypass without the ability to do anything useful, we would recommend patching it as part of your normal patch cycle; but given the ability to combine it with CVE-2022-43769, and the ease of exploiting both vulnerabilities to get RCE on the server as an unauthenticated user, patching should be done as soon as possible, as it is likely these bugs will be exploited in the wild soon if they have not been already.
General Information
Vendors
- hitachi
Products
- vantara pentaho business analytics server
- vantara pentaho business analytics server 9.4.0.0