Attacker Value: Moderate (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2022-43939

Disclosure Date: April 03, 2023

Description

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, contain security restrictions using non-canonical URLs which can be circumvented.

Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

This is an authentication bypass in Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, due to the use of access checks which are done primarily through the applicationContext-spring-security.xml file. Within this file are various regexes which are used to control access to various pages; however, the one that stands out is this one:

<sec:intercept-url pattern="\A/[^\?]*(require)(-js)?(-cfg)?.js(\?.*)?\Z" access="Anonymous,Authenticated" />

This regex allows anonymous and authenticated access to any page that starts with a /, followed by any character other than ?, then the word require followed optionally by -js or -cfg, then any character, followed by js and then optionally a ? followed by any characters you like until the end of the line.

So following this we can formulate a few URLs that could bypass authentication:

  • /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js
  • /pentaho/api/ldap/config/ldapTreeNodeChildren/require-cfg.js
  • /pentaho/api/ldap/config/ldapTreeNodeChildren/require-js.js
  • /pentaho/api/ldap/config/ldapTreeNodeChildren/requireBjs.js
  • /pentaho/api/ldap/config/ldapTreeNodeChildren/requireKjs.js?asdf=22&bbb=44&ccc=55

Whilst the article at https://research.aurainfosec.io/pentest/pentah0wnage/ where this was originally written up seems to suggest that only require.js is possible, we can see that this is not the case based on the regex above.
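As an added example (not part of this assessment and not Pentaho's code), the Python below audits a Spring Security intercept-url chain the way a defender would check their own applicationContext-spring-security.xml: it compiles each pattern in document order and reports which probe paths land on a rule that grants the Anonymous role. Only the first intercept-url pattern is the one quoted above; the XML wrapper, the catch-all Authenticated rule and the probe list are constructed for the demonstration.

```python
# Added audit example for CVE-2022-43939, not Pentaho's code. Only the first
# intercept-url pattern below is the one quoted in the analysis; everything else
# (the XML wrapper, the catch-all rule, the probe paths) is constructed.
import re
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"
# Spring applies the first intercept-url whose pattern matches the request path,
# so an early, over-broad anonymous rule shadows every stricter rule after it.
SAMPLE_XML = r"""<beans xmlns:sec="http://www.springframework.org/schema/security">
  <sec:http>
    <sec:intercept-url pattern="\A/[^\?]*(require)(-js)?(-cfg)?.js(\?.*)?\Z" access="Anonymous,Authenticated" />
    <sec:intercept-url pattern="\A/.*\Z" access="Authenticated" />
  </sec:http>
</beans>"""

# Constructed probe list: the API endpoint from the analysis, bare and with suffixes.
PROBE_PATHS = [
    "/pentaho/api/ldap/config/ldapTreeNodeChildren",
    "/pentaho/api/ldap/config/ldapTreeNodeChildren/require.js",
    "/pentaho/api/ldap/config/ldapTreeNodeChildren/require-cfg.js",
    "/pentaho/api/ldap/config/ldapTreeNodeChildren/require-js.js",
    "/pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?asdf=22&bbb=44",
]

def load_rules(xml_text):
    """Return [(compiled_pattern, {roles}), ...] in document order."""
    rules = []
    for el in ET.fromstring(xml_text).iter(f"{{{SEC_NS}}}intercept-url"):
        roles = {r.strip() for r in el.get("access", "").split(",") if r.strip()}
        # Python's \Z is end-of-string only (Java's also allows a final newline);
        # request paths carry no newline, so the two engines agree here.
        rules.append((re.compile(el.get("pattern")), roles))
    return rules

def first_match(rules, path):
    """First rule whose pattern fully matches, mirroring Java's Matcher.matches()."""
    for pat, roles in rules:
        if pat.fullmatch(path):
            return pat.pattern, roles
    return None, set()

def anonymous_reachable(rules, paths):
    """Map each probe path to the pattern that lets it through unauthenticated."""
    hits = {}
    for p in paths:
        pattern, roles = first_match(rules, p)
        if "Anonymous" in roles:
            hits[p] = pattern
    return hits
```

Point it at your own security XML and a list of sensitive endpoints; every path it reports is one the stricter rules further down the chain never get to evaluate.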

Combining this with CVE-2022-43769 as discussed at https://attackerkb.com/topics/hy6nWcCo30/cve-2022-43769 can lead to unauthenticated RCE as the user running the Hitachi Vantara Pentaho Business Analytics Server, which will typically be a privileged user such as a local administrator or local service account, which is where the real risk comes into play.

Given this context, it is highly recommended that this vulnerability be patched as soon as possible. If this were just an authentication bypass without the ability to perform anything useful, then we’d recommend patching it as part of your normal patch cycle, but given the ability to combine this with CVE-2022-43769, and the ease of exploitation of both vulnerabilities to get RCE on the server as an unauthenticated user, patching should be done as soon as possible as it’s likely these bugs will be exploited in the wild soon if they have not been so already.

CVSS V3 Severity and Metrics

Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • hitachi

Products

  • vantara pentaho business analytics server
  • vantara pentaho business analytics server 9.4.0.0