The risk of exploiting this issue depends on how the Crowd application's remote-address allowlist is configured. The allowlist is evaluated against the source IP of the connecting client, so every address it covers is treated as a trusted application host. The following are common configurations:

* The {{All}} option allows any IP to connect to the application.
* The {{127.0.0.1}} option allows only the loopback address, i.e. clients running on the Crowd server itself. This is the most restrictive setting.
* The {{10.0.0.0/8}} option includes the entire 10.0.0.0/8 private network (16,777,216 addresses).
* The {{192.168.0.0/16}} option includes the entire 192.168.0.0/16 private network (65,536 addresses).
* The {{10.1.0.0/16}} option includes the entire 10.1.0.0/16 subnet (65,536 addresses).
* The {{172.16.0.0/12}} option includes the entire 172.16.0.0/12 private network (1,048,576 addresses).
* The {{0.0.0.0/0}} option matches every IPv4 address, so it is equivalent to {{All}} rather than a restriction.
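To make the semantics of these entries concrete, the following added example (not code from the page or from Crowd itself) evaluates a remote address against an allowlist the way the options above describe and flags entries that admit more hosts than a single integrated application needs. The {{All}} keyword, the CIDR entries and the host-count threshold are assumptions for illustration.

```python
import ipaddress

# Constructed allowlist settings in the forms the text lists. "All" is the
# catch-all keyword; the rest are single addresses or CIDR ranges. These are
# illustrative values, not taken from any real installation.
ALLOWLIST_EXAMPLES = {
    "catch-all keyword": ["All"],
    "loopback only": ["127.0.0.1"],
    "whole 10/8": ["10.0.0.0/8"],
    "single subnet": ["10.1.0.0/16"],
    "catch-all cidr": ["0.0.0.0/0"],
}


def parse_entry(entry):
    """Return the network an allowlist entry covers, or None for the All keyword."""
    if entry.strip().lower() == "all":
        return None
    # strict=False tolerates host bits set in an entry such as 10.1.2.3/16
    return ipaddress.ip_network(entry.strip(), strict=False)


def is_allowed(remote_ip, allowlist):
    """True if a client connecting from remote_ip would pass the allowlist."""
    addr = ipaddress.ip_address(remote_ip)
    for entry in allowlist:
        net = parse_entry(entry)
        if net is None or addr in net:
            return True
    return False


def audit(allowlist, max_hosts=256):
    """Return (entry, reason) pairs for entries that admit more than max_hosts addresses.

    max_hosts is an assumed threshold; a single integrated application
    normally needs one address or a handful, not a whole private range.
    """
    findings = []
    for entry in allowlist:
        net = parse_entry(entry)
        if net is None:
            findings.append((entry, "matches every address (equivalent to 0.0.0.0/0)"))
        elif net.num_addresses > max_hosts:
            findings.append((entry, f"admits {net.num_addresses} addresses"))
    return findings


if __name__ == "__main__":
    for label, allowlist in ALLOWLIST_EXAMPLES.items():
        print(label, allowlist, "->", audit(allowlist) or "ok")
```

Running the audit over the constructed examples flags everything except the loopback-only entry; 0.0.0.0/0 is reported as admitting 4,294,967,296 addresses, which is the point the table above makes about it being a catch-all rather than an exclusion.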
If the allowlist is broader than the hosts that genuinely need to reach Crowd, an attacker who can originate traffic from any address inside it (a compromised workstation on the same private range is enough) can connect to the Crowd application as if they were a trusted integrated application. From there the attacker can call privileged endpoints under the {{usermanagement}} path of the REST API, which expose the users, groups and memberships that Crowd manages. This can lead to a full compromise of the confidential directory data held on the Crowd application server. This issue can only be exploited from IPs specified in the allowlist.

Vulnerability Description

A vulnerability in Atlassian Crowd, the user directory and single sign-on server for Atlassian products, could allow remote attackers to gain privileged access to the application by connecting from an IP address in Crowd's remote-address allowlist.
The issue is due to an error in the way the Crowd REST API trusts the allowlist. The REST API contains endpoints that provide a privileged level of access to the system, and Crowd grants that access to any client whose source IP is in the allowlist instead of requiring the client to prove it is the integrated application it claims to be.
Therefore, an attacker on an allowlisted address can call privileged endpoints under the {{usermanagement}} path of the REST API and read or change the confidential user and group data on the Crowd application server.

Vulnerability Scenario

* The Crowd application's allowlist is set to a broad range (for example {{192.168.0.0/16}} or {{All}}) rather than only the hosts that need access
* A malicious user sends requests to the Crowd app from an IP inside that range (e.g. 192.168.1.1)
* Crowd accepts the connection as a trusted application, and the attacker calls privileged endpoints under the {{usermanagement}} path to read or modify directory data before disconnecting

Vulnerability Symptoms

The following are possible symptoms of the vulnerability:
- Requests to REST endpoints under the {{usermanagement}} path that originate from an IP inside the allowlist but not from a known integrated application host.
- Privileged operations (user or group lookups, searches, creations or changes) recorded against an application without a matching action in that application's own logs.
- Accounts, groups or memberships in Crowd that no administrator created or changed.

If any of these symptoms are observed, the Crowd application server may be compromised: isolate it, preserve its access and audit logs for investigation, and restrict the allowlist to the specific addresses of the integrated applications before returning it to service.
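The first symptom above can be checked mechanically against the web server's access log. The following added example (not code from the page or from Crowd) parses constructed combined-format log lines, keeps only requests to the usermanagement REST path, and flags those from any source that is not a known application host, distinguishing sources that the allowlist admits from sources outside it. The log format, the {{/crowd/rest/usermanagement/}} prefix, the known host set and the allowlist are assumptions for illustration and must be adjusted to the deployment.

```python
import ipaddress
import re

# Constructed access-log lines in Apache/Tomcat combined format; not real Crowd
# output. 10.1.4.20 plays the legitimate integrated application, 192.168.1.1
# an attacker inside an over-broad allowlist.
SAMPLE_LOG = """\
10.1.4.20 - - [17/Nov/2022:10:01:02 +0000] "GET /crowd/rest/usermanagement/1/user?username=alice HTTP/1.1" 200 512
10.1.4.20 - - [17/Nov/2022:10:01:03 +0000] "GET /crowd/rest/usermanagement/1/group?groupname=admins HTTP/1.1" 200 380
192.168.1.1 - - [17/Nov/2022:10:05:44 +0000] "GET /crowd/rest/usermanagement/1/search?entity-type=user HTTP/1.1" 200 18944
192.168.1.1 - - [17/Nov/2022:10:05:51 +0000] "POST /crowd/rest/usermanagement/1/user HTTP/1.1" 201 0
192.168.1.1 - - [17/Nov/2022:10:06:10 +0000] "GET /crowd/console/login.action HTTP/1.1" 200 2211
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed: hosts of the applications that legitimately call Crowd.
KNOWN_APP_HOSTS = {"10.1.4.20"}
# Assumed: the over-broad allowlist configured on the Crowd side.
ALLOWLIST = ["10.0.0.0/8", "192.168.0.0/16"]
# Assumed: context path plus REST prefix of the privileged endpoints.
USERMANAGEMENT_PREFIX = "/crowd/rest/usermanagement/"


def in_allowlist(ip, allowlist):
    """True if ip is covered by an allowlist entry (the All keyword covers everything)."""
    addr = ipaddress.ip_address(ip)
    for entry in allowlist:
        if entry.strip().lower() == "all":
            return True
        if addr in ipaddress.ip_network(entry.strip(), strict=False):
            return True
    return False


def find_suspicious(log_text, known_hosts=KNOWN_APP_HOSTS, allowlist=ALLOWLIST):
    """Return usermanagement requests from sources that are not known application hosts.

    Each finding records the source IP, method, path, response status and
    whether the allowlist would have admitted the source. A 2xx status from an
    unexpected source is the strongest indicator: the privileged call succeeded.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(USERMANAGEMENT_PREFIX):
            continue
        ip = m["ip"]
        if ip in known_hosts:
            continue
        reason = ("allowlisted but not a known application host"
                  if in_allowlist(ip, allowlist) else "outside allowlist")
        findings.append({
            "ip": ip,
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

On the constructed log this reports the two usermanagement calls from 192.168.1.1 (a user search and a user creation, both answered with success) and ignores the console login, which is not a REST call. Findings marked "allowlisted but not a known application host" are the signature of this issue; findings marked "outside allowlist" would mean the allowlist is not being enforced at all and deserve a separate investigation.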

Vulnerabilities in Crowd API

Crowd is a centralized identity management product: it holds user and group directories and provides single sign-on and user management for the applications connected to it. Each connected application is registered in Crowd with its own credentials and a remote-address allowlist that limits where that application may connect from.
If that allowlist is not properly configured, Crowd can be attacked from any machine inside the permitted range. One such attack involves the REST API endpoints under the {{usermanagement}} path, which provide privileged access to directory data and can be called from any IP specified in the allowlist of the application's configuration. If the allowlist is left broad, an attacker on an allowlisted address can exploit this vulnerability to access confidential data on the Crowd application server.

Timeline

Published on: 11/17/2022 00:15:00 UTC
Last modified on: 11/18/2022 18:51:00 UTC