
July 4, 2018 Vulnerability RPD-2903: Dormouse


OutSystems

Overview

OutSystems has identified a security vulnerability in the authentication mechanism used for communication between OutSystems Platform components. It could allow users who have limited access to one environment to elevate their privileges on that environment and on any other environment managed by the same LifeTime.

OutSystems has assessed the impact of this vulnerability for both cloud and on-premises deployments, and across all supported stacks. The information in this article will allow you to ascertain the level of exposure your systems may have and how you should proceed to resolve the threat.

Technology Stacks Affected

This vulnerability affects all supported platform stacks in versions prior to 9.1.614.0 for OutSystems Platform version 9 and prior to 10.0.811.0 for OutSystems Platform version 10.

How to Fix On-Premises Installations

OutSystems issued new versions for all supported platforms.

The fixes are available from versions 9.1.614.0 and 10.0.811.0 onwards. All clients that have yet to update their platform instances are strongly encouraged to do so.

OutSystems Cloud

OutSystems Cloud customers can open a support case requesting an update of OutSystems Platform to a version in which this vulnerability has been corrected.

More About This Vulnerability

The basis for this vulnerability is a “Pass the Hash” attack. Some internal web services used to accept password hashes as authentication credentials. This means that a developer could obtain the hash of any user’s password from the database and use it to authenticate against these web services. These web services allow high-privilege operations on the platform, including a way to log in as that user in Service Center.


Who can exploit this vulnerability?

Any user who has developer access to any environment.

From where can this vulnerability be exploited?

Once a developer obtains a hash, they can use it from any location where Service Center is reachable.
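The flaw class described above (a service that treats the stored password hash itself as the credential, so anyone who can read the hash can authenticate) is easiest to see next to its hardened form. The following is an added illustration written for this page; it is not OutSystems code and does not reproduce the internal web services or database schema of the platform. The user store, the user name, the PBKDF2 parameters and both `authenticate` functions are hypothetical, chosen only to show why a hash must be a verifier and never an accepted credential.

```python
"""Added example (not OutSystems code): a "pass the hash" style check beside a
hardened one. A stored hash must only ever be used to verify a password that the
caller presents; if the service accepts the hash directly, reading the database
is enough to authenticate as any user."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # hypothetical work factor for this illustration


def make_record(password: str) -> tuple:
    """Create a salted PBKDF2-HMAC-SHA256 record for a password (constructed sample data)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Hypothetical user store: username -> (salt, hash). Constructed for the example.
USER_STORE = {"admin": make_record("correct horse battery staple")}


def flawed_authenticate(username: str, presented_hash: bytes) -> bool:
    """Flawed service: the hash in the request is accepted as proof of identity.
    Anyone who can read USER_STORE (for example, a developer with database access)
    can present the stored value and obtain the user's privileges."""
    record = USER_STORE.get(username)
    if record is None:
        return False
    _, stored_hash = record
    return presented_hash == stored_hash  # the stored verifier doubles as the credential


def hardened_authenticate(username: str, password: str) -> bool:
    """Hardened service: only the password is accepted. The hash is re-derived with
    the stored salt and compared in constant time, so knowing the stored hash does
    not let a caller authenticate."""
    record = USER_STORE.get(username)
    if record is None:
        # Do a derivation anyway so response time does not reveal whether the user exists.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    salt, stored_hash = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored_hash)


def demo() -> dict:
    """Compare both services against a hash read straight out of the user store."""
    leaked_hash = USER_STORE["admin"][1]
    return {
        "flawed_accepts_leaked_hash": flawed_authenticate("admin", leaked_hash),
        "hardened_accepts_leaked_hash": hardened_authenticate("admin", leaked_hash.hex()),
        "hardened_accepts_password": hardened_authenticate("admin", "correct horse battery staple"),
        "hardened_rejects_wrong_password": hardened_authenticate("admin", "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block prints `flawed_accepts_leaked_hash: True` and `hardened_accepts_leaked_hash: False`: the same database read that fully compromises the flawed service gives the attacker nothing against the hardened one. The same principle applies to any internal service: a stored verifier (hash, salted hash, or a derived key) must never be accepted as a credential, and anything that must be presentable by a caller should be a short-lived, scoped token rather than a long-lived secret readable from the database.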


Vulnerability reported by Carlos Alfaro, an OutSystems Most Valued Professional.