OutSystems has identified a security vulnerability in the authentication mechanism used for communication between OutSystems Platform components that could allow users who have limited access to one environment to elevate privileges on that environment and on other environments managed by the same LifeTime.
OutSystems has assessed the impact of this vulnerability for both cloud and on-premises deployments, and across all supported stacks. The information in this article will allow you to ascertain the level of exposure your systems may have, and how you should proceed to remediate the threat.
This vulnerability affects all supported Platform stacks in versions prior to 9.1.614.0 for OutSystems Platform Version 9 and prior to 10.0.811.0 for OutSystems Platform Version 10.
To understand the phases involved in the process, how and when we communicate, check this article.
- Embargo phase: This vulnerability was first communicated to all customers on July 4, 2018
- Public disclosure: Full details on this vulnerability were already disclosed.
The basis for this vulnerability is a "Pass the Hash" attack. Some internal web services accepted password hashes as authentication credentials. This means that a developer could obtain the hash of any user's password from the database and use it to authenticate against these web services. These web services allow high-privilege operations on the Platform, including a way to log in as that user in Service Center. Only IT users who already have access to LifeTime and Service Center can exploit this vulnerability. Once such a user obtains a hash, they can use it from any point where Service Center is reachable.
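The weakness described above, shown as an added example that is not OutSystems code: the vulnerable check accepts the stored digest itself, so anyone who can read the user table holds a reusable credential; the hardened check only accepts the password and re-derives the digest, and a short-lived HMAC token (an assumed design for component-to-component calls, not the actual fix) keeps the signing secret out of the database and bounds replay.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample data for this example; not OutSystems identifiers or data.
SALT = os.urandom(16)
ITERATIONS = 200_000
STORED_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", SALT, ITERATIONS)
SERVICE_KEY = os.urandom(32)  # held only by the service, never written to the user table


def vulnerable_service_auth(presented: bytes) -> bool:
    """Vulnerable pattern: the internal service treats the stored hash as a credential.

    Whoever can read STORED_HASH from the database can replay it, so the
    hash is as good as the password ("pass the hash").
    """
    return hmac.compare_digest(presented, STORED_HASH)


def hardened_service_auth(presented_password: bytes) -> bool:
    """Hardened pattern: only the secret itself is accepted, never its digest.

    The digest is re-derived from the presented password with the stored salt
    and work factor; holding STORED_HASH alone proves nothing.
    """
    candidate = hashlib.pbkdf2_hmac("sha256", presented_password, SALT, ITERATIONS)
    return hmac.compare_digest(candidate, STORED_HASH)


def issue_service_token(user: str, ttl_seconds: int = 300, now: Optional[float] = None) -> str:
    """Short-lived HMAC token for component-to-component calls (assumed design).

    The signing key is not in the user table, so a database read cannot mint
    tokens, and the expiry bounds the replay window if one does leak.
    """
    expires = int((time.time() if now is None else now) + ttl_seconds)
    payload = f"{user}|{expires}"
    tag = hmac.new(SERVICE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_service_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the token is authentic and unexpired, else None."""
    try:
        user, expires, tag = token.split("|")
    except ValueError:  # malformed token (wrong number of fields)
        return None
    expected = hmac.new(SERVICE_KEY, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time tag check
        return None
    if int(expires) <= (time.time() if now is None else now):
        return None
    return user
```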
Protecting your OutSystems Platform
OutSystems issued new releases of the Platform Server that address this vulnerability.
OutSystems Cloud customers can open a support case requesting an update of OutSystems Platform to a release where this vulnerability has been corrected.
- OutSystems Platform Version 9: The fixes are available from release 9.1.614.0 onwards. All customers that have yet to update their Platform Servers are strongly encouraged to do so.
- OutSystems Platform Version 10: The fixes are available from release 10.0.811.0 onwards. All customers that have yet to update their Platform Servers are strongly encouraged to do so.
This version was not affected by this vulnerability.
There is no workaround; we strongly advise updating to the releases mentioned above.
| Question | Answer |
|---|---|
| By exploiting this vulnerability, can an attacker access my data? | Yes. By exploiting this vulnerability, an attacker will have full access to all data stored by the OutSystems Platform. |
| Has this vulnerability been exploited in the wild? | OutSystems does not have any evidence that this vulnerability has been exploited in the wild or that any customer has been affected by it. |
| What do I need to do? | Update your OutSystems Platform to the above-mentioned version that applies to you. |
| Will OutSystems share any more information about this vulnerability? | All the details that can be shared were already disclosed in this article. |
| Who can I talk to about this? | If you have any questions, contact your Customer Success Manager. If you don't have one, contact us via our support channels. |
Vulnerability reported by
Carlos Alfaro, an OutSystems Most Valued Professional.