Vulnerability RPD-2903

Overview

OutSystems has identified a security vulnerability in the authentication mechanism used for communication between OutSystems Platform components. It could allow users who have limited access to one environment to elevate their privileges on that environment and on other environments managed by the same LifeTime.

OutSystems has assessed the impact of this vulnerability for both cloud and on-premises deployments, and across all supported stacks. The information in this article will allow you to ascertain the level of exposure your systems may have, and how you should proceed to solve the threat.

Technology Stacks

This vulnerability affects all supported Platform stacks in versions prior to 9.1.614.0 for OutSystems Platform Version 9 and prior to 10.0.811.0 for OutSystems Platform Version 10.

Communication

To understand the phases involved in the process, how and when we communicate, check this article.

  • Embargo phase: This vulnerability was first communicated to all customers on July 4, 2018
  • Public disclosure: Full details on this vulnerability were already disclosed.

Vulnerability details

The basis for this vulnerability is a "Pass the Hash" attack. Some internal web services used to accept password hashes as authentication. This means that a developer could obtain the hash of any user's password from the database and use it to authenticate against these web services. These web services allow high-privilege operations on the Platform, including a way to log in as that user in Service Center. Only IT users that already have access to LifeTime and Service Center can exploit this vulnerability. Once such a user obtains a hash, they can use it from any point where Service Center is reachable.
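The flaw described above is the classic password-equivalent credential: when an internal service accepts the stored hash as the authenticator, reading that hash from the database is as good as knowing the password, and the hash can be replayed against the service from anywhere it is reachable. The Python below is an added illustration and is not OutSystems code, nor the Platform's actual authentication mechanism; the classes WeakInternalService and HardenedInternalService, the user "alice" and her password are constructed for the example. It contrasts a service that accepts a digest with one that requires the password itself, verifies it against a salted PBKDF2 verifier, and issues a random server-side session token so nothing derived from the password is ever used as a credential.

```python
import hashlib
import hmac
import os
import secrets

# --- Constructed sample data (not OutSystems data) --------------------------
# In the flawed design the database stores a plain digest of the password and
# the internal web service accepts that digest itself as the credential.
PASSWORD = "correct horse battery staple"  # constructed sample password
WEAK_STORE = {"alice": hashlib.sha256(PASSWORD.encode()).hexdigest()}


class WeakInternalService:
    """Models the pattern the advisory describes: a caller who presents the
    stored hash is treated as that user. Anyone who can read the database
    therefore holds a replayable credential for every account."""

    def __init__(self, store):
        self.store = store

    def authenticate(self, username, presented_hash):
        stored = self.store.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(stored, presented_hash)


# --- Hardened design --------------------------------------------------------
def make_verifier(password, iterations=200_000):
    """Salted, stretched verifier. It is derived from the password but cannot
    be presented in place of it, because the server recomputes the derivation
    from whatever the caller actually sends."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "dk": dk}


class HardenedInternalService:
    """The caller must send the password; a successful check yields a random,
    server-side session token rather than anything derived from the password."""

    def __init__(self, store):
        self.store = store
        self.sessions = {}  # token -> username, kept only on the server

    def authenticate(self, username, password):
        rec = self.store.get(username)
        if rec is None:
            return None
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 rec["salt"], rec["iterations"])
        if not hmac.compare_digest(dk, rec["dk"]):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def user_for(self, token):
        return self.sessions.get(token)


def run_scenario():
    """Replays a value read from the database against each design and
    returns which design accepted it."""
    weak = WeakInternalService(WEAK_STORE)
    leaked_hash = WEAK_STORE["alice"]  # exactly what a database read yields

    hardened_store = {"alice": make_verifier(PASSWORD)}
    hardened = HardenedInternalService(hardened_store)
    leaked_verifier = hardened_store["alice"]["dk"].hex()

    token = hardened.authenticate("alice", PASSWORD)
    return {
        "weak_accepts_replayed_hash": weak.authenticate("alice", leaked_hash),
        "hardened_accepts_replayed_verifier":
            hardened.authenticate("alice", leaked_verifier) is not None,
        "hardened_accepts_password": token is not None,
        "token_maps_to_user": hardened.user_for(token) == "alice",
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The weak service returns True for the replayed hash, which is the whole problem: the database value is the credential. The hardened service rejects the stored verifier when it is presented as a password, because PBKDF2 of the hex string never reproduces the stored key, and the only thing a caller can reuse afterwards is a session token the server can expire or revoke.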

Protecting your OutSystems Platform

OutSystems issued new releases of the Platform Server that address this vulnerability.

OutSystems Cloud

OutSystems Cloud customers can open a support case requesting an update of OutSystems Platform to a release where this vulnerability has been corrected.

On-Premises Installations

OutSystems 9.1

The fixes are available from release 9.1.614.0 onwards. All customers that have yet to update their Platform Servers are strongly encouraged to do so.

OutSystems 10

The fixes are available from release 10.0.811.0 onwards. All customers that have yet to update their Platform Servers are strongly encouraged to do so.

OutSystems 11

This version was not affected by this vulnerability.

Workaround

There is no workaround; we strongly advise updating to the releases mentioned above.

FAQs

Question: By exploiting this vulnerability, can an attacker access my data?
Answer: Yes. By exploiting this vulnerability, an attacker will have full access to all data stored by the OutSystems Platform.

Question: Has this vulnerability been exploited in the wild?
Answer: OutSystems does not have any evidence that this vulnerability has been exploited in the wild or that any customer has been affected by it.

Question: What do I need to do?
Answer: Update your OutSystems Platform to the above-mentioned version that applies.

Question: Will OutSystems share any more information about this vulnerability?
Answer: All the details that can be shared were already disclosed in this article.

Question: Who can I talk to about this?
Answer: If you have any questions, contact your Customer Success Manager. If you don't have one, contact us via our support channels.

Vulnerability reported by

Carlos Alfaro, an OutSystems Most Valued Professional.