Click Studios’ Passwordstate has been found to contain a few numerous high-severity vulnerabilities. An unauthenticated attacker might exploit these to exfiltrate credentials from an instance, overwriting all stored passwords in the database, or raising their privileges within the app. CVE-2022-3875, in conjunction with CVE-2022-3877 and CVE-2022-3876, may be used to acquire a shell on the Passwordstate host system and dump all saved passwords in cleartext.
Here’s everything you need to know about CVE-2022-3875 and the related vulnerabilities:
What is the CVE-2022-3875 vulnerability?
A vulnerability was found in Click Studios Passwordstate and on Passwordstate Browser Extension in Google Chrome. Classified as critical, this vulnerability may lead to an authentication bypass by assumed-immutable data. Manipulating the component API while affecting unknown code functions in the component, the attack can be initiated remotely.
Published back on December 19th, 2022, both the CVE and POC code are available. Moreoever, the POC has been confirmed as a true exploit.
In their research, Kuekerino, Ubahnverleih, and Parze (who were the ones to examine Click Studios’ Passwordstate password management solution) found that:
“The API token is not some randomly generated string or secret, neither is it cryptographically signed. Instead, the API token contained concatenated user information that was XOR encrypted with a hardcoded key… Even more surprising was the code, which validated the token: The only field from the string used for authentication and authorization was the username.”
So what exactly does this mean? Essentially it has three main consequences:
- Anyone could create their own token for a known existing username – This means that you would only need to know an existing username to craft a valid API token with the hardcoded XOR key. As a result, all data which the browser extension can access could be easily obtained and modified.
- Upon a user’s password change, the tokens are not changed
- When compromised, tokens cannot be invalidated
In addition, the researchers also discovered that any user with administrator permissions has an extended menu that grants access to various administrative features such as adding new users or backing up the database. However, this feature seems to be of special interest since it might grant an attacker the ability to potentially run arbitrary Powershell scripts on the host machine, or in other words, this is a case of code execution as a service.
Finding a way to elevate the privileges of an administrator user within Passwordstate could allow access to the host system, dumping all passwords.
Does it affect me?
Securing your password manager is a main key element for the security of any organization, big to small. In fact, password management is something that many enterprise organizations struggle with on a daily basis. By storing and managing an environment’s passwords, management solutions help make this process easier and simpler.
While storing passwords in a safe and secure password manager is still the best practice for safekeeping passwords, it’s important to bear in mind that having secrets stored in a single self-centralized location such as one password manager, represents more value to cyber criminals.
The security of password managers, with an emphasis on their web extensions, must be treated from architecture to implementation and maintenance, as a holistic endeavor. In this context, it is important to remember that having a vast feature set on a password manager, could also often imply a bigger attack surface that has a wider range of space for errors.
Has CVE-2022-3875 been actively exploited in the wild?
The exploit has been publicly disclosed and CVE-2022-3875 has been assigned the identifier VDB-216244. The vulnerability’s CWE definition is CWE-302. Being an on-premise enterprise password management platform, Passwordstate allows its users to safely store, access, and then also share sensitive password data.
Password managers are meant to support a relatively vast amount of features, some of which might be of relevance to you or your organization. Passwordstate supports a specific browser extension that can store, modify and retrieve passwords for various users of an environment, making it a relatively commonly used component in enterprise environments.
Fixing CVE-2022-3875
Prior to the CVE publication, a fix was released in build 9611 (September 5th), making it most probable that your Passwordstate instances have already been updated by now and are possibly not exposed to the internet. Also, despite the fact that an attacker could gain access to the browser extension API, that does not necessarily give him access to a real and actual session within the web instance.
In case you’re using the affected package, it is highly recommended to upgrade since upgrading eliminates this vulnerability. A full online version of the advisory is available at modzero.com or alternatively look into the PDF version of the public disclosure report for CVE-2022-3875.
It is also important to note that all of Click Studios’ vulnerabilities have been declared as fixed as of Passwordstate version 9.6 (Build 9653).
Look for your vendors’ references and updates immediately – Google and Microsoft have already released their updates.
Next steps
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- Cyber risk in 2022- a 360° view report
- MITRE ATTACK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- How to properly tackle zero-day threats
- Threat intelligence frameworks in 2022
And finally…
Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.
