LabKey Server version 18.3.0-61806.763, which was released on January 16, resolves all three vulnerabilities, so users should update immediately.
Three vulnerabilities in a popular open-source medical data collaboration tool make multiple cross-site scripting (XSS) attacks possible, exposing sensitive healthcare research data and potentially subject information. The flaws are serious enough that an attacker can retrieve a user’s credentials once that user clicks a malicious link.
LabKey Server Community Edition 18.2-60106.64, according to Tenable Research, contains vulnerabilities that allow an unauthenticated remote attacker to execute arbitrary code through their browser, create open redirects to push users to malicious URLs, and map malicious network drives after gaining administrative access.
“Using the victim’s credentials, the attacker could perform any action that their target could perform on the LabKey system,” Jacob Baines, senior research engineer at Tenable, told Threatpost. Depending on the targeted user’s access, this may involve accessing or manipulating research data.
LabKey Server is a suite of software that allows researchers to integrate, analyze, and share biomedical research data. The platform serves as a data repository that enables querying, reporting, and collaboration across multiple data sources via the web. LabKey solutions are utilized by public health organizations, medical research centers, and universities around the world, according to the company’s website.
Baines stated, “According to a Shodan search, there are internet-facing LabKey servers, which increases the attack surface. The server’s Set-Cookie header contains the X-LAB-CSRF identifier.”
Vulnerability Particulars
The first vulnerability, CVE-2019-3911, is an XSS flaw caused by improperly validated or sanitized query functions.
“Because this parameter is reflected in the output to the user and interpreted by the browser, a cross-site scripting attack is possible,” Tenable explained in a Thursday advisory. “This allows an attacker to execute arbitrary code within the user’s browser context. Authenticated or unauthenticated XSS attacks are possible due to the availability of extra ‘__r#’ paths in the default installation.”
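To make the reflected-parameter pattern concrete, here is an added example (not LabKey’s code, and not from the advisory) showing a query parameter echoed into HTML verbatim beside the output-encoded version. The function names and the sample request URL are hypothetical; only the pattern, a request parameter reflected into the page and interpreted by the browser, comes from the advisory text above.

```javascript
// Added example (not LabKey's code): how a reflected request parameter becomes
// XSS, and the output-encoding fix. Function names and the sample URL are
// hypothetical; the only thing taken from the advisory is the pattern of a
// query parameter being reflected into HTML and interpreted by the browser.

// Map the five characters that are significant in HTML text and attributes
// to their entity forms. Everything else passes through unchanged.
function escapeHtml(value) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Pull a named parameter out of a request URL (the test supplies a constructed URL).
function queryParam(requestUrl, name) {
  return new URL(requestUrl).searchParams.get(name) || '';
}

// Vulnerable rendering: the parameter is interpolated verbatim, so any markup
// in it is parsed by the browser as part of the page.
function renderResultsUnsafe(queryName) {
  return `<h1>Results for ${queryName}</h1>`;
}

// Hardened rendering: the same template, but the untrusted value is encoded
// for the HTML text context before interpolation.
function renderResultsSafe(queryName) {
  return `<h1>Results for ${escapeHtml(queryName)}</h1>`;
}

// Defender-side check over rendered output: a raw script tag surviving into
// the page means the encoding step was skipped somewhere.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}
```

The encoding is context-specific: `escapeHtml` is correct for HTML text and quoted attribute values, but a value placed inside a JavaScript block or a URL needs that context’s encoder instead. Marking the session cookie `HttpOnly` is a separate, defense-in-depth measure that keeps injected script from reading it even if encoding is missed.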
A second flaw, CVE-2019-3912, permits open redirects because the returnUrl function is likewise not sanitized, so certain return paths can be edited. An attacker can use this to redirect users to a location under their control.
CVE-2019-3913 is a flaw in the network drive mapping functionality of the LabKey Server. An attacker would need administrative access to LabKey Server’s web interface to exploit the vulnerability.
According to the advisory, “when mapping a network drive from the command line, a lack of sanitation in the mount() function would permit an attacker to mount their own malicious drives to the server.”
Baines stated that CVE-2019-3911 and CVE-2019-3912 are the two vulnerabilities that would typically be exploited in an attack. A malicious actor could exploit both CVE-2019-3911 and CVE-2019-3912 by sending an unsuspecting user a malicious link.
“An example attack scenario for CVE-2019-3912 would involve a malicious actor creating a phony login page,” he explained. “The attacker would then send a malicious link to a LabKey login page to an unsuspecting user. When a user logs in to the legitimate LabKey server, they would be redirected to the attacker’s fabricated page. Confused, the user re-enters their credentials and is now compromised.”
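The redirect step in that scenario is the point a defender controls: the application decides where the post-login redirect may land. The following is an added example, not LabKey’s code and not part of the article, of validating a returnUrl value against the application’s own origin so that it can only ever produce a same-origin path. The origin `https://labkey.example`, the `/home` landing path and the function names are hypothetical.

```javascript
// Added example (not LabKey's code): validating a returnUrl parameter so a
// post-login redirect can only land on the application's own origin. This
// addresses the open-redirect class described for CVE-2019-3912; the origin,
// landing path and function names are hypothetical.

const APP_ORIGIN = 'https://labkey.example'; // constructed application origin
const DEFAULT_LANDING = '/home';              // used whenever returnUrl is rejected

// Resolve returnUrl against the app origin and return a same-origin path, or
// the default landing path if the value would send the user anywhere else.
function safeReturnUrl(returnUrl, appOrigin = APP_ORIGIN) {
  if (typeof returnUrl !== 'string' || returnUrl.trim() === '') {
    return DEFAULT_LANDING;
  }
  let target;
  try {
    // Relative values ("/project/begin.view") resolve under appOrigin.
    // Absolute values ("https://evil.example/") keep their own origin.
    // Protocol-relative ("//evil.example") and backslash variants ("/\evil.example")
    // also resolve to a foreign origin under WHATWG URL parsing.
    target = new URL(returnUrl, appOrigin);
  } catch (err) {
    return DEFAULT_LANDING; // unparseable input is never a valid destination
  }
  // Non-http schemes such as javascript: have origin "null" and fail this test too.
  if (target.origin !== appOrigin) {
    return DEFAULT_LANDING;
  }
  // Emit path + query + fragment only, so the Location header can never carry a host.
  return target.pathname + target.search + target.hash;
}

// Value for the Location header after a successful login.
function loginRedirectLocation(returnUrl) {
  return APP_ORIGIN + safeReturnUrl(returnUrl);
}
```

Comparing the parsed origin, rather than checking that the string starts with `/` or contains the hostname, is what defeats the protocol-relative, backslash and look-alike-host forms that string prefix checks miss. An allow-list of permitted paths would be stricter still if the application only ever returns users to a small set of pages.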
Meanwhile, an example attack for CVE-2019-3911 would involve the attacker crafting a malicious link that carries extra JavaScript, which the victim’s browser will execute.
“If a logged-in LabKey user clicks the attacker’s link, the JavaScript can send the user’s cookies to the attacker, granting the attacker access to the user’s sessionID,” Baines explained.