CVE-2021-31608 Proofpoint Enterprise Protection before 18.8.0 allows a Bypass of a Security Control.

A security control is a mechanism intended to prevent an attacker from performing a specific kind of operation; a bypass of a security control is a flaw that lets the attacker perform that operation without the control taking effect. In this case the control in question is described as one that locks asset values: PFP locks an asset value so that it cannot be changed, yet an attacker is able to change the value of a locked asset anyway. Locks of this kind exist precisely because changing protected values is a common attacker step, so a lock that can be sidestepped provides no protection at all. Note that the CVE description quoted above states only that a bypass of a security control is possible before version 18.8.0; the account of the affected control given on this page is an interpretation and should be read as such.

PFP bypass - Bypass control on locked asset value

An example of this class of bypass is PFP allowing an attacker to change the asset value of an asset that PFP itself previously locked: the lock is set, and the value is then changed through a path on which the lock is not enforced.
In the scenario this page describes, the bypass was used against locked account A-004532426-2 in order to change the password of user A-000107824-1 without any authentication. The attacker could not authenticate as that user, because the user had been locked out by PFP, so rather than authenticating, the attacker changed the password directly through the path that ignores the lock. These account and user identifiers do not appear in the published CVE description and cannot be verified against it.

Vulnerabilities Found By Review

According to this page, the vulnerability was discovered during a review of the PFP codebase and is located in the functions that lock and unlock asset values. Those functions are the security control: they are meant to ensure that the value of a locked asset cannot be changed until it is explicitly unlocked. The defect is that a write to a locked asset is not refused; the change goes through, so the lock provides no protection. The CVE description itself does not name the affected component, so the attribution to the lock and unlock functions is this page's own.
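The lock-and-unlock control described here and in the introductory paragraph lends itself to a small model. The following is an added example, not code from the original page and not Proofpoint's; the asset store, the `bulk_update` write path that skips the lock check, and the `max_recipients` asset are all hypothetical. It shows the pattern that most often produces a control bypass of this kind (a check enforced on one write path but not on another) beside a version that routes every mutation through a single guarded write and refuses a mixed batch before applying any of it:

```python
"""Constructed example: a lockable asset store with a bypassable lock.

Added illustrative code, not Proofpoint's. The defect modelled here (a second
write path that never consults the lock set) is a hypothetical instance of the
"bypass of a security control" class; the real CVE-2021-31608 defect is not
publicly detailed.
"""
from dataclasses import dataclass, field


class AssetLocked(Exception):
    """Raised when a write to a locked asset is refused."""


@dataclass
class VulnerableAssetStore:
    values: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def lock(self, name: str) -> None:
        self.locked.add(name)

    def unlock(self, name: str) -> None:
        self.locked.discard(name)

    def set_value(self, name: str, value) -> None:
        # The control: a single write refuses locked assets.
        if name in self.locked:
            raise AssetLocked(name)
        self.values[name] = value

    def bulk_update(self, updates: dict) -> None:
        # The bypass: this path writes straight to the dict and never
        # looks at self.locked, so a locked asset can be changed here.
        self.values.update(updates)


class HardenedAssetStore(VulnerableAssetStore):
    """Every mutation funnels through one guarded write."""

    def _write(self, name: str, value) -> None:
        if name in self.locked:
            raise AssetLocked(name)
        self.values[name] = value

    def set_value(self, name: str, value) -> None:
        self._write(name, value)

    def bulk_update(self, updates: dict) -> None:
        # Check the whole batch before writing any of it, so a batch that
        # mixes locked and unlocked assets cannot be partially applied.
        blocked = sorted(n for n in updates if n in self.locked)
        if blocked:
            raise AssetLocked(blocked)
        for name, value in updates.items():
            self._write(name, value)


def attempt_change(store, name: str, value) -> tuple:
    """Try both write paths; return (direct_refused, bulk_refused, final_value)."""
    def refused(fn) -> bool:
        try:
            fn()
            return False
        except AssetLocked:
            return True

    direct = refused(lambda: store.set_value(name, value))
    bulk = refused(lambda: store.bulk_update({name: value}))
    return direct, bulk, store.values[name]


def demo(store_cls) -> tuple:
    """Lock a constructed sample asset, then try to change it both ways."""
    store = store_cls()
    store.set_value("max_recipients", 100)  # hypothetical asset, set while unlocked
    store.lock("max_recipients")
    return attempt_change(store, "max_recipients", 10_000)


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableAssetStore))  # (True, False, 10000)
    print("hardened:  ", demo(HardenedAssetStore))    # (True, True, 100)
```

The point of the model is that the lock is only as good as the code path with the weakest check: `set_value` enforces it, `bulk_update` does not, and an attacker who can reach the second path has bypassed the control without touching the lock itself. The hardened store also refuses a mixed batch up front rather than writing the unlocked entries first, so a failed batch leaves no partial state behind.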

Description of the vulnerability

This vulnerability allows an attacker to bypass a security control and change the value of an asset that PFP has locked.

Overview

The issue was that PFP allowed an attacker to change the asset value of a locked asset. This page further reports that the bypass let the attacker lock out other accounts, amounting to a denial of service against them, and that the two effects together caused an infrastructure outage. The published CVE description carries no impact details, so these consequences are this page's account rather than confirmed facts.

Timeline

Published on: 11/17/2022 22:15:00 UTC
Last modified on: 11/21/2022 19:44:00 UTC

References