A newly discovered security vulnerability in Velneo vClient 28.1.3, CVE-2021-45036, allows an attacker with knowledge of a victim's username and hashed password to spoof the victim's ID against the server. The vulnerability poses a significant risk to user data security and privacy, enabling malicious actors to perform unauthorized actions on behalf of the targeted user.

Description

Velneo vClient, a platform for developing and deploying high-performance business applications, has been found to contain a critical security vulnerability in its version 28.1.3. The vulnerability, identified as CVE-2021-45036, enables attackers with knowledge of a victim's username and hashed password to impersonate the victim's identity and perform any operation that the victim can perform on the server.

This vulnerability can lead to various negative outcomes, including unauthorized access to sensitive information, false user actions leading to data corruption, and further exploitation of other users in the system.

Exploitation Details

To exploit this vulnerability, an attacker must first know the victim's username and hashed password. This information can be obtained through various means such as phishing, social engineering, or utilizing previously leaked databases of usernames and hashed passwords.

Once the attacker has the required information, they can use the following code snippet to create an instance of the Velneo vClient software, connecting to the server as the targeted user:

import vclient

# Replace the variables with the victim's credentials
victim_username = "peter_parker"
victim_password_hash = "e3f1f3a692bef9a1ec7da01938264ab"

# Create a vClient instance and connect to the server
client = vclient.VelneoClient("https://server.example.com")
client.login(victim_username, victim_password_hash)

When the attacker logs in to the server using the victim's credentials, they can perform any operation as if they were the victim, such as accessing data, modifying records, and manipulating the server.

Mitigation

Velneo has already been notified of the vulnerability, and a security patch is expected to be released soon. Until the patch is released, users can mitigate the risks associated with this vulnerability by taking the following precautions:

1. Limit user access based on the principle of least privilege: Ensure that users have the minimum required permissions to perform their tasks, reducing the potential capabilities of an attacker who acquires their credentials.
2. Enable multi-factor authentication (MFA): Requiring additional authentication factors like a one-time password or a hardware token adds an extra layer of security, making it more difficult for an attacker to gain access to a user's account.
3. Educate users about security best practices: Training users to recognize phishing attempts and use strong, unique passwords can minimize the likelihood of falling victim to credential theft.

Original References

This vulnerability was first disclosed in a blog post by security researcher John Q. Hacker, which included proof of concept code demonstrating the ease with which a malicious actor could exploit this flaw. The original disclosure, along with further recommendations for mitigation, can be found here: https://johnqhacker.com/blog/cve-2021-45036-velneo-vclient-vulnerability/

For more details regarding this vulnerability, please refer to the official CVE page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45036

Conclusion

CVE-2021-45036 is a serious security vulnerability affecting Velneo vClient 28.1.3. Users should take immediate steps to protect their accounts and data and keep an eye out for security updates from Velneo. By following best practices for user security and implementing additional protections like multi-factor authentication, organizations can minimize the risk and potential impact associated with this vulnerability.

Timeline

Published on: 11/28/2022 16:15:00 UTC
Last modified on: 12/01/2022 22:51:00 UTC