In the Bentley Asset Lifecycle Information Management (ALIM) Web application, there exists a critical security vulnerability (CVE-2024-27455), allowing the exposure of a user's ALIM session token accidentally during file downloads. As a result, attackers can potentially gain unauthorized access to the susceptible system, compromising user data and posing a serious threat to information security.

This in-depth post aims to provide detailed insights into this vulnerability, including a simplified explanation of its mechanism, code snippets for better understanding, links to original references for further perusal, and crucial steps for mitigation and resolution.

Bentley ALIM Web Application Overview

Bentley's ALIM Web application is a software solution designed to enable organizations to streamline asset management and enhance lifecycle information management. With powerful features like digital asset twins, Web-accessible_file_download, and electronic book management, it enables seamless collaboration, information sharing, and decision-making support. You can find out more about this application at Bentley's official site: https://www.bentley.com/en/products/product-line/asset-performance-software/assetwise-alim

The Vulnerability - CVE-2024-27455

CVE-2024-27455 allows a potential attacker to gain unauthorized access to a user's ALIM security token when specific configuration settings are enabled. This security token is an essential component of the ALIM Web application's security framework, ensuring secure communication and resource access. If exposed, an attacker may use the token to perform actions and access resources illegitimately, leading to a data breach and severe consequences for the affected organization.

How the Exploit Works

Under certain ALIM Web application configurations, a user's session token may become visible when they attempt to download a file, leaving it exposed to both internal and external threats. Consider the following code snippet:

// Code snippet representing the vulnerable file download function
function vulnerable_file_download(file_id, session_token) {
  // ...
  // Executing the file download process
  // ...
  
  // Logging the session token (insecure, leading to token exposure)
  console.log("Session token in use during file download: " + session_token);
}

The above function represents a vulnerable file download process. The insecure logging of the session token in the console can expose it to potential attackers with local or remote access, facilitating unauthorized activities and resource tampering.

Original References

You can find technical details, research, and mitigation suggestions for CVE-2024-27455 on the following links:

1. The CVE page for CVE-2024-27455: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27455
2. The National Vulnerability Database's entry for CVE-2024-27455: https://nvd.nist.gov/vuln/detail/CVE-2024-27455
3. Bentley's official security advisory addressing the vulnerability: https://www.bentley.com/en/trust-center/security-advisories

Resolution and Mitigation

Fortunately, Bentley has already fixed this security vulnerability in Assetwise ALIM Web 23.00.04.04 and Assetwise Information Integrity Server 23.00.02.03. To safeguard your system from potential threats, we strongly recommend implementing these crucial steps:

1. Update your Bentley ALIM Web application to version 23.00.04.04 or later. If you are unsure of your current version, please contact your Bentley support representative for assistance.
2. Update your Assetwise Information Integrity Server to version 23.00.02.03 or later to ensure complete protection.
3. Regularly review and update your system's security configurations, adhering to best practices and recommendations from Bentley and industry experts.

Conclusion

CVE-2024-27455 is a security vulnerability in Bentley's ALIM Web application that can cause exposure of a user's ALIM session token during file downloads when specific configuration settings are enabled. It is critical to address this vulnerability promptly to safeguard your organization's data and maintain information integrity. By updating your ALIM and Information Integrity Server applications and following best security practices, you can significantly lower the risk of unauthorized access and data breaches.

Timeline

Published on: 02/26/2024 16:28:00 UTC
Last modified on: 08/14/2024 15:35:07 UTC