Tenable Research discovered three vulnerabilities in the LabKey Server, an open source medical data collaboration tool, which potentially could put medical research data at risk of unauthorized access.
In a report released on Thursday, the researchers said the flaws affect LabKey Server Community Edition 18.2-60106.64. The vulnerabilities could allow an attacker to obtain a user's credentials after that user clicks a malicious link.
The researchers said the flaws could also let a remote attacker run arbitrary code in the user's browser, create open redirects and cross-site scripting (XSS) and, once administrative access has been obtained, map malicious network drives on the server.
For example, query parameters aren't validated or properly sanitized: the parameter is reflected in the output sent to the user and interpreted by the browser as markup, which makes cross-site scripting possible and lets an attacker run arbitrary script within the user's browser.
“The XSS attacks are possible either authenticated or unauthenticated due to extra ‘__r#’ paths that are available in a default installation,” the researchers wrote.
Further, the researchers said the returnURL parameter is also unsanitized, so the return path can be edited to point anywhere, which attackers could use to redirect users to a location they control (an open redirect).
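The two web-side flaws described above, reflected XSS via an unescaped query parameter and an open redirect via returnURL, reduce to the same defect: a request parameter reaches a sensitive sink (the HTML response, the Location header) without validation. The following is an added example, not LabKey's code; the function names are hypothetical and the handlers are simplified stand-ins for a real server. It shows each vulnerable sink next to a hardened version, and the returnURL check is written to cover the bypasses a naive "must start with /" test misses.

```python
import html
from urllib.parse import urlsplit

# Added example, not LabKey code. Function names are hypothetical.


def render_query_vulnerable(query: str) -> str:
    """Reflects the parameter verbatim into HTML (the XSS pattern)."""
    return "<p>Results for: " + query + "</p>"


def render_query_fixed(query: str) -> str:
    """HTML-escape before reflecting so the browser treats it as text."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def return_url_vulnerable(return_url: str) -> str:
    """Redirects to whatever the client supplied (the open-redirect pattern)."""
    return return_url


def is_safe_return_url(candidate: str) -> bool:
    """Accept only a relative path on this site.

    Rejects absolute URLs, scheme-relative '//host', the '/\\host' form
    that browsers normalise to '//host', and control characters that
    could split the Location header.
    """
    if not candidate or not candidate.startswith("/"):
        return False
    if candidate.startswith("//") or candidate.startswith("/\\"):
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return False
    parts = urlsplit(candidate)
    # A genuinely relative path has neither scheme nor network location.
    if parts.scheme or parts.netloc:
        return False
    return True


def return_url_fixed(return_url: str, default: str = "/home") -> str:
    """Falls back to a fixed local page when the supplied target is unsafe."""
    return return_url if is_safe_return_url(return_url) else default


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"  # constructed sample input
    print(render_query_vulnerable(payload))
    print(render_query_fixed(payload))
    for target in ("/project/home.view?x=1", "//evil.example/", "/\\evil.example",
                   "https://evil.example/", "/home\r\nSet-Cookie: a=b"):
        print(repr(target), "->", return_url_fixed(target))
```

The allow-list approach (a relative path on the current host, or nothing) is deliberately stricter than a deny-list of known hostnames: every scheme-relative and backslash variant is rejected by construction rather than enumerated.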
The third flaw is in the network drive mapping functionality and stems from a lack of sanitization in the mount function. An attacker could leverage it to map a drive of their choosing on the server. However, the attacker must already hold administrator credentials to exploit the flaw.
“As an example proof of concept, notice how the mount command always attempts to run ‘unmount()’ at the start of any ‘mount()’ operation,” the researchers wrote. “This means that a user is able to supply any valid drive letter and the application (running with elevated privileges on the host) will end the connection regardless of whether or not the rest of the mapping command is correct.”
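The ordering problem the researchers describe, an unconditional unmount() running on the caller-supplied drive letter before the rest of the request is checked, is shown below as an added example; it is not LabKey's code. The Windows `net use` command lines, the regexes and the function names are illustrative assumptions, and commands are passed to an injectable runner that only records them, so the example runs offline without touching any drive.

```python
import re
from typing import Callable, List, Tuple

# Added example, not LabKey code. The 'net use' syntax is an assumption
# about how a Windows host maps network drives; the runner never executes it.

DRIVE_LETTER = re.compile(r"^[A-Za-z]:$")
# \\server\share with optional sub-folders; conservative character set.
UNC_PATH = re.compile(r"^\\\\[A-Za-z0-9.-]+\\[A-Za-z0-9_$.-]+(\\[A-Za-z0-9_$.-]+)*$")

Runner = Callable[[List[str]], None]


def mount_vulnerable(drive: str, unc: str, run: Runner) -> bool:
    """Mirrors the flaw: unmount runs first, before any operand is checked.

    A caller can therefore disconnect whatever is mapped at `drive` even
    when the mapping request itself is rejected.
    """
    run(["net", "use", drive, "/delete", "/y"])
    if not UNC_PATH.match(unc):
        return False
    run(["net", "use", drive, unc])
    return True


def mount_fixed(drive: str, unc: str, run: Runner) -> bool:
    """Validate every operand first; nothing executes on a bad request."""
    if not DRIVE_LETTER.match(drive) or not UNC_PATH.match(unc):
        return False
    drive = drive.upper()
    run(["net", "use", drive, "/delete", "/y"])
    run(["net", "use", drive, unc])
    return True


def recording_runner() -> Tuple[List[List[str]], Runner]:
    """Returns a command log and a runner that appends to it instead of executing."""
    log: List[List[str]] = []

    def run(argv: List[str]) -> None:
        log.append(list(argv))  # argv list, not a shell string: no interpolation

    return log, run


if __name__ == "__main__":
    # Constructed request: a valid drive letter with an invalid share path.
    for impl in (mount_vulnerable, mount_fixed):
        log, run = recording_runner()
        ok = impl("Z:", "not a share", run)
        print(impl.__name__, "accepted:", ok, "commands run:", log)
```

The difference is visible in the command log: the vulnerable version emits the delete for `Z:` and then rejects the request, while the fixed version emits nothing. Passing the operands as an argv list rather than building a command string also removes the separate risk of shell metacharacters in the drive or path.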
In response to the findings, LabKey released patches for each of these vulnerabilities on January 16. The researchers stressed that, to avoid falling victim to these flaws, all users should upgrade to the latest version of the LabKey platform.