Researchers discovered numerous vulnerabilities in the Yellowfin BI platform that could allow remote code execution attacks. The vulnerabilities mainly existed due to hardcoded keys in the app. Yellowfin BI developers patched the vulnerabilities following the bug report.
Yellowfin BI Vulnerabilities Existed Due To Hardcoded Keys
Sharing the details in a recent blog post, team Assetnote highlighted numerous severe vulnerabilities in the Yellowfin BI platform.
As explained, the researchers found these vulnerabilities while auditing Yellowfin BI, as they routinely do for third-party apps in search of pre-authentication vulnerabilities. The researchers added that mapping the pre-authentication attack surface of a Java monolith codebase helps in detecting the routes through which an unauthenticated remote user could reach application functionality.
Yellowfin BI is an analytics platform facilitating businesses in data intelligence reporting and other analytics activities by providing them with an interactive dashboard for better visualization.
According to Assetnote, the vulnerabilities stem from hardcoded keys, and exploiting them could even lead to remote code execution. Specifically, they include:
- CVE-2022-47884: an authentication bypass via StoryBoardAction in com/hof/mi/web/action/StoryBodyAction.java. Because the private key used for signing was hardcoded, the signature check could be bypassed, allowing sign-in as any user.
- CVE-2022-47885: another authentication bypass in the JsAPI Servlet, caused by the EXTAPI-IPID cookie – an AES-encrypted user ID protected only by hardcoded keys. Anyone who knew a victim’s session ID could impersonate that session.
- CVE-2022-47882: the JWT implementation inside the REST API relied on a hardcoded key, so anyone who extracted the JWT key and held a valid refresh token ID could forge a valid user JWT and gain elevated privileges.
- CVE-2022-47883: the researchers could execute arbitrary commands via Java Naming and Directory Interface (JNDI) injections, leveraging a forceString gadget.
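The common root cause in the first three issues above is key material compiled into the application rather than supplied at deployment time. The following scanner is an added example written for this article, not code from Assetnote or Yellowfin: it runs a few simple rules over Java source to flag string literals fed straight into `SecretKeySpec`, HMAC signing algorithms, secret-named fields, and embedded PEM private keys, while leaving a key read from the environment alone. The Java snippet it scans is constructed for illustration and does not reproduce any real product code; the class names, rule names and `Finding` type are all hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample Java source (not Yellowfin's code) mimicking the three
# hardcoded-key patterns described in the article: an AES key for a cookie,
# an HMAC secret for a JWT, and a PEM private key baked into a class. The
# last class shows the hardened form: the secret comes from the environment.
SAMPLE_JAVA = """\
package example.auth;

public class CookieCrypto {
    // hardcoded AES key material passed straight into SecretKeySpec
    private static final SecretKeySpec KEY =
        new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
}

public class JwtIssuer {
    private static final String JWT_SECRET = "super-secret-jwt-key";
    Algorithm alg = Algorithm.HMAC256(JWT_SECRET);
    Algorithm refresh = Algorithm.HMAC256("refresh-signing-key-2022");
}

public class Signer {
    private static final String PRIVATE_KEY =
        "-----BEGIN RSA PRIVATE KEY-----\\nPLACEHOLDER\\n-----END RSA PRIVATE KEY-----";
}

public class SafeJwtIssuer {
    // key comes from the deployment environment, not the source tree
    Algorithm alg = Algorithm.HMAC256(System.getenv("JWT_SECRET"));
}
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str


# A Java string literal of at least 8 characters; short labels such as
# "AES" or "HS256" are therefore never treated as key material.
LITERAL = r'"(?:[^"\\]|\\.){8,}"'

RULES = [
    # key bytes built directly from a literal
    ("key-spec-from-literal", re.compile(r'new\s+SecretKeySpec\s*\(\s*' + LITERAL)),
    # HMAC signing algorithm constructed from a literal secret
    ("hmac-from-literal", re.compile(r'Algorithm\.HMAC\d+\s*\(\s*' + LITERAL)),
    # a field or variable whose name suggests a secret, assigned a literal
    # (the (?!=) keeps "==" comparisons from being flagged as assignments)
    ("secret-named-literal",
     re.compile(r'(?i)\b\w*(?:secret|key|passw|token)\w*\s*=(?!=)\s*' + LITERAL)),
    # PEM-encoded private key material embedded in source
    ("embedded-pem-key", re.compile(r'"[^"]*-----BEGIN [A-Z ]*PRIVATE KEY-----')),
]


def scan_java_source(source: str) -> List[Finding]:
    """Return one Finding per source line that matches a hardcoded-key rule."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "*", "/*")):
            continue  # comments cannot hold live key material
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, name, stripped))
                break  # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    for f in scan_java_source(SAMPLE_JAVA):
        print(f"line {f.line_no:>3}  {f.rule:<24} {f.snippet}")
```

Run as-is, the scanner reports four lines (the AES key, the `JWT_SECRET` field, the literal passed to `HMAC256`, and the PEM block) and nothing from `SafeJwtIssuer`. A regex pass like this is a cheap first triage step for a codebase review; the remediation it points towards is the one `SafeJwtIssuer` illustrates: load keys from the environment or a secrets manager at start-up, fail closed when they are absent, and make them rotatable without a rebuild.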
The researchers have shared the technical details and PoC exploits for the vulnerabilities in their post.
Flaws Received Patches
Upon discovering the issues, team Assetnote reached out to Yellowfin BI developers to report the flaws.