SECURITY ADVISORY
Unintentional acquisition of elevated administrator privileges
- PUBLISHED: April 28, 2022
- RELEASE TYPE: Security Patch Release
- CRITICALITY: HIGH
- AFFECTED RELEASES: OTOBO 10.0
- CRITICALITY: MEDIUM
- AFFECTED RELEASES: OTOBO 10.0
- REFERENCE: https://nvd.nist.gov/vuln/detail/CVE-2022-0475
Description
Problem
OTOBO administrators or attackers with OTOBO administrator rights could exploit specific OTOBO features to gain unauthorized privileges on the server. These features will henceforth be available only via opt-in by the system administrator.
Criticality: HIGH
An XSS vulnerability in the package manager interface has been fixed (CVE-2022-0475).
Criticality: MEDIUM
Potential consequences
- Bypassing permission restrictions.
Measures for secure operation
Update to OTOBO 10.0.16
A security patch update is available to fix the vulnerability. Please update your system.
Bug Fixes & Enhancements
- Update to Elasticsearch version 7.17.3
- Adaptation of S/MIME functionality to newer OpenSSL versions
- Update of JavaScript libraries
- Consolidation of duplicate slashes in called URLs (PSGI)
- Removed DashboardBackend###0000-ProductNotify
- [Bugfix] Correct display of dynamic fields of type Title with a lot of text
- [Bugfix] Fixed an issue where pressing Enter in text input fields (e.g., the subject) aborted the response in CustomerTicketZoom
- Updated default texts in the CustomerDashboard
- Highlighting focused buttons in the customer interface (in addition to hover)
- [Bugfix] Fixed an issue where re-fetching database fields displayed an error message
Details on the admin vulnerability and how to handle it in OTOBO:
In OTRS6 and previous OTOBO versions, there is no strict separation between OTOBO administrator rights and permissions on the executing server. Some features explicitly allow server access with the rights of the executing program (e.g., apache2).
For most systems, this will not pose a serious problem, as OTOBO administrators often already have server access. However, there may be systems where OTOBO administrators should not have these permissions.
Fundamentally, separation makes sense to prevent an attacker who has gained OTOBO administrator rights from finding additional attack vectors on the server.
We have therefore decided to treat these specific functionalities as a security issue and to make them available only after an explicit opt-in by the system administrator in the Config.pm.
To this end, from OTOBO 10.0.16 / 10.1.3 onwards, the following options from Kernel/Config/Defaults.pm must be copied into Kernel/Config.pm and activated there:
- Ticket::GenericAgentAllowCustomScriptExecution
- DashboardBackend::AllowCmdOutput
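As an added example (not part of this advisory or of the OTOBO code base), the following POSIX shell script audits a Kernel/Config.pm for the two opt-in options named above, so an administrator can confirm that neither has been activated unintentionally. It assumes the usual OTOBO Config.pm assignment syntax `$Self->{'Option::Name'} = 1;` and treats any value other than 0 or an absent entry as "activated"; both are assumptions, not statements from the advisory. The Config.pm content it inspects is a constructed sample written by the script itself.

```shell
#!/bin/sh
# Added example, not OTOBO project code. Audits Kernel/Config.pm for the two
# server-access opt-ins named in the OTOBO 10.0.16 / 10.1.3 advisory.
# Assumption: options are set with "$Self->{'Option::Name'} = 1;" and a
# value of 0 (or no entry at all) means the secure default, i.e. disabled.

OPTINS="Ticket::GenericAgentAllowCustomScriptExecution DashboardBackend::AllowCmdOutput"

# Writes a constructed sample Config.pm to the given path (demo input only).
# The quoted heredoc delimiter keeps the shell from expanding $Self.
write_sample_config() {
    cat > "$1" <<'EOF'
# Kernel/Config.pm (constructed sample, not a real installation)
$Self->{'DatabaseHost'} = '127.0.0.1';
# Copied from Kernel/Config/Defaults.pm and explicitly activated:
$Self->{'Ticket::GenericAgentAllowCustomScriptExecution'} = 1;
# Copied but left at the secure default:
$Self->{'DashboardBackend::AllowCmdOutput'} = 0;
EOF
}

# Prints the value assigned to one option ($2) in the config file ($1), or
# "unset" when the option does not appear, in which case Defaults.pm applies.
# Commented-out lines are ignored; the last assignment wins, as in Perl.
optin_value() {
    val=$(grep -E "^[[:space:]]*\\\$Self->\\{['\"]?$2['\"]?\\}[[:space:]]*=" "$1" \
        | tail -n 1 \
        | sed -E "s/.*=[[:space:]]*['\"]?([^'\";]*)['\"]?[[:space:]]*;.*/\\1/")
    if [ -z "$val" ]; then
        echo "unset"
    else
        echo "$val"
    fi
}

# Reports the state of every opt-in. Returns 0 when none is activated
# (the post-patch default) and 1 when at least one grants server access.
audit_optins() {
    enabled=0
    for opt in $OPTINS; do
        v=$(optin_value "$1" "$opt")
        case "$v" in
            unset|0) echo "$opt: disabled ($v)" ;;
            *)       echo "$opt: ACTIVATED ($v) - OTOBO admins get server access"
                     enabled=1 ;;
        esac
    done
    return $enabled
}

# Stand-alone demonstration on the constructed sample.
DEMO_CFG=$(mktemp)
write_sample_config "$DEMO_CFG"
audit_optins "$DEMO_CFG" || echo "Review: at least one opt-in is activated."
rm -f "$DEMO_CFG"
```

Run it against a real installation by pointing `audit_optins` at the actual Kernel/Config.pm path; a non-zero exit status means one of the opt-ins is live and should be an intentional, documented decision.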
Notes on changed SysConfig options
JavaScript
With the present patch, various JavaScript libraries have been updated. These are set in the SysConfig options “Loader::Agent::CommonJS###000-Framework” and “Loader::Customer::CommonJS###000-Framework”.
If these options have been manually adjusted via the SysConfig (which we discourage), automatic updating is not possible.
In this case, please note the adjustments made, reset the setting, perform the update, and then manually adjust the option again if necessary.
We are happy to answer your questions. Contact us.
If you are a support customer and need assistance with the security patch, please contact us through your access in the support portal.
Report a security issue:
security@otobo.org