SECURITY ADVISORY
Unintentional acquisition of elevated administrator privileges
- PUBLISHED: April 28, 2022
- RELEASE TYPE: Security Patch Release
- CRITICALITY (administrator privilege issue): HIGH
- AFFECTED RELEASES: OTOBO 10.1
- CRITICALITY (XSS in package manager): MEDIUM
- AFFECTED RELEASES: OTOBO 10.1
- REFERENCE: https://nvd.nist.gov/vuln/detail/CVE-2022-0475
Description
Problem
OTOBO administrators or attackers with OTOBO administrator rights could exploit specific OTOBO features to gain unauthorized privileges on the server. These features will henceforth be available only via opt-in by the system administrator.
Criticality: HIGH
An XSS vulnerability in the package manager interface has been fixed (CVE-2022-0475).
Criticality: MEDIUM
Potential consequences
- Bypassing permission restrictions.
Measures for secure operation
Update to OTOBO 10.1.3
A security patch update is available to fix the vulnerability. Please update your system.
Bug Fixes & Enhancements
- Update to Elasticsearch version 7.17.3
- Adaptation of S/MIME functionality to newer OpenSSL versions
- Update of JavaScript libraries
- Expansion of CustomerTicketCategories
- Addition of Type, Service, and Status in TicketZoom and TicketList, with the ability to manage translations in the interface, text templates, and links
- Support for CustomerIDRaw in GenericInterface TicketSearch
Details on the admin vulnerability and how to handle it in OTOBO:
In OTRS6 and previous OTOBO versions, there is no strict separation between OTOBO administrator rights and permissions on the executing server. Some features explicitly allow server access with the executing program’s rights (e.g., apache2).
For most systems, this will not pose a serious problem, as OTOBO administrators often already have server access. However, there may be systems where OTOBO administrators should not have these permissions.
Fundamentally, it makes sense to have a separation to prevent an attacker who has gained OTOBO administrator rights from finding additional attack vectors on the server.
We have therefore decided to treat these specific functionalities as a security issue and to make them available only after an explicit opt-in by the system administrator in the Config.pm.
To this end, from OTOBO 10.0.16 / 10.1.3 onwards, the following options from Kernel/Config/Defaults.pm must be copied into Kernel/Config.pm and activated there:
- Ticket::GenericAgentAllowCustomScriptExecution
- DashboardBackend::AllowCmdOutput
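The following audit script is an added example, not part of the advisory or of OTOBO itself: it scans a Kernel/Config.pm for the two opt-in options named above and reports whether either one has been activated, so an administrator can confirm the hardened default is still in place after the update. It assumes the options are written in the usual OTOBO Perl form `$Self->{'Key'} = value;` and that a non-zero value enables them.

```shell
#!/bin/sh
# Audit helper (added example): report the opt-in options that give OTOBO
# administrators access to the server with the web server's rights.
# Assumption: options are set in Config.pm as  $Self->{'Key'} = 1;
# and a non-zero value means "enabled". Commented-out lines are ignored.

# Usage: otobo_check_optins /path/to/Kernel/Config.pm
# Prints "ENABLED: <option>" per active option; returns 1 if any is active.
otobo_check_optins() {
    cfg="$1"
    found=0
    for opt in Ticket::GenericAgentAllowCustomScriptExecution \
               DashboardBackend::AllowCmdOutput; do
        # Anchored at line start so "# $Self->{...}" comments do not match;
        # accepts single or double quotes and arbitrary spacing.
        pattern="^[[:space:]]*[\$]Self->[{]['\"]${opt}['\"][}][[:space:]]*=[[:space:]]*[1-9]"
        if grep -Eq "$pattern" "$cfg"; then
            echo "ENABLED: $opt"
            found=1
        fi
    done
    return $found
}

# Constructed sample Config.pm (not a real OTOBO file) for a stand-alone run.
sample=$(mktemp)
printf '%s\n' \
    "# constructed sample, not a real OTOBO Config.pm" \
    "\$Self->{'DatabaseHost'} = '127.0.0.1';" \
    "# \$Self->{'DashboardBackend::AllowCmdOutput'} = 1;   # commented out" \
    "\$Self->{'Ticket::GenericAgentAllowCustomScriptExecution'} = 1;" \
    > "$sample"

if otobo_check_optins "$sample"; then
    echo "OK: no opt-in options enabled"
else
    echo "WARNING: opt-in options enabled; confirm this is intended"
fi
rm -f "$sample"
```

A Config.pm that sets these options through other Perl code paths is not detected by a line-oriented check, so treat a clean result as a sanity check, not proof.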
Notes on changed SysConfig options
JavaScript
With this patch, various JavaScript libraries have been updated. These are set in the SysConfig options “Loader::Agent::CommonJS###000-Framework” and “Loader::Customer::CommonJS###000-Framework”.
If these options have been manually adjusted via the SysConfig (which we do not recommend), automatic updates are not possible.
Please note your adjustments in this case, reset the setting, perform the update, and then, if necessary, manually adjust the option again.
CustomerTicketCategories
With the previous version, 10.1.2, the ability to define state and service in the CustomerTicketCategories was introduced.
Their labels were previously hardcoded translations. We have changed this and made them generally configurable.
If you use either category and need individual translations, please extend the corresponding SysConfig option (e.g., “Ticket::Frontend::CustomerTicketCategories###State”) with the attribute “Translate”->“1”.
We are happy to answer your questions. Contact us.
If you are a support customer and need assistance with the security patch, please contact us through your access in the support portal.
Report a security issue:
security@otobo.org