#31920
Grit Rother
Administrator

        Does the security vulnerability in OTRS reported by heise online affect OTOBO systems?

        OTRS ticket system: Attackers can view unencrypted passwords | heise online (in German)

        Since the German IT News Portal heise online has reported that attackers can view unencrypted passwords in OTRS, we keep receiving enquiries as to whether this security vulnerability also affects OTOBO.

        In short: not by default.

        Some more details:

        The article is about a total of 3 CVEs.

        CVE-2024-4344 – criticality ‘high’
        This CVE relates to the fact that in certain cases – which do not apply to OTOBO by default (OTOBO does not store passwords in plain text in its own database by default) – attackers can read user passwords.

        For passwords to be displayed unencrypted in OTOBO, 2 things have to come together:

        • There must be a backend that forwards the passwords to OTOBO unencrypted, e.g. an external customer database (basically a security risk of the connected backend).
        • And: Logging must be activated by proactively changing the source code.
          This means that you need access to the code and must know exactly what you are doing. Logging is not active by default. Accidentally activating the feature via a setting in the admin interface or similar is also impossible.
          (If you suspect that the function could be active in your own system nevertheless, please contact our support team to find out for sure).

        (Further mitigation is planned: https://github.com/RotherOSS/otobo/issues/3737)

        CVE-2024-43442 & CVE-2024-43443 – criticality ‘medium’
        These two CVEs relate to vulnerabilities that allow an admin who is already logged in to attack other admins.

        We assume that these vulnerabilities have been fixed in OTOBO as measures have already been taken in this respect in earlier patches.

        Nevertheless, the development team is currently analysing the situation once again. If any further action is required, we will inform you here.
