CVE-2022-25152

ITarian - Any user with a valid session token can create and execute agent procedures and bypass mandatory approvals

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

The ITarian platform (SAAS / on-premise) offers the possibility to run code on agents via a function called procedures. It is possible to require a mandatory approval process. Due to a vulnerability in the approval process, present in any version prior to 6.35.37347.20040, a malicious actor (with a valid session token) can create a procedure, bypass approval, and execute the procedure. This results in the ability for any user with a valid session token to perform arbitrary code execution and full system take-over on all agents.

La plataforma ITarian (SAAS / on-premise) ofrece la posibilidad de ejecutar código en los agentes por medio de una función llamada procedimientos. Es posible requerir un proceso de aprobación obligatorio. Debido a una vulnerabilidad en el proceso de aprobación, presente en cualquier versión anterior a 6.35.37347.20040, un actor malicioso (con un token de sesión válido) puede crear un procedimiento, omitir la aprobación y ejecutar el procedimiento. Esto resulta en la capacidad de cualquier usuario con un token de sesión válido para llevar a cabo la ejecución de código arbitrario y la toma de control total del sistema en todos los agentes

*Credits: This issue was discovered by Wietse Boonstra & Hidde Smit of DIVD.

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2022-02-14 CVE Reserved
2022-06-08 CVE Published
2023-11-19 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-358: Improperly Implemented Security Check for Standard

CAPEC

References (2)

URL	Tag	Source
https://csirt.divd.nl/CVE-2022-25152	Third Party Advisory
https://csirt.divd.nl/DIVD-2021-00037	Related

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Itarian Search vendor "Itarian"		On-premise Search vendor "Itarian" for product "On-premise"				< 6.35.37347.20040 Search vendor "Itarian" for product "On-premise" and version " < 6.35.37347.20040"		-		Affected
Itarian Search vendor "Itarian"		Saas Service Desk Search vendor "Itarian" for product "Saas Service Desk"				< 6.35.37347.20040 Search vendor "Itarian" for product "Saas Service Desk" and version " < 6.35.37347.20040"		-		Affected