Password theft bug chain patched in Passwordstate credential manager

Charlie Osborne 21 December 2022 at 16:16 UTC

Flaws could be combined to grab passwords in cleartext

Vulnerabilities in enterprise password manager Passwordstate that could be combined to exfiltrate stored credentials have been patched.

Developed by Australian vendor Click Studios, Passwordstate is an on-premise suite comrpising role-based administration and access control, sensitive information sharing, AES data encryption, and browser extension capabilities. The software has approximately 29,000 users.

Passwordstate was subject to scrutiny by Swiss security consultancy modzero AG following a customer request to check the password manager’s security.

Modzero researchers Constantin Muller, Jan Benninger, and Pascal Zenker duly conducted an audit of Passwordstate and found a range of security issues, as documented in the team’s disclosure report (PDF).

RECOMMENDED Becoming a penetration tester: ‘Mr hacking’ John Jackson on the virtue of ‘endless curiosity’

They included CVE-2022-3875, a high severity API authentication bypass (CVSS 7.3); CVE-2022-3876 (CVSS 4.3), where UpdatePassword file manipulation leads to authorization bypass; and CVE-2022-3877 (CVSS 3.5), a cross-site scripting (XSS) flaw in the user interface.

Researchers also found another XSS, the use of hard-coded credentials for APIs, insufficient protection for password lists, and potential exposure of passwords in the browser extension.

Attack chain

A potential attack chain would look like this: forge an API token using a valid username, add malicious password entries with XSS payloads in public and private password lists, wait until an administrator unwittingly opens a password entry, secure a reverse shell, and then pull and dump passwords stored in the Passwordstate instance.

“Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application,” the researchers say.

“The individual vulnerabilities can be chained to gain a shell on the Passwordstate host system and dump all stored passwords in cleartext – starting with nothing more than a valid username!”

According to modzero, Click Studios was “responsive” throughout the disclosure process and quick to triage and patch the researchers’ findings, resulting in Passwordstate version 9.6 (9653).

“Password safety and therefore password management solutions are the foundation on which an organization’s security infrastructure is built on,” modzero commented. "The uncovered findings show the incredible importance of ongoing security audits for critical assets and red teaming engagements within organizations.”

The Daily Swig has reached out to Click Studios and we will update if and when when we hear back.

RELATED Mastodon users vulnerable to password-stealing attacks