“Kite in a Storm” Web Administrator to Remote Code Execution

Remote Code Execution

Researchers at ZX Security discovered a chain of vulnerabilities that ends with Remote Code Execution in the Accellion Kitework® framework. Kiteworks is a secure file-sharing platform targeted at enterprise audiences that facilitates sharing, syncing, and modifying files between internal and external users on multiple devices.

CVE 2021-31585 was discovered in the administrative functionality, specifically the licensing verification function. The author comments on the probability that the underlying code was not thoroughly audited as other parts of the application were resulting in this vulnerability.

The impact:

An attacker who has managed to gain administrator privileges on the web application can execute arbitrary commands on the underlying host and forge their own signed licences that the application accepts as if it were a legitimate instance.

If an attacker can execute commands on an underlying host, they can also compromise the entire application, exfiltrate any sensitive files hosted on the server and potentially pivot onto internal infrastructure, increasing the attack surface.

The remediation:

The impact is somewhat mitigated by the fact that an attacker must have an Administrator account to achieve remote code execution in the first place. However, it is a reminder that a threat actor is not likely to stop at an administrator account. They will leverage their privileges to accumulate even more until they reach a point where they can attack any user on the network and exfiltrate sensitive information with impunity.

Those who use Kiteworks should patch to versions 7.3.1-ng9 or later. Furthermore, block port 22 if unused and or is non-essential to operations.

Source: ZX Security

Risk Crew