CVE-2024-2463: Weak password recovery mechanism in CDeX
A vulnerability I found in the CDeX software, offered by the company of the same name. It allows an attacker to intercept the token used to reset the password of any user.
Overview
On the software manufacturer’s website, we can read the following product description: “CDeX (Cyber Defense eXercise Platform) is a virtual training platform designed to enhance cyber defense skills and develop cybersecurity technologies. Our advanced cyber offering provides a fully scalable, automated, and hyperrealistic training environment, which allows team members to build competence in the field of cyber defense.”
Vulnerability description
Access to the platform is possible after logging in through SSO (Single Sign-On) or with login credentials, namely a username and password. For forgotten passwords, users have a password recovery function at their disposal. However, the request sent in this process does not properly verify the Host header, so an attacker can inject an arbitrary domain into the reset link that the platform e-mails to the user. To exploit this vulnerability, the targeted person must click on the link contained in the received e-mail.
Exploitation scenario
An example of exploiting the vulnerability is presented in the following video:
Timeline
| Date | Action |
|---|---|
| 1 February 2024 | Report sent to CDeX |
| 15 February 2024 | Report sent to CERT Polska |
| 23 February 2024 | CDeX confirms the vulnerability exists |
| 11 March 2024 | CDeX releases a software patch |
| 15 March 2024 | CERT Polska assigns CVE-2024-2463 to this vulnerability |
| 21 March 2024 | CERT Polska publishes the vulnerability |
How to prevent similar vulnerabilities in your application
To prevent HTTP Host header attacks, the simplest approach is to avoid using the Host header in server-side code at all. Check carefully whether each URL really needs to be absolute; often a relative URL can be used instead. Where an absolute URL is unavoidable, as in a password-reset e-mail, build it from a hostname fixed in the server configuration rather than from anything in the request. More information on how to prevent such attacks can be found at this link.
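As an added illustration (my own example, not CDeX code), here is the flaw class and its fix side by side in Python: the vulnerable builder takes the reset link's origin from the request's Host header, while the hardened one takes it from configuration and rejects requests whose Host is not on an allowlist. The hostnames, path and header dicts are assumed values constructed for the example.

```python
# Added example for this advisory, not code from CDeX.
# Shows how a password-reset link ends up pointing at whatever domain the
# request carried, and how to build it from configuration instead.
from urllib.parse import urlencode

# Constructed values: the origin the application is actually served from.
CANONICAL_ORIGIN = "https://training.example.com"
ALLOWED_HOSTS = {"training.example.com"}
RESET_PATH = "/reset-password"


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Builds the link from the client-supplied Host header.

    This is the weakness described above: the token is embedded in a link
    whose domain the sender of the request controls, so the e-mailed link
    delivers the token to that domain when the victim clicks it.
    """
    host = headers.get("Host", "")
    return f"https://{host}{RESET_PATH}?{urlencode({'token': token})}"


def host_accepted(headers: dict) -> bool:
    """Allowlist check on the Host header (port stripped, case-folded).

    Reverse-proxy headers such as X-Forwarded-Host are just as
    attacker-controlled and must never be trusted here either.
    """
    host = headers.get("Host", "").split(":", 1)[0].strip().lower()
    return host in ALLOWED_HOSTS


def reset_link_hardened(headers: dict, token: str) -> str:
    """Never derives the origin from the request.

    The Host check only rejects unexpected requests early; the link itself is
    assembled from the configured canonical origin, so the e-mailed URL is the
    same no matter what the request said.
    """
    if not host_accepted(headers):
        raise ValueError("unexpected Host header, refusing to issue reset link")
    return f"{CANONICAL_ORIGIN}{RESET_PATH}?{urlencode({'token': token})}"
```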