CVE-2024-2463: Weak password recovery mechanism in CDeX

Vulnerability detected by me in the CDeX software offered by the company of the same name. The vulnerability allows the interception of the token used to reset the password of any user.


Overview

On the software manufacturer's website [3], we can read the following product description: “CDeX (Cyber Defense eXercise Platform) is a virtual training platform designed to enhance cyber defense skills and develop cybersecurity technologies. Our advanced cyber offering provides a fully scalable, automated, and hyperrealistic training environment, which allows team members to build competence in the field of cyber defense.”

Vulnerability description

Access to the platform is possible either through SSO (Single Sign-On) or with login credentials, namely a username and password. For forgotten passwords, users have a password recovery function at their disposal. However, the request sent in this process does not properly validate the Host header, so an attacker can supply an arbitrary domain, which the application then uses to build the reset link placed in the e-mail sent to the victim. To exploit this vulnerability, the targeted user must click the link contained in the received e-mail; doing so delivers the reset token to the attacker-controlled domain, after which the attacker can use it to set a new password for that account.

Exploitation scenario

An example of exploiting the vulnerability is presented in the following video:

Timeline

Date              Action
1 February 2024   Report sent to CDeX
15 February 2024  Report sent to CERT Polska
23 February 2024  CDeX confirms the vulnerability exists
11 March 2024     CDeX releases a software patch
15 March 2024     CERT Polska assigns CVE-2024-2463 to this vulnerability
21 March 2024     CERT Polska publishes the vulnerability

How to prevent similar vulnerabilities in your application

To prevent HTTP Host header attacks, the simplest approach is to avoid using the Host header in server-side code, in particular when generating absolute URLs such as password reset links. Carefully check whether each URL really needs to be absolute; often a relative URL can be used instead. Where an absolute URL is unavoidable, build it from a canonical domain stored in the application's configuration rather than from anything in the request, and reject requests whose Host header is not on an explicit allow-list. More information on how to prevent such attacks can be found in reference [5].
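The following Python example is added here to illustrate both the flaw described above and the fix; it is not CDeX code and makes no claim about how CDeX is implemented. It models a password reset handler in two variants: one that derives the reset link from the request's Host header (the pattern behind password reset poisoning) and one that derives it from a configured canonical origin and additionally checks Host against an allow-list. The base URL, allowed hosts and the sample requests are all constructed for the example.

```python
"""Password reset link generation: Host-header-derived (vulnerable) vs. configuration-derived (fixed).

Added illustration, not code from CDeX. CANONICAL_BASE_URL and ALLOWED_HOSTS are
hypothetical deployment values; in a real application they come from configuration,
never from the incoming request.
"""
import secrets
from urllib.parse import urljoin

CANONICAL_BASE_URL = "https://app.example.com"   # assumed deployment value
ALLOWED_HOSTS = {"app.example.com"}              # assumed deployment value


def new_reset_token() -> str:
    """A random, URL-safe token; its secrecy is all that protects the reset flow."""
    return secrets.token_urlsafe(32)


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Builds the absolute link from the incoming Host header.

    Whoever controls the Host header of the reset request controls the domain the
    victim's token is sent to. This is the weakness the advisory describes.
    """
    host = headers.get("Host", "")
    return f"https://{host}/reset-password?token={token}"


def reset_link_fixed(token: str) -> str:
    """Builds the link from a configured canonical origin; the request is not consulted."""
    return urljoin(CANONICAL_BASE_URL, f"/reset-password?token={token}")


def host_is_allowed(headers: dict) -> bool:
    """Defence in depth: accept only an exact, case-insensitive match against the allow-list.

    The port is stripped and a trailing dot removed so that 'APP.example.com:443' still
    matches, while 'app.example.com.attacker.example' does not.
    """
    host = headers.get("Host", "").split(":", 1)[0].lower().rstrip(".")
    return host in ALLOWED_HOSTS


def handle_reset_request(headers: dict, token: str, vulnerable: bool):
    """Returns the link that would be e-mailed to the user, or None if the request is rejected."""
    if vulnerable:
        return reset_link_vulnerable(headers, token)
    if not host_is_allowed(headers):
        return None            # poisoned request never reaches the mailer
    return reset_link_fixed(token)


if __name__ == "__main__":
    token = new_reset_token()
    # Constructed requests: a legitimate one and one with an attacker-supplied Host header.
    legit = {"Host": "app.example.com"}
    poisoned = {"Host": "attacker.example"}

    print("vulnerable, legit   :", handle_reset_request(legit, token, vulnerable=True))
    print("vulnerable, poisoned:", handle_reset_request(poisoned, token, vulnerable=True))
    print("fixed, legit        :", handle_reset_request(legit, token, vulnerable=False))
    print("fixed, poisoned     :", handle_reset_request(poisoned, token, vulnerable=False))
```

In the vulnerable variant the poisoned request yields a link on attacker.example carrying the victim's token, which is exactly what an attacker harvests when the victim clicks it. One caveat when applying the fix in a real framework: many frameworks also honour X-Forwarded-Host when building absolute URLs, so that header must be covered by the same allow-list (or ignored unless a trusted reverse proxy sets it), otherwise the check on Host alone can be bypassed.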

References

  1. https://cert.pl/en/posts/2024/03/CVE-2024-2463/
  2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2463
  3. https://cdex.cloud/
  4. https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning
  5. https://portswigger.net/web-security/host-header#how-to-prevent-http-host-header-attacks