CVE-2024-2465: Open redirect in CDeX
Vulnerability detected by me in the CDeX software offered by the company of the same name. The vulnerability allows an attacker to redirect users to arbitrary websites via a specially crafted URL.
Overview
On the software manufacturer’s website, we can read the following product description: “CDeX (Cyber Defense eXercise Platform) is a virtual training platform designed to enhance cyber defense skills and develop cybersecurity technologies. Our advanced cyber offering provides a fully scalable, automated, and hyperrealistic training environment, which allows team members to build competence in the field of cyber defense.”
Vulnerability description
The vulnerability stems from insufficient validation of the redirect parameter in the URL, which allows attackers to manipulate the redirection target so that the victim is unknowingly redirected to a malicious site. Such an attack can lead to data theft, phishing, or other dangerous scenarios that exploit the user’s trust in the original application. Successful exploitation depends on the victim’s interaction: the victim must click a manipulated link, typically sent by email or instant messenger.
Exploitation scenario
An example of exploiting the vulnerability is presented in the following video:
Timeline
| Date | Action |
|---|---|
| 1 February 2024 | Report sent to CDeX |
| 15 February 2024 | Report sent to CERT Polska |
| 23 February 2024 | CDeX confirms the vulnerability exists |
| 11 March 2024 | CDeX releases a software patch |
| 15 March 2024 | CERT Polska assigns CVE-2024-2465 to this vulnerability |
| 21 March 2024 | CERT Polska publishes the vulnerability |
How to prevent similar vulnerabilities in your application
If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases this can be achieved in one of two ways:
- Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.
- Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.
If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:
- The application should use relative URLs in all of its redirects, and the redirection function should strictly validate that the URL received is a relative URL.
- The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character. It should then prepend http://yourdomainname.com to the URL before issuing the redirect.
- The application should use absolute URLs for all of its redirects, and the redirection function should verify that the user-supplied URL begins with http://yourdomainname.com/ before issuing the redirect.
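As an added illustration (not code from the CDeX advisory or product), the options above as a small Python redirect helper: the indexed allow-list, the web-root-relative check with the origin prepended, and the absolute-URL check done by parsing rather than by string prefix. The origin `yourdomainname.com`, the `https` scheme and the allow-list entries are constructed placeholders. The relative-path check also covers protocol-relative `//host` inputs, which start with a slash but still leave the site.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholders for this example; a deployment uses its own values.
APP_SCHEME = "https"
APP_HOST = "yourdomainname.com"
ALLOWED_TARGETS = ["/dashboard", "/settings", "/reports"]  # option 2: indexed list

# Characters browsers normalise away or treat as path separators; reject rather
# than try to canonicalise them.
UNSAFE_CHARS = "\\\r\n\t\x00"


def target_from_index(idx):
    """Option 2: the client sends an index, never a URL. None if out of range."""
    if isinstance(idx, int) and not isinstance(idx, bool) and 0 <= idx < len(ALLOWED_TARGETS):
        return f"{APP_SCHEME}://{APP_HOST}{ALLOWED_TARGETS[idx]}"
    return None


def redirect_from_relative(user_url):
    """Web-root-relative option: accept only '/path...' and rebuild it on APP_HOST.
    Returns None for anything a browser could resolve to another site."""
    if not isinstance(user_url, str) or not user_url.startswith("/"):
        return None
    # '//host' and '/\host' start with '/' but are protocol-relative in browsers,
    # so a bare startswith('/') check is not sufficient on its own.
    if user_url[1:2] in ("/", "\\") or any(c in user_url for c in UNSAFE_CHARS):
        return None
    parts = urlsplit(user_url)
    if parts.scheme or parts.netloc:
        return None
    # Rebuild from path/query/fragment only, so the host is always ours.
    return urlunsplit((APP_SCHEME, APP_HOST, parts.path, parts.query, parts.fragment))


def redirect_from_absolute(user_url):
    """Absolute-URL option, done by parsing instead of a string prefix test.
    A careless prefix test passes hosts such as APP_HOST + '.other.example' or
    userinfo forms like APP_HOST + '@other.example'; comparing parsed parts does not."""
    if not isinstance(user_url, str) or any(c in user_url for c in UNSAFE_CHARS):
        return None
    try:
        parts = urlsplit(user_url)
        if parts.scheme != APP_SCHEME or parts.hostname != APP_HOST:
            return None
        if parts.username is not None or parts.port is not None:
            return None
    except ValueError:  # malformed netloc or port
        return None
    return urlunsplit((APP_SCHEME, APP_HOST, parts.path or "/", parts.query, parts.fragment))
```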