CVE-2024-2465: Open redirect in CDeX

Vulnerability detected by me in the CDeX software offered by the company of the same name. The vulnerability allows attackers to redirect users to arbitrary websites via a specially crafted URL.

Overview

On the software manufacturer’s website, we can read the following product description: “CDeX (Cyber Defense eXercise Platform) is a virtual training platform designed to enhance cyber defense skills and develop cybersecurity technologies. Our advanced cyber offering provides a fully scalable, automated, and hyperrealistic training environment, which allows team members to build competence in the field of cyber defense.”

Vulnerability description

The vulnerability stems from insufficient validation of the redirect parameter in the URL: an attacker can manipulate the parameter so that the victim is unknowingly redirected to a malicious site. This can lead to data theft, phishing, or other dangerous scenarios that abuse the user's trust in the original application. Successful exploitation requires victim interaction: the victim must click a manipulated link, typically sent by e-mail or instant messenger.

Exploitation scenario

An example of exploiting the vulnerability is shown in the following video:

Timeline

Date                Action
1 February 2024     Report sent to CDeX
15 February 2024    Report sent to CERT Polska
23 February 2024    CDeX confirms the vulnerability exists
11 March 2024       CDeX releases a software patch
15 March 2024       CERT Polska assigns CVE-2024-2465 to this vulnerability
21 March 2024       CERT Polska publishes the vulnerability

How to prevent similar vulnerabilities in your application

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behavior can be avoided in two ways:

  • Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.
  • Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.

If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:

  • The application should use relative URLs in all of its redirects, and the redirection function should strictly validate that the URL received is a relative URL.
  • The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character. It should then prepend http://yourdomainname.com to the URL before issuing the redirect.
  • The application should use absolute URLs for all of its redirects, and the redirection function should verify that the user-supplied URL begins with http://yourdomainname.com/ before issuing the redirect.
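
The following Python code is an added example, not part of the original advisory and not code from CDeX; it implements the allowlist approach from the first list and the second and third measures from the list above. APP_ORIGIN reuses the advisory's http://yourdomainname.com placeholder, and REDIRECT_TARGETS and every sample URL are constructed. It goes one step beyond the bullet wording in a way a practitioner would want: a bare "starts with a slash" check still admits protocol-relative targets such as //host/path, so the validator rejects those as well.

```python
from typing import Optional
from urllib.parse import urlsplit

# Origin of the application; the advisory's placeholder stands in for the real one.
APP_ORIGIN = "http://yourdomainname.com"

# Allowlist approach: a server-side table of permitted targets. The client
# passes a key into this table, never a URL. (Constructed sample data.)
REDIRECT_TARGETS = {
    "home": "/",
    "dashboard": "/dashboard",
    "support": "https://support.example/cdex",  # external targets are fine when fixed server-side
}


def redirect_by_key(key: str) -> Optional[str]:
    """Look up an allowlisted target by key; unknown keys yield None."""
    return REDIRECT_TARGETS.get(key)


def is_safe_relative(url: str) -> bool:
    """Web-root-relative measure: accept only paths that start with "/".

    A plain "starts with a slash" test is not enough on its own: "//host/path"
    and "/\\host/path" also start with a slash, yet browsers resolve them to
    another host. Both are rejected here, as are values carrying a scheme or
    authority and anything containing whitespace or control characters.
    """
    if not url.startswith("/"):
        return False
    if url.startswith("//") or url.startswith("/\\"):
        return False
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc == ""


def is_same_origin_absolute(url: str) -> bool:
    """Absolute-URL measure: the value must begin with the origin followed by "/".

    The trailing slash is what makes "http://yourdomainname.com.attacker.example/"
    and "http://yourdomainname.com@attacker.example/" fail the prefix test; the
    parsed scheme and host are compared as a second check.
    """
    if not url.startswith(APP_ORIGIN + "/"):
        return False
    parts = urlsplit(url)
    origin = urlsplit(APP_ORIGIN)
    return parts.scheme == origin.scheme and parts.netloc == origin.netloc


def resolve_redirect(user_url: str, default: str = "/") -> str:
    """Turn a user-supplied redirect parameter into an absolute URL on our origin,
    falling back to `default` on our own origin whenever validation fails."""
    if is_safe_relative(user_url):
        return APP_ORIGIN + user_url
    if is_same_origin_absolute(user_url):
        return user_url
    return APP_ORIGIN + default


if __name__ == "__main__":
    # Constructed samples: the first two are accepted, the rest fall back to "/".
    for candidate in [
        "/dashboard?tab=labs",
        "http://yourdomainname.com/dashboard",
        "//attacker.example/login",
        "/\\attacker.example",
        "https://attacker.example/",
        "http://yourdomainname.com.attacker.example/",
        "http://yourdomainname.com@attacker.example/",
    ]:
        print(f"{candidate!r:50} -> {resolve_redirect(candidate)}")
```

Rejected values fall back to the web root rather than raising an error, so a tampered link degrades to a harmless redirect to the application itself; if the application logs the rejected value, those log entries are also a useful signal that someone is probing the redirect parameter.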

References

  1. https://cert.pl/en/posts/2024/03/CVE-2024-2463/
  2. https://cdex.cloud/
  3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2465
  4. https://portswigger.net/kb/issues/00500100_open-redirection-reflected