Problem:
Connection Suite 2.3x is a web application that makes use of Adobe Flash. The web application implements 2FA by using a numeric challenge/response. When logging into the application, the user is presented with a 2FA challenge ("Security code nr:") and has to respond with a 6 digit number. The challenge/response pairs are stored in the Flash application itself, making it easy for an attacker to look up the response. Also, the 2FA requirement can be completely skipped by altering a response from the server. Incorrect Access Control in the Adobe Flash client allows Escalation of Privileges.
Fix:
Connection Suite version 3.0.0 and later no longer utilises Adobe Flash, and client-side 2FA is removed. Dualog Connection Suite 3.0 was released on December 8, 2020. See Connection Suite 3.0 release notes here.
Source
This vulnerability was found by PenTestPartners (PTP) during a random security testing.
Comments
Article is closed for comments.