Patch management

Deskpro XSS flaws could hijack admin sessions, take over helpdesk agent accounts

Hackers could have exploited cross-site scripting vulnerabilities found in popular helpdesk platform Deskpro to hijack the sessions of administrators and takeover the accounts of helpdesk agents.

This would give the attackers the same privileges as admins and agents in terms of what they could execute or information they are exposed to, according to a blog by the Checkmarx researchers who found the flaw while auditing the platform. In certain cases, attackers could have reset the entire helpdesk, wiping all system data.

Given the shift to remote work and the need for helpdesk software that lets remote teams collaborate, Checkmarx audited Deskpro’s security as part of the company’s bug bounty program. Checkmarx researchers said attackers could exploit the issue in two ways:

Administrator session hijacking. This flaw had a CVSS score of 8.8, which security pros consider high. The issue was found in Deskpro version 2020.2.9 running in a docker container using the official Deskpro docker image. Even so, the underlying problem – a stored XSS vulnerability – also affects the cloud version. Malicious users can execute arbitrary code in the victim’s browser to exfiltrate the session token. With the token in hand, malicious users could hijack victims’ sessions and execute actions on their behalf.

Agent account takeover. This vulnerability was assigned a CVSS score of 8.1, also considered high. The issue was found in Deskpro 2020.2.9, running in a docker container using the official Deskpro docker image. Also in this instance, the stored XSS vulnerability affects the cloud version. Malicious users can execute arbitrary code in the victim’s browser, allowing them to take over a victim’s account.

This find again proves that there’s no such thing as error-free code, said Dirk Schrader, global vice president at New Net Technologies. Deskpro was quick in reacting to Checkmarx and in fixing the issue, he said, while asking for a 90-day hold period, which he said was reasonable to get the majority of installations patched.

“As usual, attackers will find those who haven’t heard the call,” Schrader said. “Controlling all changes to your environment ensures detection of unwanted changes, and scanning for vulnerabilities regularly with an up-to-date scanner ensures that – should the call for patching have been missed – another alarm gets raised.”

prestitial ad