Passwordstate Vulnerabilities Could Expose Passwords In Plaintext

Researchers discovered numerous vulnerabilities in the credential manager “Passwordstate” that could leave stored passwords exposed. The vendor patched the flaws before any exploitation attempts were observed, so the risk was contained.

Passwordstate Vulnerability Exposing Credentials

According to an advisory from the Swiss cybersecurity firm modzero AG, its researchers found multiple security issues in Passwordstate.

Passwordstate is an enterprise password management solution from Click Studios with a prominent customer base, including some Fortune 500 companies.

Specifically, they found at least seven security issues in the Passwordstate app and Chrome extension. The researchers believed that an attacker could even exploit these vulnerabilities in a chained manner to gain a shell on the Passwordstate host system and retrieve plaintext credentials.

About the vulnerabilities

The most important vulnerabilities affecting the tool include:

  • CVE-2022-3875 (CVSS 9.1): a critical severity authentication bypass vulnerability in Passwordstate API. An unauthenticated adversary could modify an assumed-immutable API token to exploit the flaw, which only required the attacker to know the target’s username.
  • CVE-2022-3876 (CVSS 6.5): a medium severity authorization bypass allowing an authenticated attacker to bypass access controls and modify a target’s password entries. Exploiting this vulnerability required the attacker to have authenticated access to the tool and know the target’s PasswordID or PasswordListID.
  • CVE-2022-3877 (CVSS 5.7): an authenticated attacker could exploit this cross-site scripting (XSS) vulnerability to gain elevated privileges and read passwords. This vulnerability existed in the password entry URL due to improper input neutralization.

The advisory also lists the following four vulnerabilities, which have no CVE IDs:

  • Inadequate protection of stored passwords, because the product relies on server-side symmetric encryption rather than end-to-end encryption. An attacker with access to the host running a Passwordstate instance could retrieve the symmetric encryption keys and read the passwords in plaintext. This was not a newly reported flaw: Northwave Security had reported it earlier. At that time, Click Studios attempted to address the issue through obfuscation, but a determined attacker could still reverse engineer the mitigation.
  • The researchers noticed the presence of hard-coded credentials in the software’s webcharts API, allowing an adversary to retrieve audited events.
  • Exposed credentials of password secured lists in HTML source code could let an authenticated attacker retrieve passwords from the lists’ template.
  • Improper authorization in the Passwordstate browser extension could allow an attacker to access stored passwords. Exploiting this vulnerability required the attacker to trick the victim into visiting a maliciously crafted web page.
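The first of the four issues above is an architectural one, and it is easiest to see with a small model. The following Python example is added here and is not Passwordstate's code or modzero's proof of concept: it contrasts a vault whose encryption key lives in server-side configuration next to the ciphertext with a vault whose key is derived on the client from a master password the server never sees. The cipher is an HMAC-SHA256 counter-mode keystream plus an HMAC tag, a stand-in for a real AEAD such as AES-GCM so that the example runs on the standard library alone; the vault classes, field names and sample credentials are all constructed for the demonstration.

```python
"""Server-held key vs. client-derived key for a credential store.

Constructed demonstration of the design weakness described in the advisory;
not the product's code. The cipher below is a stdlib stand-in for AES-GCM.
"""
import hashlib
import hmac
import os
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: deterministic for (key, nonce), so XOR
    # with it encrypts and decrypts symmetrically. Stand-in for a real AEAD.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC a record with a fresh random nonce."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unseal(key: bytes, record: dict) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the record was tampered with."""
    expected = hmac.new(key, record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    stream = _keystream(key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], stream))


class ServerSideVault:
    """The design the advisory criticises: the key sits on the host beside the data."""

    def __init__(self) -> None:
        # Hypothetical: a key kept in server configuration (config file, DLL, registry).
        self.config = {"EncryptionKey": os.urandom(32)}
        self.db: dict = {}

    def store(self, name: str, password: str) -> None:
        self.db[name] = seal(self.config["EncryptionKey"], password.encode())

    def fetch(self, name: str) -> Optional[str]:
        pt = unseal(self.config["EncryptionKey"], self.db[name])
        return None if pt is None else pt.decode()


class EndToEndVault:
    """Server stores ciphertext and a public salt only; the key never reaches the server."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)  # stored server-side, not secret
        self.db: dict = {}

    def client_key(self, master_password: str) -> bytes:
        # Runs on the client; the derived key is never transmitted or stored.
        return hashlib.pbkdf2_hmac("sha256", master_password.encode(), self.salt, 200_000)

    def store(self, master_password: str, name: str, password: str) -> None:
        self.db[name] = seal(self.client_key(master_password), password.encode())

    def fetch(self, master_password: str, name: str) -> Optional[str]:
        pt = unseal(self.client_key(master_password), self.db[name])
        return None if pt is None else pt.decode()


def host_access_exposure(vault) -> dict:
    """Risk assessment: what is recoverable from everything stored on the host alone.

    Models the advisory's threat: full read access to the instance's files and
    database, but no knowledge of any user's master password.
    """
    if isinstance(vault, ServerSideVault):
        key = vault.config["EncryptionKey"]  # present on the host, so every entry decrypts
        return {name: unseal(key, rec).decode() for name, rec in vault.db.items()}
    # End-to-end design: host holds ciphertext, tags and a salt, but no key.
    return {name: None for name in vault.db}


if __name__ == "__main__":
    s = ServerSideVault()
    s.store("db-admin", "hunter2")  # constructed sample credential
    print("server-side key exposure:", host_access_exposure(s))
    e = EndToEndVault()
    e.store("correct horse battery", "db-admin", "hunter2")
    print("end-to-end exposure:", host_access_exposure(e))
```

In the end-to-end design, host access yields only ciphertext, so the residual risk shifts to the strength of each user's master password (the salt is public, so an offline guessing attack remains possible against weak ones) and to the integrity of the client that derives the key. That is the trade-off the advisory's recommendation implies: the server can no longer be a single point of plaintext exposure, but the client and the master secret become the assets to protect.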

Passwordstate Patched The Flaws

The researchers discovered the Passwordstate security issues in August 2022 and reported them to Click Studios. The vendor acknowledged the report and began developing patches.

According to modzero, the vulnerabilities affected Passwordstate 9.5 (build 9583 and earlier) and Passwordstate browser extension version 9.5.8.4. Click Studios fixed the flaws with the release of Passwordstate 9.6 Build 9653.

However, according to the Click Studios website, this is not the latest version: Build 9655 is listed as the current release. All Passwordstate users should upgrade to the latest available version to receive every fix.
