Written By: Ferdi Gül

Contributor: Ferhat Dikbiyik

Welcome to this week’s Focus Friday blog, where we highlight key vulnerabilities and their implications for Third-Party Risk Management (TPRM). As organizations face an ever-evolving cyber threat landscape, staying ahead of critical vulnerabilities in widely used software becomes crucial. This week, we dive into the vulnerabilities affecting pgAdmin, Keycloak, and Navidrome. These products are widely used in database management, identity and access management, and media streaming, respectively, and each is exposed to serious security flaws that could jeopardize vendor and organizational data.

Filtered view of companies with pgAdmin FocusTag™ on the Black Kite platform.

We’ll explore each vulnerability through the lens of TPRM, providing insights on risk mitigation, critical questions to ask vendors, and remediation steps. By the end of this blog, you’ll have a clearer understanding of how Black Kite’s FocusTags™ can enhance your TPRM strategies and empower you to respond more effectively to emerging threats.

CVE-2024-9014: OAuth2 Credential Exposure Vulnerability in pgAdmin

What is the pgAdmin OAuth2 Credential Exposure Vulnerability?

pgAdmin is a popular open-source management tool for PostgreSQL, one of the most widely used open-source relational database systems. pgAdmin provides a graphical user interface (GUI) that allows users to interact with PostgreSQL databases, making it easier to manage, develop, and monitor the databases.

CVE-2024-9014 is a critical vulnerability in pgAdmin versions 8.11 and earlier that affects its OAuth2 authentication mechanism. The flaw can allow an attacker to obtain the OAuth2 client ID and client secret, which are critical to secure authentication. Once compromised, these credentials can be used to gain unauthorized access to sensitive user information, such as database configurations and user data.

The vulnerability, classified as an OAuth2 authentication bypass, is considered critical with a CVSS score of 9.9. First published on September 25, 2024, it currently has no reports of public exploitation or known proof-of-concept (POC) exploit code. It has not been added to the CISA KEV catalog.

Despite the absence of public exploits or attack campaigns, the vulnerability remains highly dangerous due to its potential to lead to large-scale data breaches and system compromise, especially if an exploit becomes available.

Why Should TPRM Professionals Care About the pgAdmin OAuth2 Authentication Vulnerability?

For third-party risk management (TPRM) professionals, vulnerabilities in widely used tools like pgAdmin present significant risks to vendors managing critical databases. This particular vulnerability affects an authentication mechanism, meaning an attacker could use compromised OAuth2 credentials to impersonate legitimate users and access sensitive data or configurations.

In the context of third-party risk management, if a vendor’s PostgreSQL database configuration is compromised, it could result in unauthorized access to confidential data, potentially impacting the integrity of both the vendor and the organization relying on the data. Furthermore, if vendors fail to patch or mitigate the vulnerability, they might become weak links in the supply chain, leaving organizations exposed.

What Questions Should TPRM Professionals Ask Vendors About the pgAdmin Vulnerability?

To assess the risk of CVE-2024-9014 affecting your vendors, here are key questions you should ask:

  1. Have you identified pgAdmin 8.11 or earlier versions in your environment?
  2. Have you updated pgAdmin to version 8.12 or later to mitigate the OAuth2 vulnerability?
  3. What measures have been taken to rotate OAuth2 credentials used for authentication?
  4. Are you monitoring your database access logs and OAuth2 authentication logs for any suspicious activities?

Remediation Recommendations for Vendors Subject to This Risk

Vendors using affected versions of pgAdmin should take immediate action to secure their systems. Here are some key recommendations:

  1. Update to pgAdmin version 8.12 or later, which addresses the OAuth2 vulnerability.
  2. Rotate OAuth2 client ID and secret to prevent potential unauthorized access.
  3. Implement multi-factor authentication (MFA) for PostgreSQL administrative accounts.
  4. Regularly monitor pgAdmin logs for suspicious behavior, especially related to authentication attempts.
  5. Ensure OAuth2 configurations are secure and regularly audited for potential vulnerabilities.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite issued the FocusTag for CVE-2024-9014 on September 25, 2024. TPRM professionals can operationalize this tag by identifying vendors with potential exposure to this critical vulnerability. Black Kite provides asset intelligence, including vulnerable IP addresses and subdomains associated with this vulnerability in vendors’ systems, enabling professionals to target their risk mitigation efforts effectively.

By leveraging Black Kite’s FocusTags™, TPRM professionals can narrow their inquiries to vendors using pgAdmin 8.11 and earlier and provide clear remediation guidelines, reducing the need for broad, time-consuming outreach. For updated vulnerabilities, Black Kite’s continuous monitoring allows for proactive risk management, ensuring organizations stay ahead of emerging threats.

Black Kite’s pgAdmin FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2024-8698 & CVE-2024-8883: SAML Signature Validation Bypass and Session Hijacking in Keycloak

What are the Keycloak SAML Signature Validation and Session Hijacking Vulnerabilities?

Keycloak is an open-source identity and access management (IAM) solution that provides authentication, authorization, and user management for applications and services. It allows developers to implement Single Sign-On (SSO) across multiple applications, manage user sessions, and integrate with different identity providers such as LDAP, Active Directory, or social logins (e.g., Google, Facebook).

CVE-2024-8698 and CVE-2024-8883 target different aspects of Keycloak’s identity and access management solution.

  • CVE-2024-8698 is a SAML Signature Validation Bypass vulnerability, impacting Keycloak versions that utilize the SAML signature validation feature. It stems from improper signature validation in the XMLSignatureUtil class, where signed elements are incorrectly identified based on their position in the XML document. This flaw allows an attacker to craft malicious SAML responses and bypass signature validation, enabling privilege escalation or impersonation.
  • CVE-2024-8883 is a Session Hijacking Vulnerability, caused by improper validation of the ‘Valid Redirect URI’ settings in Keycloak. If these settings are configured permissively (e.g., with ‘http://localhost’ or ‘http://127.0.0.1’), the flaw can allow attackers to redirect users to malicious sites, stealing sensitive information such as authorization codes and leading to session hijacking or unauthorized account access.
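The CVE-2024-8698 description above turns on one principle: the element a SAML signature covers must be identified by the ds:Reference URI inside the signature, not by where the element sits in the document. The following added example (written for this post, not Keycloak’s code) shows a structural check that binds signed Assertions to their referenced IDs and contrasts it with a position-based pick. It assumes the signature’s cryptographic verification is done separately by the SAML library, and the two responses are constructed samples with the signature values omitted.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]


def referenced_ids(signature):
    """IDs named by the ds:Reference URI attributes of one ds:Signature element."""
    ids = set()
    for ref in signature.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.add(uri[1:])
    return ids


def verified_assertion_ids(xml_text):
    """Return the IDs of Assertions an application may trust: those whose own
    Signature references their ID, or any Assertion inside a Response whose
    Signature references the Response ID. Cryptographic verification of the
    signature value is assumed to happen separately in the SAML library."""
    root = ET.fromstring(xml_text)
    resp_sig = root.find("ds:Signature", NS)
    response_signed = resp_sig is not None and root.get("ID") in referenced_ids(resp_sig)
    covered = set()
    for assertion in root.iter(ASSERTION_TAG):
        sig = assertion.find("ds:Signature", NS)
        if response_signed or (sig is not None and assertion.get("ID") in referenced_ids(sig)):
            covered.add(assertion.get("ID"))
    return covered


def first_assertion_id(xml_text):
    """What a position-based check would pick: the first Assertion in document order."""
    first = next(ET.fromstring(xml_text).iter(ASSERTION_TAG), None)
    return None if first is None else first.get("ID")


# Constructed responses (signature values omitted): one whose Signature references
# the Assertion it sits in, and one whose Reference names a different ID.
TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#{ref}"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
BOUND_RESPONSE = TEMPLATE.format(ref="_a1")
MISMATCHED_RESPONSE = TEMPLATE.format(ref="_other")

if __name__ == "__main__":
    for name, doc in (("bound", BOUND_RESPONSE), ("mismatched", MISMATCHED_RESPONSE)):
        print(name, "first:", first_assertion_id(doc), "verified:", verified_assertion_ids(doc))
```

For the mismatched response a position-based check still returns `_a1`, while the reference-bound check returns nothing trustworthy.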

Both vulnerabilities pose considerable risks. CVE-2024-8698 has a severity rating of high, with a CVSS score of 7.7 and an EPSS of 0.09%, while CVE-2024-8883 is rated as medium severity, with a CVSS score of 6.1 and an EPSS of 0.49%.

Neither of these vulnerabilities has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and no proof-of-concept (POC) exploit code is publicly available. While there is no evidence of active exploitation in the wild, the potential severity of these flaws, especially in widely deployed identity and access management systems, means they pose considerable risks to affected organizations.

Why Should TPRM Professionals Care About the Keycloak Vulnerabilities?

TPRM professionals should pay close attention to these vulnerabilities due to the critical role Keycloak plays in many organizations’ authentication and authorization workflows. Keycloak is a popular open-source identity and access management solution used for centralized authentication, single sign-on (SSO), and authorization, particularly in enterprise environments, microservices, and internal applications.

  • CVE-2024-8698, with its potential for privilege escalation and impersonation, poses a risk of unauthorized access to sensitive systems. If exploited, attackers could gain high-level access privileges, leading to data breaches or system compromise.
  • CVE-2024-8883 can lead to session hijacking, which allows attackers to impersonate legitimate users, accessing accounts and potentially compromising secure data.

For TPRM professionals, these vulnerabilities introduce risks not only to vendors utilizing Keycloak but also to downstream organizations relying on those vendors for secure identity management. If vendors fail to patch their systems or implement proper configurations, they could expose your organization to potential breaches or identity-related threats.

What Questions Should TPRM Professionals Ask Vendors About the Keycloak Vulnerabilities?

To assess whether your vendors are impacted by these vulnerabilities, consider asking the following questions:

  1. Are you utilizing Keycloak in your environment for identity and access management?
  2. Have you checked whether the SAML signature validation process is used in your configuration?
  3. Has Keycloak been updated to the latest version (7.6.11 or later) to mitigate the SAML and session hijacking vulnerabilities?
  4. Have you reviewed and validated your ‘Valid Redirect URI’ settings to prevent open redirect attacks?

Remediation Recommendations for Vendors Subject to This Risk

Vendors impacted by these vulnerabilities should take the following actions to mitigate risks:

  1. Ensure that Keycloak is updated to version 7.6.11 or later, which includes patches for both CVE-2024-8698 and CVE-2024-8883.
  2. Review the SAML signature validation process and apply the necessary security patches to prevent bypass attacks.
  3. Validate all ‘Valid Redirect URI’ settings to ensure only trusted URIs are configured, thereby mitigating the risk of session hijacking.
  4. Monitor access logs for unusual authentication attempts or redirect activities, especially those related to SAML and OAuth processes.
  5. Implement multi-factor authentication (MFA) where possible to provide an additional layer of security against hijacking attempts.
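Recommendation 3 above, validating every ‘Valid Redirect URI’ entry, is easy to script against a Keycloak client export. The following is an added example written for this post (not Keycloak’s own tooling): it flags the loopback entries named in the CVE-2024-8883 description plus bare and host-level wildcards and plain-http entries. It assumes the `redirectUris` field of Keycloak’s client representation; the two client dictionaries are constructed inputs, not exports from a real realm.

```python
from urllib.parse import urlsplit

# Loopback names that the CVE-2024-8883 description calls out as unsafe entries.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_redirect_uri(uri):
    """Return the problems found in one Valid Redirect URI entry; an empty list means it passed."""
    if uri.strip() in ("*", "/*"):
        return ["bare wildcard: any redirect target is accepted"]
    findings = []
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    if parts.scheme == "http":
        findings.append("plain http scheme: the authorization code is sent unencrypted")
    if host in LOOPBACK_HOSTS:
        findings.append("loopback host (localhost/127.0.0.1): not a trusted application endpoint")
    if "*" in parts.netloc:
        findings.append("wildcard in host: matches hosts the application does not control")
    return findings


def audit_client(client):
    """Map each flagged entry in a client's 'redirectUris' list to its findings.
    'redirectUris' is the field name in Keycloak's client representation; the
    client dictionaries used here are constructed for the example."""
    return {u: f for u in client.get("redirectUris", []) if (f := check_redirect_uri(u))}


# Constructed inputs: a permissive client next to the hardened version of the same client.
WEAK_CLIENT = {
    "clientId": "demo-app",
    "redirectUris": [
        "http://localhost/*",
        "http://127.0.0.1:8080/callback",
        "*",
        "https://*.example.com/callback",
        "https://app.example.com/callback",
    ],
}
HARDENED_CLIENT = {"clientId": "demo-app", "redirectUris": ["https://app.example.com/callback"]}

if __name__ == "__main__":
    for uri, problems in audit_client(WEAK_CLIENT).items():
        print(uri, "->", "; ".join(problems))
    print("hardened client findings:", audit_client(HARDENED_CLIENT))
```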

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite issued the FocusTag for CVE-2024-8698 and CVE-2024-8883 on September 25, 2024. By leveraging Black Kite’s FocusTags™, TPRM professionals can quickly identify vendors using Keycloak with potential exposure to these vulnerabilities. Black Kite provides detailed asset information, including subdomains and IP addresses of vendor systems that may be at risk, helping to narrow the scope of remediation efforts.

This FocusTag allows organizations to focus on vendors with direct exposure, reducing the burden of blanket outreach. TPRM professionals can also use Black Kite’s continuous monitoring to ensure vendors stay updated on newly disclosed vulnerabilities and patched versions of Keycloak.

Black Kite’s Keycloak FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2024-47062: SQL Injection and Authentication Bypass Vulnerabilities in Navidrome

What are the SQL Injection and Authentication Bypass Vulnerabilities in Navidrome?

Navidrome is a self-hosted music streaming server that allows users to access and play their personal music collections via a web interface or supported third-party clients. It supports a variety of audio formats, including MP3, FLAC, and more, and provides a lightweight, easy-to-use solution for music streaming. Navidrome is designed to run on minimal hardware and can be integrated with mobile and desktop apps that support Subsonic-compatible APIs, making it a popular choice for users who want control over their own music libraries without relying on external streaming services.

CVE-2024-47062 is a critical vulnerability in Navidrome, a popular open-source music streaming server, affecting versions up to and including v0.52.5. This vulnerability enables attackers to exploit SQL injection flaws and authentication bypass weaknesses, posing significant security risks.

  • SQL Injection Vulnerabilities: Attackers can exploit improperly handled URL parameters to inject arbitrary SQL code. By sending specially crafted requests, attackers can extract sensitive data, including user credentials and personal information.
  • Authentication Bypass: A weakness in Navidrome’s authentication mechanism allows attackers to bypass the login process. Using SQL LIKE statements and wildcard characters (e.g., %), attackers can manipulate login credentials and gain unauthorized access.
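The authentication bypass bullet above describes a LIKE comparison that treats wildcard characters as patterns. The following added example (written for this post, not Navidrome’s code, and using a constructed SQLite table rather than Navidrome’s schema) shows why a LIKE lookup is unsafe for a login check even when the query is parameterised, the equality lookup that fixes it, and the escaping needed where LIKE is legitimately used for search.

```python
import sqlite3

# Constructed sample users; not Navidrome's schema or data.
ROWS = [("admin", "secret-admin"), ("alice", "secret-alice")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (user_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", ROWS)
    return conn


def lookup_like(conn, user_name):
    """Unsafe login lookup: parameterised, so not injectable, but LIKE still treats
    '%' and '_' in the supplied name as wildcards, so '%' matches every user."""
    cur = conn.execute(
        "SELECT user_name FROM user WHERE user_name LIKE ? ORDER BY user_name", (user_name,))
    return [r[0] for r in cur.fetchall()]


def lookup_exact(conn, user_name):
    """Hardened login lookup: equality comparison, wildcards are ordinary characters."""
    cur = conn.execute(
        "SELECT user_name FROM user WHERE user_name = ? ORDER BY user_name", (user_name,))
    return [r[0] for r in cur.fetchall()]


def escape_like(term, esc="\\"):
    """For features that genuinely need LIKE (e.g. search): neutralise the escape
    character first, then '%' and '_', so user input is matched literally."""
    return term.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_like_safe(conn, term):
    """Substring search with LIKE where the user's term cannot act as a pattern."""
    pattern = "%" + escape_like(term) + "%"
    cur = conn.execute(
        "SELECT user_name FROM user WHERE user_name LIKE ? ESCAPE '\\' ORDER BY user_name",
        (pattern,))
    return [r[0] for r in cur.fetchall()]


if __name__ == "__main__":
    db = make_db()
    print("LIKE with '%':", lookup_like(db, "%"))        # every user matches
    print("equality with '%':", lookup_exact(db, "%"))  # nothing matches
    print("escaped search for '%':", search_like_safe(db, "%"))
```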

This vulnerability is rated as critical with a CVSS score of 9.4. It was first published on September 24, 2024; as of the time of writing there is no known exploitation in the wild and it has not been added to the CISA KEV catalog.

These vulnerabilities, if exploited, allow attackers to gain unauthorized access to Navidrome databases, extract sensitive user information, and even brute-force encrypted passwords over time.

Why Should TPRM Professionals Care About the Navidrome Vulnerabilities?

For TPRM professionals, these vulnerabilities in Navidrome introduce significant risks to any organization utilizing the software. Navidrome manages music streaming, but like many open-source applications, it can also handle user data such as login credentials and personal information.

An unpatched instance of Navidrome could serve as an entry point for attackers to compromise vendor databases, retrieve sensitive data, and escalate access privileges. If vendors in your supply chain are running vulnerable versions of Navidrome, the potential data breach could expose not only their internal information but also any customer-related data stored within their systems.

What Questions Should TPRM Professionals Ask Vendors About the Navidrome Vulnerabilities?

To assess the risk that CVE-2024-47062 poses to your organization, ask your vendors the following questions:

  1. Are you currently using Navidrome as part of your streaming or media management solutions?
  2. Have you upgraded to Navidrome version 0.53.0 or later to address the SQL injection and authentication bypass vulnerabilities?
  3. Have you reviewed and secured your URL parameter handling to prevent SQL injection attacks?
  4. What measures have you implemented to monitor and detect potential SQL injection or brute-force authentication attempts in your Navidrome logs?

Remediation Recommendations for Vendors Subject to This Risk

Vendors using Navidrome must take prompt action to mitigate the risk posed by these vulnerabilities:

  1. Upgrade to Navidrome version 0.53.0 or later, which addresses the SQL injection and authentication bypass issues.
  2. Restrict access to Navidrome’s web server by limiting exposure to trusted IP addresses or using secure channels such as VPN for remote access.
  3. Monitor Navidrome logs for any signs of unusual behavior, particularly SQL injection attempts or unauthorized login activity.
  4. Implement input validation for URL parameters to prevent SQL injection attacks in future configurations.
  5. Strengthen the authentication process by enabling multi-factor authentication (MFA) for administrative accounts.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite issued the FocusTag for CVE-2024-47062 on September 24, 2024, allowing TPRM professionals to quickly identify vendors using vulnerable versions of Navidrome. By leveraging this FocusTag, you can gain access to critical asset information, including IP addresses and subdomains tied to vendors running at-risk versions of Navidrome.

With this information, TPRM professionals can prioritize remediation efforts and mitigate risks related to vendors utilizing Navidrome. Black Kite’s continuous monitoring ensures that any future updates or additional vulnerabilities discovered in Navidrome are swiftly communicated, allowing organizations to maintain a proactive stance on security.

Black Kite’s Navidrome FocusTag™ details critical insights on the event for TPRM professionals.

Enhancing TPRM Strategies with Black Kite’s FocusTags™

Black Kite’s FocusTags™ are a critical tool for enhancing Third-Party Risk Management (TPRM) strategies, particularly when dealing with complex vulnerabilities like those in pgAdmin, Keycloak, and Navidrome. These tags provide:

  • Real-Time Risk Identification: Quickly identifying vendors that are impacted by high-profile vulnerabilities, enabling timely remediation efforts.
  • Risk Prioritization: Allowing organizations to prioritize vulnerabilities based on their severity and the criticality of the vendors affected, ensuring more efficient resource allocation.
  • Informed Vendor Engagement: Equipping TPRM teams with the knowledge needed to engage vendors in meaningful conversations about their exposure and mitigation efforts.
  • Holistic Security Posture Strengthening: Offering a comprehensive view of the evolving threat landscape, helping to build stronger, more adaptive security defenses.

By leveraging Black Kite’s FocusTags™, TPRM professionals can transform complex vulnerability data into actionable intelligence, reducing the risk to the supply chain and ensuring that they remain agile and informed in an ever-changing cybersecurity environment.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • pgAdmin: CVE-2024-9014, OAuth2 Authentication Vulnerability in pgAdmin.
  • Keycloak: CVE-2024-8698, CVE-2024-8883, SAML Signature Validation Bypass and Session Hijacking Vulnerability in Keycloak.
  • Navidrome: CVE-2024-47062, SQL Injection Vulnerability in Navidrome.
  • PAN-OS Cleartext: CVE-2024-8687, Cleartext Exposure Security Flaw in PAN-OS, GlobalProtect, Prisma Access.
  • FileCatalyst Workflow: CVE-2024-6633, CVE-2024-6632, Insecure Default Configuration and SQL Injection Vulnerability in Fortra FileCatalyst Workflow.
  • WPML: CVE-2024-6386, Critical Remote Code Execution Vulnerability via Twig Server-Side Template Injection in WPML Plugin.
  • SonicWall Firewalls: CVE-2024-40766, Critical Improper Access Control Vulnerability in SonicWall Firewalls.
  • Dahua IP Camera: CVE-2021-33045, CVE-2021-33044, Critical Authentication Bypass Vulnerabilities in Dahua IP Camera Systems.
  • Microsoft Privilege Escalation Vulnerability: CVE-2024-38193, CVE-2024-38106, CVE-2024-38107, Critical Privilege Escalation Vulnerabilities in Microsoft Windows.
  • SolarWinds WHD: CVE-2024-28986, Critical Remote Code Execution Vulnerability in SolarWinds Web Help Desk.
  • Zimbra LFI: CVE-2024-33535, Local File Inclusion Vulnerability in Zimbra Collaboration Suite.
  • Exchange Server RCE: CVE-2021-31196, CVE-2021-34473, Remote Code Execution Vulnerabilities in Microsoft Exchange Server.
  • Zabbix: CVE-2024-22116, Critical Remote Code Execution Vulnerability in Zabbix Monitoring Solution.
