Researchers have uncovered several vulnerabilities in the Lansweeper IT asset management platform that could allow an attacker to inject malicious code on a targeted device.
The four vulnerabilities affect version 18.104.22.168 of the Lansweeper platform. Lansweeper is widely used in enterprises for asset discovery, management, and security management. Researchers at Cisco Talos discovered the flaws and reported them to Lansweeper, which released an update to address them on Feb. 21.
Each of the vulnerabilities is in an individual .aspx file and an attacker could send a malicious HTTP request to a vulnerable device to inject malicious code. Three of the vulnerabilities are SQL injection bugs, while the other is a cross-site scripting vulnerability.
“The HTTP request can trigger an error that eventually allows the attacker to inject SQL code. An adversary needs to be authenticated and have proper permissions to exploit these vulnerabilities,” the Talos advisory says.
“Users are encouraged to update these affected products as soon as possible: Users are encouraged to update these affected products as soon as possible: Lansweeper version 22.214.171.124. Talos tested and confirmed this version is affected by these vulnerabilities. Lansweeper 9.2.0 incorporates fixes for these issues.”
“An attacker controlling parameters value and name is able to set new values for table fields such as loginmessage and loginfootertext. There is a sanitization attempt for both mentioned fields in line 240 before they get updated with a value of parameter value == text4. Unfortunately this check is not proper, and we can simply bypass it by setting e.g value of name == text5 to e.g Loginmessage or loginmessage. In such a way, none of the characters used by us will be removed in line 153,” the advisory says.
“Simultaneously, we bypass the check text5 == loginmessage. As a consequence we can insert controlled data into the database without any sanitization. To trigger this vulnerability, an attacker needs to be authenticated and have permissions to change loginlayout fields. Injected code will be automatically triggered each time when a user visits the lansweeper login page.”
Customers should upgrade to Lansweeper 9.2.0 as soon as possible to protect against attacks on these flaws.