Critical zero-day vulnerabilities found in ‘unsupported’ Fedena school management software


Adam Bannister

07 June 2021 at 13:12 UTC

Updated: 07 June 2021 at 13:25 UTC

Users urged to migrate to alternative application, with open source project long since abandoned

Fedena, an open source school and college management system, contains a raft of zero-day vulnerabilities, with one potentially leading to remote code execution (RCE).

With the project seemingly abandoned, researchers from UK infosec company Pentest Limited who unearthed the flaws have urged users “to migrate to a supported product as soon as possible”.

Seven security vulnerabilities were found in all, including two critical, unauthenticated bugs.

Read more of the latest web security research news

With one, threat actors can “execute commands on the operating system using publicly available tooling and available knowledge”, while an authentication bypass flaw means an attacker can take over the admin account “by cookie spoofing using publicly available knowledge”, according to a Pentest blog post released last week.

The root cause of both issues is server-side secrets being “shared between all deployments”.

‘Significant vulnerabilities’

The other five Fedena flaws, exploitable only by authenticated attackers, relate to SQL injection, broken access controls, and a trio of cross-site scripting (XSS) issues.

These “significant vulnerabilities were relatively easy to locate and exploit”, said Pentest.

This was particularly concerning given “each exposed installation contains children’s personal information”.

RECOMMENDED Korenix patches multiple critical vulnerabilities in networking devices

Upon the 2013 release of the latest, apparently final version, the then maintainers of Fedena said it powered more than 40,000 institutions worldwide – although Pentest researchers said they found only 30 internet-facing instances online in 2020.

However, researchers also observed “multiple open source and commercial forks” of concern, with a company called Foradian now selling a commercial version known as Fedena Pro, while a ‘Sampoorna’ fork is apparently maintained for use in Kerala, India by 15,000 schools with more than seven million students.

Unfortunately, said Pentest, the vendors involved would not authorize testing.

Mitigation

In lieu of migration to an alternative platform, Pentest said users could mitigate the critical vulnerabilities by stopping the Fedena application server, altering the secret using a securely generated random string, and restarting the server.

The other vulnerabilities could be “significantly” mitigated, meanwhile, by “using network segregation and/or VPN controls” – although Pentest admitted this might cause usability issues.

However, Pentest warned that Fedena “relies on seriously outdated Rail Gems”, and regardless of mitigations, “will remain a security risk wherever it is used”.

“Migration to a new solution is the only way to [truly] secure unsupported software,” Paul Ritchie, lead researcher on the Fedena flaws, told The Daily Swig. “That is not always practical and may require long term planning.

“In the interim”, he says, users should ideally decouple assets from Windows domains to reduce the value to an attacker or use access controls to “limit visibility of the host or service as far as possible”.

Disclosure timeline

The flaws were discovered in the latest version of Fedena (v2.3) in April 2020 during one of Pentest’s Hackathon events.

ProjectFedena.org did not respond to queries sent by The Daily Swig via its contact form and has not been active on the Fedena GitHub repository in the last eight years.

YOU MIGHT ALSO LIKE Microsoft debuts Automatic HTTPS for Edge in secure browsing upgrade

Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here