CVE-2019-5644

10.0 CRITICAL

📋 TL;DR

CVE-2019-5644 is an improper access control vulnerability in Computing For Good's Basic Laboratory Information System (C4G BLIS) that allows unauthenticated attackers to modify user accounts, including elevating privileges to administrator. This affects all users of C4G BLIS version 3.5 and earlier. The vulnerability stems from insufficient authorization checks on account modification endpoints.

💻 Affected Systems

Products:
  • Computing For Good Basic Laboratory Information System (C4G BLIS)
Versions: Version 3.5 and earlier
Operating Systems: Any OS running C4G BLIS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise where an attacker gains administrative control, modifies all user accounts, accesses sensitive laboratory data, and potentially disrupts laboratory operations.

🟠 Likely Case

Attackers gain administrative privileges, modify user accounts, and access sensitive patient/laboratory data stored in the system.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, though the vulnerability still exists in the application.

🌐 Internet-Facing: HIGH - The vulnerability allows unauthenticated exploitation, making internet-facing instances extremely vulnerable to remote attacks.
🏢 Internal Only: HIGH - Even internally, any user with network access to the system can exploit this without credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The Rapid7 blog provides technical details that could be used to create exploits. The vulnerability requires no authentication and has simple exploitation steps.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.6 or later

Vendor Advisory: https://blog.rapid7.com/2019/09/10/r7-2019-09-cve-2019-5617-cve-2019-5643-cve-2019-5644-c4g-blis-authentication-and-authorization-vulnerabilities-fixed/

Restart Required: Yes

Instructions:

1. Download C4G BLIS version 3.6 or later from the official source.
2. Backup your current installation and database.
3. Replace the existing installation with the patched version.
4. Restart the application server.
5. Verify that the vulnerability is no longer present.

🔧 Temporary Workarounds

Network Access Restriction

Applies to: all

Restrict network access to the C4G BLIS application to only trusted IP addresses or internal networks.

Use firewall rules to limit access: allow the trusted source first, then drop all other traffic to the port, since an ACCEPT rule on its own blocks nothing (e.g., iptables -A INPUT -p tcp --dport [BLIS_PORT] -s [TRUSTED_IP] -j ACCEPT followed by iptables -A INPUT -p tcp --dport [BLIS_PORT] -j DROP).

Web Application Firewall (WAF)

Applies to: all

Deploy a WAF to block requests attempting to exploit the account modification endpoints.

Configure WAF rules to block requests to user account modification endpoints that do not carry a valid authenticated session.

🧯 If You Can't Patch

  • Isolate the C4G BLIS system on a segmented network with strict access controls
  • Implement comprehensive logging and monitoring for unauthorized account modification attempts

🔍 How to Verify

Check if Vulnerable:

Attempt to access account modification endpoints (e.g., /api/user/update) without authentication. If successful, the system is vulnerable.

Check Version:

Check the application interface or configuration files for version information. Typically visible in the web interface footer or about page.

Verify Fix Applied:

After patching, attempt the same unauthenticated access to account modification endpoints. Requests should be rejected with proper authorization errors.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated POST/PUT requests to user account endpoints
  • Unusual account privilege changes
  • Multiple failed authentication attempts followed by successful account modifications

Network Indicators:

  • Unusual traffic patterns to account modification endpoints from unauthenticated sources

SIEM Query:

source="c4g_blis_logs" AND (uri_path="/api/user/update" OR uri_path="/api/user/modify") AND http_status=200 AND auth_status="unauthenticated"
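As an added detection example (not code from the page, Rapid7 or the BLIS project), the following Python applies the log indicators and SIEM logic above to constructed sample access-log lines. The log line shape, the `-` marker for a request with no authenticated user, and the endpoint paths (taken from the SIEM query above) are assumptions.

```python
"""Flag successful, unauthenticated account-modification requests in
constructed C4G BLIS-style access logs (added example; format assumed)."""
import re
from collections import Counter

# Endpoint paths as named in this page's SIEM query (assumed, not verified).
ACCOUNT_MODIFY_PATHS = ("/api/user/update", "/api/user/modify")
MUTATING_METHODS = ("POST", "PUT")

# Assumed log line shape: <client ip> <user or "-"> "<METHOD> <path> <proto>" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})$'
)

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    event["authenticated"] = event["user"] != "-"   # "-" means no session user
    return event

def is_suspicious(event):
    """Mutating request to an account endpoint that succeeded without a user."""
    path = event["path"].split("?", 1)[0]          # ignore query string
    return (event["method"] in MUTATING_METHODS
            and path in ACCOUNT_MODIFY_PATHS
            and event["status"] == 200
            and not event["authenticated"])

def scan(lines):
    """Return the suspicious events plus a per-source-IP count for triage."""
    hits = [e for e in (parse_line(ln) for ln in lines) if e and is_suspicious(e)]
    return hits, Counter(h["ip"] for h in hits)

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.7 - "POST /api/user/update HTTP/1.1" 200',      # hit
    '203.0.113.7 - "PUT /api/user/modify?id=1 HTTP/1.1" 200',  # hit
    '10.0.0.5 labadmin "POST /api/user/update HTTP/1.1" 200',  # authenticated
    '203.0.113.7 - "POST /api/user/update HTTP/1.1" 401',      # rejected
    '198.51.100.2 - "GET /api/user/update HTTP/1.1" 200',      # read-only
    'garbage line',                                            # unparseable
]

if __name__ == "__main__":
    hits, by_ip = scan(SAMPLE_LOG)
    for h in hits:
        print(f"ALERT {h['ip']} {h['method']} {h['path']} unauthenticated -> {h['status']}")
    print(dict(by_ip))  # {'203.0.113.7': 2}
```

A rejected (401) request to the same endpoint is deliberately not flagged here; after patching, those rejections are the expected signal that the fix is in place.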
