CVE-2022-45177
📋 TL;DR
This vulnerability in LIVEBOX Collaboration vDesk allows attackers to infer internal system state information through observable response discrepancies at specific API endpoints. It affects all users of vDesk through version v031, enabling unauthorized actors to potentially gather sensitive information about user accounts and system configuration.
💻 Affected Systems
- LIVEBOX Collaboration vDesk
📦 What is this software?
Vdesk by Liveboxcloud
⚠️ Risk & Real-World Impact
Worst Case
Attackers could enumerate valid user accounts, determine account statuses, and gather reconnaissance data for further attacks, potentially leading to account takeover or data breaches.
Likely Case
Information disclosure allowing attackers to identify active users, account statuses, and potentially other system details that could aid in targeted attacks.
If Mitigated
Limited information leakage with no direct access to sensitive data, but still providing reconnaissance value to attackers.
🎯 Exploit Status
Exploitation requires only HTTP requests to specific endpoints and observation of response differences.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after v031
Vendor Advisory: https://www.gruppotim.it/it/footer/red-team.html
Restart Required: Yes
Instructions:
1. Contact the LIVEBOX Collaboration vendor for the patched version.
2. Back up the current configuration.
3. Apply the vendor-provided patch or upgrade to a version after v031.
4. Restart the vDesk services.
5. Verify the fix (see "How to Verify" below).
🔧 Temporary Workarounds
Endpoint Restriction
Restrict access to the vulnerable endpoints using web application firewall or reverse proxy rules.
# Example nginx location block restricting the affected endpoints.
# Note: /login is served at the site root, not under /api/v1/, so it needs its own alternative.
# "deny all" already answers 403; replace it with allow/deny rules for trusted
# address ranges if legitimate clients must still reach these endpoints.
location ~ ^(/api/v1/(vdeskintegration/user/isenableuser|sharedsearch)|/login) {
    deny all;
}
Rate Limiting
Implement strict rate limiting on the API endpoints to prevent automated enumeration.
# Example nginx rate limiting
# limit_req_zone must be declared in the http {} context ...
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/m;
# ... and the location block in the server {} block that fronts vDesk.
location /api/ {
    limit_req zone=api burst=5 nodelay;
    proxy_pass http://vdesk_backend;
}
🧯 If You Can't Patch
- Implement network segmentation to restrict access to vDesk API endpoints to authorized users only.
- Deploy web application firewall with rules to detect and block suspicious patterns of requests to the affected endpoints.
🔍 How to Verify
Check if Vulnerable:
Send requests to /api/v1/vdeskintegration/user/isenableuser, /api/v1/sharedsearch?search={NAME}+{SURNAME}, and /login endpoints with different parameters and observe if responses differ in ways that reveal internal state information.
Check Version:
Check vDesk administration interface or contact vendor for version information.
Verify Fix Applied:
After patching, test the same endpoints and verify responses no longer leak internal state information through observable discrepancies.
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns of requests to /api/v1/vdeskintegration/user/isenableuser
- Multiple failed login attempts with different usernames
- High volume of requests to /api/v1/sharedsearch endpoint
Network Indicators:
- Unusual traffic patterns to API endpoints from single IP addresses
- Repeated requests with incremental parameters
SIEM Query:
source="vdesk_logs" AND (uri_path="/api/v1/vdeskintegration/user/isenableuser" OR uri_path="/api/v1/sharedsearch" OR uri_path="/login") | stats count by src_ip, uri_path
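The same "count by src_ip, uri_path" logic as an added, stand-alone Python detector (not part of the advisory or the vendor's tooling) that adds a sliding time window so a burst of probes against the affected endpoints stands out from ordinary traffic. The log line format, the sample lines and the thresholds are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Endpoints named in the CVE-2022-45177 advisory.
WATCHED = ("/api/v1/vdeskintegration/user/isenableuser",
           "/api/v1/sharedsearch", "/login")

# Assumed (hypothetical) log format: "<client_ip> <epoch_seconds> <method> <uri> <status>".
LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, method, uri, status = m.groups()
    return {"ip": ip, "ts": int(ts), "method": method,
            "path": uri.split("?", 1)[0],  # drop the query string before matching
            "status": int(status)}

def flag_enumeration(lines, window=60, threshold=10):
    """Return {ip: {path: total_hits}} for every (ip, path) pair on a watched endpoint
    that exceeds `threshold` requests inside any sliding `window` of seconds."""
    stamps_by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in WATCHED:
            stamps_by_key[(rec["ip"], rec["path"])].append(rec["ts"])
    hits = defaultdict(dict)
    for (ip, path), stamps in stamps_by_key.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                hits[ip][path] = len(stamps)
                break
    return {ip: dict(paths) for ip, paths in hits.items()}

# Constructed sample log (not real vDesk output): one host probing the
# isenableuser endpoint 12 times in 22 seconds, another host logging in
# three times over ten minutes plus one search, and one unparseable line.
SAMPLE_LOG = [f"203.0.113.5 {1700000000 + 2 * i} POST "
              f"/api/v1/vdeskintegration/user/isenableuser 200" for i in range(12)]
SAMPLE_LOG += [f"198.51.100.7 {1700000000 + 200 * i} POST /login 401" for i in range(3)]
SAMPLE_LOG += ["198.51.100.7 1700000050 GET /api/v1/sharedsearch?search=a+b 200",
               "not a log line"]

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```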