CVE-2022-45178
📋 TL;DR
This CVE describes a broken access control vulnerability in LIVEBOX Collaboration vDesk that allows authenticated SAML users to escalate privileges from low-privilege accounts to administrative roles. Attackers can create new users, modify settings, and gain administrator access through multiple API endpoints. Organizations using affected vDesk versions are at risk.
💻 Affected Systems
- LIVEBOX Collaboration vDesk
📦 What is this software?
Vdesk by Liveboxcloud
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attackers gain administrator access, create backdoor accounts, modify all system settings, and potentially access sensitive collaboration data across the organization.
Likely Case
Privilege escalation leading to unauthorized administrative access, user creation, and configuration changes that could disrupt business operations and expose sensitive information.
If Mitigated
Limited impact with proper network segmentation, strong authentication controls, and monitoring that detects unusual privilege escalation attempts.
🎯 Exploit Status
Exploitation requires authenticated access as a SAML user, but beyond that it involves only simple API calls to the vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.gruppotim.it/it/footer/red-team.html
Restart Required: No
Instructions:
Check vendor advisory for updates. Upgrade to version beyond v018 when available. Monitor vendor communications for patch release.
🔧 Temporary Workarounds
Restrict API Endpoint Access
Implement network-level restrictions to block access to vulnerable endpoints from non-admin users
Enhanced Authentication Controls
Implement multi-factor authentication and strict session management to reduce risk of credential compromise
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vDesk systems from critical infrastructure
- Deploy web application firewall rules to block suspicious API calls to affected endpoints
🔍 How to Verify
Check if Vulnerable:
Check vDesk version against affected range (through v018). Test API endpoints for access control bypass using authenticated low-privilege SAML accounts.
Check Version:
Check vDesk administration panel or configuration files for version information
Verify Fix Applied:
Verify version is beyond v018. Test that low-privilege users cannot access administrative endpoints or create/modify users.
📡 Detection & Monitoring
Log Indicators:
- Unusual API calls to /api/v1/vdeskintegration/saml/user/createorupdate from non-admin users
- Multiple user creation/modification events from single low-privilege account
- Access to /settings/* endpoints from non-administrative users
Network Indicators:
- HTTP POST requests to vulnerable endpoints from unexpected source IPs
- Unusual patterns of API authentication and privilege changes
SIEM Query:
source="vdesk" AND (uri_path="/api/v1/vdeskintegration/saml/user/createorupdate" OR uri_path="/settings/guest-settings" OR uri_path="/settings/samlusers-settings" OR uri_path="/settings/users-settings") AND user_role!="admin"
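The log indicators and SIEM query above can be exercised offline before they are deployed. The following is an added example, not part of this advisory or of any LIVEBOX tooling: it runs the two indicators (sensitive endpoint hit by a non-admin role; repeated user create/update calls from a single low-privilege account) over constructed newline-delimited JSON events. The field names `ts`, `user`, `user_role`, `method`, `uri_path` and `status` and the role value `samluser` are assumptions about the log schema and must be mapped to whatever vDesk or your proxy actually emits.

```python
"""Detection logic for the log indicators listed in the advisory.

Added example, not part of the original advisory or the vendor's tooling.
The log format is constructed for illustration: one JSON object per line
with the fields "ts", "user", "user_role", "method", "uri_path", "status".
Real vDesk logs will differ; adapt the field names to your SIEM schema.
"""
import json
from collections import Counter

# Endpoints named in the advisory's detection section.
SENSITIVE_PATHS = {
    "/api/v1/vdeskintegration/saml/user/createorupdate",
    "/settings/guest-settings",
    "/settings/samlusers-settings",
    "/settings/users-settings",
}
USER_MUTATION_PATH = "/api/v1/vdeskintegration/saml/user/createorupdate"
ADMIN_ROLES = {"admin"}
# Threshold for the "multiple user creation/modification events from a
# single low-privilege account" indicator; tune to your environment.
MUTATION_THRESHOLD = 3

# Constructed sample log lines (not real traffic). Role "samluser" is assumed.
SAMPLE_LOG = """\
{"ts": "2023-01-10T09:00:01Z", "user": "alice", "user_role": "admin", "method": "POST", "uri_path": "/settings/users-settings", "status": 200}
{"ts": "2023-01-10T09:00:05Z", "user": "bob", "user_role": "samluser", "method": "GET", "uri_path": "/dashboard", "status": 200}
{"ts": "2023-01-10T09:01:10Z", "user": "bob", "user_role": "samluser", "method": "POST", "uri_path": "/api/v1/vdeskintegration/saml/user/createorupdate", "status": 200}
{"ts": "2023-01-10T09:01:12Z", "user": "bob", "user_role": "samluser", "method": "POST", "uri_path": "/api/v1/vdeskintegration/saml/user/createorupdate", "status": 200}
{"ts": "2023-01-10T09:01:15Z", "user": "bob", "user_role": "samluser", "method": "POST", "uri_path": "/api/v1/vdeskintegration/saml/user/createorupdate", "status": 200}
{"ts": "2023-01-10T09:02:00Z", "user": "bob", "user_role": "samluser", "method": "POST", "uri_path": "/settings/guest-settings", "status": 200}
{"ts": "2023-01-10T09:03:00Z", "user": "carol", "user_role": "samluser", "method": "GET", "uri_path": "/settings/samlusers-settings", "status": 403}
"""


def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a real pipeline would count/alert on unparsable lines
    return events


def sensitive_access_by_non_admin(events):
    """Equivalent of the SIEM query: a sensitive path hit by a non-admin role.

    A 403 means the access control held; it is still worth seeing, so the
    status is kept in the finding rather than used to filter it out.
    """
    return [
        {"user": e["user"], "uri_path": e["uri_path"], "status": e["status"]}
        for e in events
        if e.get("uri_path") in SENSITIVE_PATHS
        and e.get("user_role") not in ADMIN_ROLES
    ]


def repeated_user_mutations(events, threshold=MUTATION_THRESHOLD):
    """Low-privilege accounts with >= threshold successful user create/update POSTs."""
    counts = Counter(
        e["user"]
        for e in events
        if e.get("uri_path") == USER_MUTATION_PATH
        and e.get("method") == "POST"
        and e.get("user_role") not in ADMIN_ROLES
        and 200 <= int(e.get("status", 0)) < 300
    )
    return {user: n for user, n in counts.items() if n >= threshold}


def run_detections(text=SAMPLE_LOG):
    """Run both indicators over a log text and return the findings by name."""
    events = parse_log(text)
    return {
        "sensitive_non_admin": sensitive_access_by_non_admin(events),
        "repeated_mutations": repeated_user_mutations(events),
    }


if __name__ == "__main__":
    for name, findings in run_detections().items():
        print(name, findings)
```

On the constructed sample the first indicator returns five findings (four for `bob`, one denied request for `carol`) and the second flags only `bob`, whose three successful `createorupdate` calls meet the threshold; the admin `alice` is excluded from both, which mirrors the `user_role!="admin"` clause of the SIEM query. Keep the denied (403) hits in the output: after the patch they are exactly what a failed escalation attempt looks like.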