CVE-2024-54792
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in SpagoBI v3.5.1 allows authenticated attackers to trick other authenticated users into performing unauthorized user administration actions. This affects all users of SpagoBI v3.5.1 who have access to the user administration panel. Attackers can manipulate victims into adding, editing, or deleting user accounts without their knowledge.
💻 Affected Systems
- SpagoBI
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker could gain administrative privileges by tricking an admin into creating a new admin account, then use that access to compromise the entire system, exfiltrate data, or deploy ransomware.
Likely Case
Attackers create unauthorized user accounts with elevated privileges, leading to data theft, privilege escalation, or lateral movement within the network.
If Mitigated
With proper CSRF protections and user awareness, the attack would fail, resulting in no impact beyond failed requests in logs.
🎯 Exploit Status
Exploitation requires the attacker to trick an authenticated user into visiting a malicious webpage while logged into SpagoBI. The GitHub repository contains proof-of-concept code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch is available. Consider upgrading to a newer version if one exists, or implement CSRF tokens in the user administration panel as a custom fix.
🔧 Temporary Workarounds
Implement CSRF Tokens
Add CSRF tokens to all forms and state-changing requests in the user administration panel to validate legitimate requests.
Modify SpagoBI source code to include CSRF tokens in forms and validate them on the server side.
Use SameSite Cookies
Configure session cookies with the SameSite attribute to prevent cross-site requests.
Set session cookie attributes: SameSite=Strict; Secure; HttpOnly
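The two workarounds above, worked through as an added example (not SpagoBI code and not from the original advisory): a synchronizer-token check for state-changing user administration requests, plus the session cookie header with the attributes listed above. The in-memory session store, the cookie name JSESSIONID, the form field name csrf_token and the function names are assumptions made for the illustration.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for the application's
# server-side session (hypothetical; not SpagoBI's own session handling).
SESSIONS = {}


def new_session(user="admin"):
    """Create a server-side session and return its identifier."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": None}
    return sid


def issue_csrf_token(sid):
    """Synchronizer token pattern: one unpredictable token per session,
    kept server-side and embedded as a hidden field in every
    state-changing form (add / edit / delete user)."""
    session = SESSIONS[sid]
    if session["csrf_token"] is None:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def session_cookie_header(sid):
    """Set-Cookie header carrying the attributes from the workaround above.
    SameSite=Strict stops the browser attaching the cookie to requests
    initiated from another site, which is what a CSRF page relies on."""
    return f"Set-Cookie: JSESSIONID={sid}; Path=/; SameSite=Strict; Secure; HttpOnly"


def validate_state_change(sid, form):
    """Server-side check for a POST to a user-administration action.
    Returns (accepted, reason). A cross-site form post carries the victim's
    session cookie but cannot read the per-session token, so it fails here."""
    session = SESSIONS.get(sid)
    if session is None:
        return False, "no session"
    expected = session["csrf_token"]
    supplied = form.get("csrf_token", "")
    if expected is None or not supplied:
        return False, "missing csrf token"
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "csrf token mismatch"
    return True, "ok"


if __name__ == "__main__":
    sid = new_session()
    token = issue_csrf_token(sid)
    print(session_cookie_header(sid))
    # A forged cross-site request: cookie present, token absent.
    print(validate_state_change(sid, {"action": "add_user", "username": "x"}))
    # A legitimate request from the application's own form.
    print(validate_state_change(sid, {"action": "add_user", "username": "x", "csrf_token": token}))
```

The token must be rejected when absent or mismatched on every state-changing endpoint, not only on form submissions that happen to go through the panel's HTML; a GET that changes state should be converted to POST and covered by the same check.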
🧯 If You Can't Patch
- Restrict access to the user administration panel to only trusted administrators using network segmentation or IP whitelisting.
- Implement user awareness training to prevent clicking on suspicious links while logged into SpagoBI.
🔍 How to Verify
Check if Vulnerable:
Inspect the HTTP requests issued by the user administration panel (for example with Burp Suite) and check whether state-changing requests carry a CSRF token; if a replayed request is still accepted with the token and Referer header removed, the panel is vulnerable.
Check Version:
Check the SpagoBI version in the web interface or configuration files, typically in /WEB-INF/version.properties or similar.
Verify Fix Applied:
Verify that all forms in the user administration panel include unique CSRF tokens and that requests are rejected without valid tokens.
📡 Detection & Monitoring
Log Indicators:
- Unusual user creation or modification events from unexpected IP addresses or user agents
- Multiple failed CSRF token validation attempts in application logs
Network Indicators:
- HTTP POST requests to user administration endpoints without CSRF tokens or with mismatched referrers
SIEM Query:
source="spagobi.log" AND (event="user_created" OR event="user_modified" OR event="user_deleted") AND NOT user_agent="expected_browser"
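The log, network and SIEM indicators above, implemented as an added example over constructed log lines (not the advisory's own tooling and not SpagoBI's real log format): each state-changing user event is checked against a trusted admin network, an expected browser user-agent prefix and the application's own host in the Referer, and bursts of CSRF validation failures per source address are reported. The key=value log layout, event names, field names and sample values are all assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample log lines in an assumed key=value layout.
LOG_LINES = [
    'ts=2024-01-10T09:01:02Z event=user_created actor=admin target=alice src_ip=10.0.5.12 '
    'user_agent="Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0" referer=https://bi.example.internal/users',
    'ts=2024-01-10T09:03:44Z event=user_modified actor=admin target=bob src_ip=10.0.5.12 '
    'user_agent="Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0" referer=https://bi.example.internal/users',
    # CSRF shape: the victim's normal address and browser, but a foreign Referer.
    'ts=2024-01-10T10:22:51Z event=user_created actor=admin target=dave src_ip=10.0.5.12 '
    'user_agent="Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0" referer=https://lure-site.example/page.html',
    'ts=2024-01-10T11:15:09Z event=user_created actor=admin target=svc_backup src_ip=198.51.100.7 '
    'user_agent="python-requests/2.31"',
    'ts=2024-01-10T11:15:10Z event=csrf_validation_failed actor=admin src_ip=198.51.100.7 user_agent="python-requests/2.31"',
    'ts=2024-01-10T11:15:11Z event=csrf_validation_failed actor=admin src_ip=198.51.100.7 user_agent="python-requests/2.31"',
    'ts=2024-01-10T11:15:12Z event=csrf_validation_failed actor=admin src_ip=198.51.100.7 user_agent="python-requests/2.31"',
    'ts=2024-01-10T12:00:00Z event=login actor=carol src_ip=10.0.5.30 user_agent="Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"',
]

# key=value pairs; values may be double-quoted (user agents contain spaces).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
STATE_CHANGING = {"user_created", "user_modified", "user_deleted"}


def parse_line(line):
    """Turn one log line into a dict of its key=value fields."""
    out = {}
    for m in KV_RE.finditer(line):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def find_indicators(lines, trusted_nets, expected_ua_prefixes, app_host, csrf_fail_threshold=3):
    """Return findings for user-administration events that break the
    expected source network, user agent or Referer host, plus one finding
    per source address that accumulates csrf_fail_threshold validation failures."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    csrf_failures = Counter()
    for raw in lines:
        rec = parse_line(raw)
        event = rec.get("event")
        src = rec.get("src_ip", "")
        if event == "csrf_validation_failed":
            csrf_failures[src] += 1
            continue
        if event not in STATE_CHANGING:
            continue
        reasons = []
        try:
            if not any(ipaddress.ip_address(src) in n for n in nets):
                reasons.append("untrusted source ip")
        except ValueError:
            reasons.append("unparseable source ip")
        ua = rec.get("user_agent", "")
        if not any(ua.startswith(p) for p in expected_ua_prefixes):
            reasons.append("unexpected user agent")
        ref = rec.get("referer", "")
        ref_host = urlparse(ref).hostname if ref else None
        if ref_host != app_host:
            reasons.append("missing or mismatched referer")
        if reasons:
            findings.append({"ts": rec.get("ts"), "event": event, "target": rec.get("target"),
                             "src_ip": src, "reasons": reasons})
    for src, n in csrf_failures.items():
        if n >= csrf_fail_threshold:
            findings.append({"ts": None, "event": "csrf_failure_burst", "target": None,
                             "src_ip": src, "reasons": [f"{n} csrf validation failures"]})
    return findings


if __name__ == "__main__":
    for f in find_indicators(LOG_LINES, ["10.0.0.0/8"], ["Mozilla/5.0"], "bi.example.internal"):
        print(f)
```

Note the third sample line: in a genuine CSRF the request is sent by the victim's own browser, so the source address and user agent look like the administrator's normal traffic and the "unexpected IP or user agent" rule in the SIEM query above does not fire. The mismatched or absent Referer on a state-changing request, and a burst of CSRF validation failures once tokens are enforced, are the signals that survive that case.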