Multiple high-severity vulnerabilities have been disclosed in Passwordstate password management solution that could be exploited by an unauthenticated remote adversary to obtain a user's plaintext passwords.
"Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application," Swiss cybersecurity firm modzero AG said in a report published this week.
"Some of the individual vulnerabilities can be chained to gain a shell on the Passwordstate host system and dump all stored passwords in cleartext, starting with nothing more than a valid username."
Passwordstate, developed by an Australian company named Click Studios, has over 29,000 customers and is used by more than 370,000 IT professionals.
One of the flaws also impacts Passwordstate version 9.5.8.4 for the Chrome web browser. The latest version of the browser add-on is 9.6.1.2, which was released on September 7, 2022.
The list of vulnerabilities identified by modzero AG is below -
- CVE-2022-3875 (CVSS score: 9.1) - An authentication bypass for Passwordstate's API
- CVE-2022-3876 (CVSS score: 6.5) - A bypass of access controls through user-controlled keys
- CVE-2022-3877 (CVSS score: 5.7) - A stored cross-site scripting (XSS) vulnerability in the URL field of every password entry
- No CVE (CVSS score: 6.0) - An insufficient mechanism for securing passwords by using server-side symmetric encryption
- No CVE (CVSS score: 5.3) - Use of hard-coded credentials to list audited events such as password requests and user account changes through the API
- No CVE (CVSS score: 4.3) - Use of insufficiently protected credentials for Password Lists
Exploiting the vulnerabilities could permit an attacker with knowledge of a valid username to extract saved passwords in cleartext, overwrite the passwords in the database, and even elevate privileges to achieve remote code execution.
What's more, an improper authorization flow (CVSS score: 3.7) identified in the Chrome browser extension could be weaponized to send all passwords to an actor-controlled domain.
In an attack chain demonstrated by modzero AG, a threat actor could forge an API token for an administrator account and exploit the XSS flaw to add a malicious password entry to obtain a reverse shell and grab the passwords hosted in the instance.
Users are recommended to update to Passwordstate 9.6 - Build 9653 released on November 7, 2022, or later versions to mitigate the potential threats.
Passwordstate, in April 2021, fell victim to a supply chain attack that allowed the attackers to leverage the service's update mechanism to drop a backdoor on customer's machines.
