
LDAPS encryption downgrade attack vulnerability

CVE-2023-35833

Assigning CNA: MITRE

CVSS 3.1 Base Score: 8.4 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)

MITRE CVE-2023-35833: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35833

Initial Reporter: This vulnerability was responsibly reported to Y Soft by Wouter Arts and Geert Braakhekke from WTH Security BV.

Affected Versions: All YSoft SAFEQ 6 Server versions 6.0.81 and lower.

 

Base Score Metrics

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Impact Metrics:

Confidentiality: High
Integrity: High
Availability: High

Temporal Score Metrics

Exploit Code Maturity: Functional exploit exists
Remediation Level: Official fix
Report Confidence: Confirmed

 

Executive Summary 

 

An issue was discovered in YSoft SAFEQ 6 Server. When an administrator changes the URL of the LDAP server configuration from LDAPS to plain LDAP, the system does not require the bind password to be re-entered; the stored password is reused and sent without TLS. This exposes the directory service account's credentials in cleartext when the server connects to a rogue LDAP server (or to any host on the path that can observe the connection).

 

Description of the attack

 

The attack proceeds as follows.

  1. The starting point is an existing, correctly secured SAFEQ environment that authenticates to the customer's directory over LDAPS.
  2. The attacker sets up a rogue LDAP service that accepts unencrypted ldap:// connections.
  3. The attacker manipulates (social engineers) a legitimate SAFEQ administrator into pointing the LDAP server configuration at the rogue ldap:// service instead of the existing LDAPS server.
  4. Because the stored password is not cleared when the URL changes, SAFEQ binds to the rogue server using the bind DN and password of the customer's real LDAPS service account, and the attacker reads those credentials in cleartext.
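To make step 4 concrete, the following is an added example (not Y Soft's code and not taken from the report) that decodes an LDAP simple BindRequest as it appears on the wire of an unencrypted ldap:// connection. The message bytes are constructed here with a small BER encoder; the bind DN and password are placeholders, not real SAFEQ values. Over LDAPS the same bytes would be inside TLS; over plain LDAP a rogue server or any host on the path reads them directly.

```python
from __future__ import annotations

# Added example, not Y Soft code: a minimal BER decoder for the LDAP simple
# BindRequest, showing exactly what a rogue ldap:// server (or anyone on the
# path) receives when a client binds without TLS. The sample message below is
# constructed for this example; the DN and password are placeholders.


def _ber(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV (definite lengths up to 65535 bytes)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value


def _ber_tlv(data: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode the TLV at data[pos]; return (tag, value, position after it)."""
    tag = data[pos]
    first = data[pos + 1]
    if first < 0x80:                      # short-form length
        length, start = first, pos + 2
    else:                                 # long form: 0x8N, then N length bytes
        n = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    return tag, data[start:start + length], start + length


def build_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """Encode LDAPMessage{messageID, BindRequest{version 3, name, simple}} (RFC 4511)."""
    bind = _ber(0x60,                                  # [APPLICATION 0] BindRequest
                _ber(0x02, b"\x03")                    # version INTEGER 3
                + _ber(0x04, bind_dn.encode())         # name LDAPDN (OCTET STRING)
                + _ber(0x80, password.encode()))       # authentication [0] simple
    return _ber(0x30, _ber(0x02, bytes([message_id])) + bind)  # message_id < 128 assumed


def parse_simple_bind(msg: bytes) -> dict:
    """Recover the bind DN and password from a cleartext simple BindRequest."""
    tag, body, _ = _ber_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msg_id, pos = _ber_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, bind, _ = _ber_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    tag, version, pos = _ber_tlv(bind, 0)
    tag, name, pos = _ber_tlv(bind, pos)
    tag, auth, _ = _ber_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL binds use [3], tag 0xA3)")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "bind_dn": name.decode("utf-8"),
        "password": auth.decode("utf-8"),   # on the wire unprotected over ldap://
    }


# Constructed sample (placeholder DN and password): what a client would send to
# a rogue ldap:// server if it reused the stored LDAPS service-account password.
SAMPLE_BIND = build_simple_bind(
    1, "CN=safeq-ldap,OU=Service Accounts,DC=example,DC=com", "Constructed-Pa55w0rd")

if __name__ == "__main__":
    print(parse_simple_bind(SAMPLE_BIND))
```

Running the block prints the decoded message ID, protocol version, bind DN and password; the same decoder works on the raw bytes of a real ldap:// capture, which is the practical check for whether a directory client is leaking its service-account credential.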

 

Note that any administrator who uses plain LDAP instead of LDAPS leaks the bind credentials and the directory data SAFEQ retrieves to the network, with or without this bug. We strongly advise customers not to use plain LDAP if they want to maintain a secure environment. SAFEQ needs only read permissions on its directory access account, so a low-privileged account is sufficient for the configuration, but whichever account is configured is the one whose credentials this attack captures.

 

Fix

The fix clears the stored password in the UI when the server URL is changed from LDAPS to LDAP, so the administrator must re-enter it deliberately. Note that the fix alone does not stop an attacker from capturing credentials or user information if they can still persuade the administrator to re-enter the password and connect to their rogue LDAP server.
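The following is an added example (hypothetical code, not Y Soft's implementation) that models the pre-fix and post-fix handling of the LDAP server URL side by side, together with a check for whether the next bind would send the password unprotected and a stricter policy that refuses plain ldap:// outright. The class, function and host names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Added example, not Y Soft's code: a hypothetical model of the LDAP server
# configuration showing the pre-fix behaviour next to the fixed behaviour,
# plus the stricter policy the advisory recommends (no plain ldap:// at all).


@dataclass
class LdapConfig:
    url: str                      # e.g. "ldaps://dc01.example.com:636" (placeholder host)
    bind_dn: str
    password: Optional[str]       # None means "must be (re)entered by the admin"


def scheme_of(url: str) -> str:
    return urlsplit(url).scheme.lower()


def update_url_vulnerable(cfg: LdapConfig, new_url: str) -> LdapConfig:
    """Behaviour before the fix: the stored password survives any URL change,
    including ldaps:// -> ldap://, so the next bind sends it in cleartext."""
    cfg.url = new_url
    return cfg


def update_url_fixed(cfg: LdapConfig, new_url: str) -> LdapConfig:
    """Behaviour after the fix: dropping TLS clears the stored password,
    so the admin must re-enter it and cannot reuse it unknowingly."""
    if scheme_of(cfg.url) == "ldaps" and scheme_of(new_url) != "ldaps":
        cfg.password = None
    cfg.url = new_url
    return cfg


def sends_cleartext_credentials(cfg: LdapConfig) -> bool:
    """True if the next bind would put the password on the wire unprotected."""
    return scheme_of(cfg.url) == "ldap" and cfg.password is not None


def require_ldaps(cfg: LdapConfig) -> None:
    """Stricter policy: refuse to save or use any non-LDAPS configuration.
    Clearing the password does not help once the admin types it again against
    a rogue ldap:// server; refusing plain LDAP removes that path entirely."""
    if scheme_of(cfg.url) != "ldaps":
        raise ValueError(f"plain LDAP is not allowed: {cfg.url}")


def demo() -> dict:
    """Walk through the three cases and return the observations."""
    real_dn = "CN=safeq-ldap,DC=example,DC=com"         # placeholder
    rogue = "ldap://rogue.attacker.example:389"          # placeholder rogue server
    before = update_url_vulnerable(
        LdapConfig("ldaps://dc01.example.com:636", real_dn, "secret"), rogue)
    after = update_url_fixed(
        LdapConfig("ldaps://dc01.example.com:636", real_dn, "secret"), rogue)
    reentered = LdapConfig(after.url, after.bind_dn, "secret")  # admin types it again
    return {
        "vulnerable_leaks": sends_cleartext_credentials(before),
        "fixed_leaks": sends_cleartext_credentials(after),
        "fixed_password_cleared": after.password is None,
        "reentered_leaks": sends_cleartext_credentials(reentered),
    }


if __name__ == "__main__":
    print(demo())
```

The `reentered_leaks` case is the caveat in the paragraph above: once the administrator re-enters the password against an ldap:// URL, the fixed code behaves exactly like the vulnerable one, which is why `require_ldaps` (or an equivalent policy) is the control that actually closes the social-engineering path.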

 

Patching

To secure your system, update to the latest available build (Build 82 and newer), where this issue is resolved.
