Critical Software Vulnerabilities Impacting Credit Unions Discovered by LMG Security Researcher: Immediate Action Recommended
UPDATE: After this announcement, CU Solutions Group (CUSG) contacted LMG Security to share the good news that they had already pushed out an update to all CUSG CMS product users that remediated all three vulnerabilities listed in this 2/13/24 press release. CUSG also shared that they will add new proactive prevention processes to further enhance their security moving forward. This serves as a good reminder that routine penetration testing is a best practice to catch these security gaps before a breach, especially in commonly overlooked web and cloud applications.
MISSOULA, Mont., February 13, 2024 – LMG Security, an internationally recognized cybersecurity consulting firm, has discovered three new critical software vulnerabilities that pose a significant threat to hundreds of organizations in the United States. Emily Gosney, a cybersecurity consultant at LMG Security, discovered these vulnerabilities in a CU Solutions Group (CUSG) Content Management System (CMS) web application that is primarily used by credit unions to manage content. A malicious user could leverage these vulnerabilities to gain “ultra admin” access to any organization running this application.
“Impacted organizations using versions prior to v7.75 of this web application are urged to upgrade, and organizations using any version of CUSG’s CMS should enable multi-factor authentication immediately,” said Emily Gosney, cybersecurity consultant at LMG Security. The identified vulnerabilities have been assigned the following CVE IDs:
- CVE-2023-48985: A reflected cross-site scripting vulnerability in the CUSG CMS admin portal login page ‘login.php’ could enable an unauthenticated malicious actor to intercept login credentials for the CMS admin portal. This vulnerability could be chained with CVE-2023-48987 to form a complete “zero to ultra admin” kill chain.
- CVE-2023-48986: A reflected cross-site scripting vulnerability in ‘users.php’ within the CUSG CMS admin portal could enable a lower-privileged malicious actor to elevate privileges or trick a user with a higher privilege level into performing unintended actions within the admin portal.
- CVE-2023-48987: A blind SQL injection vulnerability in ‘pages.php’ within the CUSG CMS admin portal could enable an authenticated malicious actor to gain full read/write access to the backend database and leverage it to obtain the “ultra admin” password, which grants access to any organization running this CMS that does not have multi-factor authentication enabled.
“The ‘ultra admin’ account is a vendor backdoor account that grants access to every installation of this application globally,” Gosney continued. “Just one organization running an outdated version of CUSG’s CMS can put all other users at risk, including those who are already running the latest version.”
To protect themselves from a data breach, Gosney advises, “Impacted organizations should immediately upgrade to the latest software version and enable multi-factor authentication to prevent malicious actors who possess the ‘ultra admin’ password from logging into their CUSG CMS application portal.” This discovery was reported to CUSG with more than the standard 90-day window to fix the issue before this announcement. Read our press background materials at https://www.LMGsecurity.com/press-background-cusg-vulnerability-2-13-24/
Gosney recommends that organizations stay vigilant about supplier security standards for their current and prospective suppliers. She also recommends that organizations conduct penetration testing that includes web application and cloud environments at least annually, so that experts can identify their security gaps before an attacker uses them to breach their environment. LMG Security’s discovery and disclosure of these vulnerabilities reaffirms our commitment to cybersecurity and building a safer, more secure web. LMG Security responsibly disclosed all three vulnerabilities to CUSG, and the software provider may have addressed these vulnerabilities in its application v7.75.
ABOUT LMG Security
LMG Security is an internationally recognized leader in cybersecurity consulting, specializing in penetration testing, advisory and compliance services, cybersecurity solutions, and training. Over the past 15 years, the LMG Security team has been featured on the Today show, and team members have been quoted in the New York Times, the Wall Street Journal, and many other publications. In addition, the team has published cutting-edge research, written books on ransomware and cyber extortion, network forensics, and data breaches, and routinely speaks at Black Hat, RSA, and many other security conferences. For more information, visit LMGsecurity.com or follow LMG Security on LinkedIn.
Contact:
Leslie Bishop
+1-406-830-3165