CU Solutions Group Vulnerability Press Release – Additional Background
UPDATE: After this announcement, CU Solutions Group (CUSG) contacted LMG Security to share the good news that they had already pushed out an update to all CUSG CMS product users that remediated all three vulnerabilities listed in this 2/13/24 press release. CUSG also shared that they will add new proactive prevention processes to further enhance their security moving forward. This serves as a good reminder that routine penetration testing is a best practice to catch these security gaps before a breach, especially in commonly overlooked web and cloud applications.
Definitions
Cross-Site Scripting (XSS) is a security vulnerability that allows malicious actors to inject arbitrary HTML and JavaScript code into web pages viewed by other users, potentially enabling them to steal data or impersonate the victim.
SQL Injection (SQLi) is a security vulnerability that allows malicious actors to supply web pages with specially crafted user input data that directly influences the underlying SQL database query, potentially enabling them to steal or modify data contained within the database.
A Content Management System (CMS) is a software platform that enables users to create, manage, and edit content on a website without needing specialized technical knowledge.
CVE Overview
LMG Security’s Cybersecurity Consultant Emily Gosney found three critical security vulnerabilities in the CU Solutions Group (CUSG) Content Management System (CMS) product that impacts hundreds of organizations. Impacted customers should take immediate action.
The vulnerabilities identified are as follows.
CVE-2023-48987: A blind SQL injection vulnerability in ‘pages.php’ within the CMS admin portal could enable an authenticated malicious actor to gain full read/write access to the backend database, leading to a complete compromise of confidentiality, integrity, and availability of web content. A malicious actor with minimal privileges within the admin portal could leverage this vulnerability to elevate privileges. Most concerning, however, is the fact that a malicious actor could leverage this vulnerability to dump the “taft_user_master” table, which contains usernames and hashed passwords for the backdoor user accounts that CUSG employees utilize to access their customers’ admin portals, including the global “ultra admin” account. This table is populated from a template upon installation, indicating that every CMS customer has an identical copy of this table, and thus the credentials in this table are valid for every CMS customer. Additionally, the password hashes in this table are exceptionally easy to crack due to the use of weak and reused passwords, which means that a breach of any one of CUSG’s customers’ CMS environments can enable a malicious actor to gain “ultra admin” access to any other CMS customer that does not have Multi-Factor Authentication (MFA) enabled. This vulnerability underscores a systemic risk across all CMS installations globally.
CVE-2023-48985: A reflected cross-site scripting vulnerability in ‘login.php’, which is the CMS admin portal login page, could enable an unauthenticated malicious actor to intercept login credentials for the CMS admin portal. This vulnerability could be chained with CVE-2023-48987 to form a complete “zero to admin” kill chain.
CVE-2023-48986: A reflected cross-site scripting vulnerability in ‘users.php’ within the CMS admin portal. A lower privileged actor could leverage this vulnerability to elevate privileges or trick a user of a higher privilege level to perform unintended actions within the admin portal.
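As an added example (not code from the advisory, LMG Security, or CUSG), the following log-triage script flags web-server requests to the three admin-portal scripts named above that carry SQL-injection or script-injection indicators in their query parameters. The log lines, the /admin/ path prefix, and the indicator patterns are constructed assumptions, so defenders should adapt the paths to their own CMS deployment.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus
# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [13/Feb/2024:10:01:02 +0000] "GET /admin/pages.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Feb/2024:10:01:09 +0000] "GET /admin/pages.php?id=12%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Feb/2024:10:02:15 +0000] "GET /admin/login.php?msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "curl/8.1"
198.51.100.7 - - [13/Feb/2024:10:02:40 +0000] "GET /admin/users.php?search=bob HTTP/1.1" 200 3000 "-" "curl/8.1"
192.0.2.5 - - [13/Feb/2024:10:03:01 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Admin-portal scripts named in the advisory, mapped to the related CVE.
WATCHED_SCRIPTS = {
    "pages.php": "CVE-2023-48987 (blind SQLi)",
    "login.php": "CVE-2023-48985 (reflected XSS)",
    "users.php": "CVE-2023-48986 (reflected XSS)",
}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Coarse indicators only; a WAF ruleset would be far richer.
SQLI_RE = re.compile(r"""['"]\s*(?:and|or)\b|\bsleep\s*\(|\bbenchmark\s*\(|\bunion\b.*\bselect\b|--\s*$""", re.I)
XSS_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)

def classify_request(url):
    """Return a finding for a suspicious request to a watched admin script, else None."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    if script not in WATCHED_SCRIPTS:
        return None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again to catch double-encoded payloads.
        decoded = unquote_plus(value)
        if SQLI_RE.search(decoded):
            kind = "sqli"
        elif XSS_RE.search(decoded):
            kind = "xss"
        else:
            continue
        return {"script": script, "param": key, "kind": kind, "cve": WATCHED_SCRIPTS[script]}
    return None

def scan_log(text):
    """Run every parseable log line through classify_request and collect findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (f := classify_request(m.group("url"))):
            findings.append({**f, "ip": m.group("ip"), "ts": m.group("ts")})
    return findings
```

Feed real access logs to scan_log() and route any finding for the watched scripts to the incident queue; a hit against an unpatched pre-v7.75 install is a strong signal to upgrade and rotate credentials.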
LMG Security’s discovery and disclosure of these vulnerabilities reaffirm our commitment to cybersecurity and building a safer, more secure web. LMG Security responsibly disclosed all three vulnerabilities to CUSG in October 2023, and they may have addressed these vulnerabilities in CU Solutions Group CMS v7.75. LMG Security urges all credit unions who use affected versions of CUSG’s Content Management System to:
- Upgrade immediately to CUSG CMS v7.75.
- Turn on multi-factor authentication in the CUSG CMS.
- Contact CUSG for more information on any additional remediation steps. LMG Security contacted the CU Solutions Group to confirm remediation details and did not receive a response before the publication of the press release.
For additional information and screenshots, please visit our blog on this vulnerability: https://www.LMGsecurity.com/lmg-researcher-uncovers-3-new-critical-zero-days-cu-solutions-group-vulnerabilities-impact-all-cusg-cms-users/
Emily Gosney Bio
Emily Gosney is a distinguished Cybersecurity Consultant at LMG Security with 20+ years of IT experience, more than half of which she has dedicated to Information Security, specializing in penetration testing and vulnerability research. Prior to working for LMG Security, she was the COO of the password-cracking firm Terahash and has also held positions at Synack, KoreLogic, and NCC Group. Emily is an active member of the security community, serving as a DEFCON SOC Goon for the past 10 years and additionally helping to run Security B-Sides Las Vegas and HushCon Seattle. She is also a member of the Team Hashcat competitive password cracking team.