Researchers have recently disclosed details of multiple security vulnerabilities in Extensis Portfolio software, including a remote code execution flaw affecting the Extensis Portfolio server.
Extensis Portfolio RCE Vulnerabilities
Elaborating on the details in a blog post, White Oak Security explained how their researchers found them during an external penetration test.
Extensis Portfolio is a digital asset management platform built around media sharing. Users, whether separate businesses or internal teams within a company, can use it to share images, videos, documents, and other media files.
Specifically, White Oak Security found a zero-day vulnerability affecting the Extensis Portfolio server: an instance deployed on the public internet with default admin credentials still in place. Because those credentials amount to a backdoor account with administrative privileges, an attacker who knows them can log in and perform any action an administrator can.
Digging further from that authenticated position, the researchers found an unrestricted file upload zero-day leading to remote code execution.
Following this discovery, the researchers performed a detailed analysis and identified five high-severity flaws in the platform. The vulnerabilities affect Extensis Portfolio versions 4.0 and 3.6.3. The bugs are:
- CVE-2022-24255: Hard-Coded Credentials in the Main and Admin Portals
- CVE-2022-24251: Authenticated Unrestricted File Upload in Main Portal
- CVE-2022-24252: Authenticated Unrestricted File Upload + Path Traversal in Main Portal
- CVE-2022-24254: Authenticated Archive Zip-Slip Path Traversal in Admin Portal
- CVE-2022-24253: Authenticated Unrestricted File Upload in Admin Portal
The first of these five bugs allows authentication bypass, whereas the remaining four, each of which requires an authenticated session, lead to remote code execution when exploited; in practice the hard-coded credentials supply that authentication, so the chain is reachable by anyone who can talk to the server.
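The four upload and archive bugs listed above are variants of one mistake: treating a client-supplied file name as a filesystem path. The following Python example is added here for illustration; it is not taken from the White Oak write-up or from Extensis's code, and it does not reproduce any Portfolio endpoint. It shows the two checks a server-side handler needs: a zip extractor that refuses any entry whose normalised path would land outside the destination directory (zip-slip), and an upload file name check that rejects path separators and traversal components and allowlists media extensions. The allowlist, the directory layout and the constructed archives are assumptions made for the example.

```python
"""Zip-slip and upload path-traversal checks (added illustration, not vendor code)."""
from __future__ import annotations

import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Assumed allowlist for a media-sharing upload endpoint; the real product's list is unknown.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".mp4"}


def is_safe_upload_name(filename: str) -> bool:
    """Accept only a bare file name (no directory parts) with an allowlisted extension.

    Rejects '/', '\\' and NUL so that '../shell.jsp' or '..\\shell.png' can never
    be joined onto a server path, and rejects dot-files and non-media extensions.
    """
    if not filename or "\x00" in filename:
        return False
    if "/" in filename or "\\" in filename:
        return False
    if filename in {".", ".."} or filename.startswith("."):
        return False
    return PurePosixPath(filename).suffix.lower() in ALLOWED_EXTENSIONS


def safe_extract(archive: bytes, dest: Path) -> list[Path]:
    """Extract every entry of `archive` under `dest`, refusing entries that escape it.

    The zip-slip check is the `target` containment test: the entry name is joined
    to the destination, fully resolved, and must still sit inside `dest`.
    """
    dest = dest.resolve()
    written: list[Path] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith(("/", "\\")) or "\x00" in name:
                raise ValueError(f"absolute or malformed entry name: {name!r}")
            target = (dest / name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"zip-slip entry escapes destination: {name!r}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def try_extract(archive: bytes) -> tuple[bool, list[str]]:
    """Extract into a throw-away directory; return (accepted, relative paths written)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        try:
            written = safe_extract(archive, dest)
        except ValueError:
            return False, []
        return True, [str(p.relative_to(dest.resolve())) for p in written]


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip; writestr keeps entry names verbatim, including '../'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives for the demonstration.
BENIGN_ZIP = build_zip({"catalog/photo.jpg": b"\xff\xd8\xff\xe0 not a real jpeg"})
# Entry name tries to climb out of the extraction directory into a (hypothetical) webroot.
MALICIOUS_ZIP = build_zip({"../../webapps/ROOT/shell.jsp": b"<% out.println(1); %>"})
ABSOLUTE_ZIP = build_zip({"/tmp/dropped.txt": b"x"})


if __name__ == "__main__":
    print("benign   :", try_extract(BENIGN_ZIP))
    print("zip-slip :", try_extract(MALICIOUS_ZIP))
    print("absolute :", try_extract(ABSOLUTE_ZIP))
    for name in ("photo.png", "../../shell.jsp", "shell.jsp", "..\\shell.png"):
        print(f"{name!r:22} -> {is_safe_upload_name(name)}")
```

The containment test is the important part: normalise first, then compare against the resolved destination rather than string-matching on `..`, because encodings and mixed separators can slip past a substring check while `Path.resolve()` collapses them all. Note that the file name check only governs where a file is written; whether the web server will execute an uploaded `.jsp` is a separate configuration question.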
No Patches Available Yet
After discovering the vulnerabilities, the researchers made repeated attempts to contact the vendor and report the bugs. However, despite those efforts to reach the Extensis team and inform them of the flaws, the vendor did not release a patch. According to the researchers,
Extensis acknowledges vulnerabilities and states that no timeline has been created for these issues, no security patch has been scheduled, and that the vulnerabilities have not been prioritized within their development queue.
Thus, the researchers decided to disclose the bugs publicly.