Tenable Research security researchers have discovered several flaws in LabKey Server Community Edition 18.2-60106.64 that hackers could exploit to steal user login credentials, access healthcare data, and run arbitrary code via the Labkey browser.
LabKey Server is an open source tool for collaboration that enables scientists to collaborate, assess, and share biomedical research information. The platform does serve as a safe and secure data repository, but three vulnerabilities have been found that could be exploited to bypass security controls.
Reflected XSS – CVE-2019-3911
Several flaws were identified in all LabKey Server Community Edition versions prior to v 18.3.0 related to validation and sanitization of query functions, particularly, the query.sort parameter. This parameter is shown in output to the user and is translated by the browser, which could be exploited in across site scripting attack. An attacker who exploits the vulnerabilities could execute arbitrary code through the browser.
Open Redirects – CVE-2019-3912
Open redirects through the returnURL are present across LabKey Server, which may be altered to redirect users to an website controlled by the attacker.
Network Drive Mapping Logic Flaw – CVE-2019-3913
Incorrect sanitization of provided values in the mount function permits a user to alter arguments in the ‘net use’ command when mapping network drives. Tenable Research has published a proof of concept exploit which permits a user to give any valid drive letter that will cause the application to end the connection, even if the rest of the mapping command is incorrect. Exploitation of this vulnerability could allow mapping of a malicious drive to the server. Administrator access to the web interface is required to exploit this flaw.
Tenable Research reported the vulnerabilities to LabKey and patches were issued on January 16, 2019 to correct the flaws. All users need to update to LabKey Server Community Edition 18.3.0-61806.763 or later as soon as possible to prevent the flaws from being exploited.