Lansweeper fixes four bugs in the IT asset management platform
Researchers have discovered multiple vulnerabilities in the Lansweeper IT asset management platform that could allow an attacker to inject malicious code onto a targeted device.
The four vulnerabilities affect version 126.96.36.199 of the Lansweeper platform. Lansweeper is widely used in enterprises for asset discovery, asset management and security management. Cisco Talos researchers discovered the flaws and reported them to Lansweeper, which released an update to address them on February 21.
Each of the vulnerabilities resides in a different .aspx file, and an attacker could send a malicious HTTP request to a vulnerable device to inject malicious code. Three of the vulnerabilities are SQL injection bugs, while the fourth is a cross-site scripting vulnerability.
“The HTTP request may trigger an error which potentially allows the attacker to inject SQL code. An adversary must be authenticated and have appropriate permissions to exploit these vulnerabilities,” the Talos advisory states.
“Users are encouraged to update these affected products as soon as possible: Lansweeper version 188.8.131.52. Talos has tested and confirmed that this release is affected by these vulnerabilities. Lansweeper 9.2.0 includes fixes for these issues.”
“An attacker controlling the parameter value and name is able to set new values for table fields such as loginmessage and loginfootertext. There is an attempt to sanitize the two fields mentioned in line 240 before they are updated with a value of parameter value == text4. Unfortunately, this check is not correct, and we can simply bypass it by setting, for example, the value of name == text5 to, for example, Loginmessage or loginmessage. This way, none of the characters we use will be removed from line 153,” the notice reads.
“At the same time, we are bypassing the text5 == loginmessage check. As a result, we can insert controlled data into the database without any sanitization. To trigger this vulnerability, an attacker must be authenticated and have the necessary permissions to modify loginlayout fields. The injected code will be automatically triggered each time a user visits the lansweeper login page.”
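The flaw the advisory describes is a sanitization check keyed on an exact, case-sensitive match of a request-supplied field name, while the database matches column names case-insensitively. The following is an added illustration of that pattern and its fix; it is constructed for this article and is not Lansweeper's code or schema. The table `loginlayout`, the helper names and the in-memory SQLite database are all assumptions used to make the example run stand-alone.

```python
import html
import sqlite3

# Constructed in-memory table standing in for the login-page settings the
# advisory names (loginmessage, loginfootertext). Not the vendor's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE loginlayout (id INTEGER PRIMARY KEY, "
        "loginmessage TEXT, loginfootertext TEXT)"
    )
    conn.execute("INSERT INTO loginlayout VALUES (1, '', '')")
    return conn

# Columns a request may update, kept in canonical lower case.
ALLOWED_FIELDS = {"loginmessage", "loginfootertext"}

def weak_update(conn, name, value):
    """Flawed pattern (hypothetical reconstruction of what the advisory
    describes): the sanitizer runs only when the submitted name equals the
    literal 'loginmessage', and the name itself is spliced into the statement.
    A differently cased name skips the sanitizer, and SQL identifier matching
    is case-insensitive, so the raw value still lands in the same column."""
    if name == "loginmessage":
        value = html.escape(value)
    conn.execute(f"UPDATE loginlayout SET {name} = '{value}' WHERE id = 1")
    conn.commit()

def hardened_update(conn, name, value):
    """Fix: normalise the name, accept only allow-listed columns, encode the
    value whichever field is targeted, and bind the value as a parameter so
    the database never parses it as SQL."""
    field = name.strip().lower()
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not updatable: {name!r}")
    conn.execute(
        f"UPDATE loginlayout SET {field} = ? WHERE id = 1",
        (html.escape(value),),
    )
    conn.commit()

def read_field(conn, field):
    """Read back one allow-listed column (name validated before interpolation)."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"unknown field: {field!r}")
    row = conn.execute(f"SELECT {field} FROM loginlayout WHERE id = 1").fetchone()
    return row[0]

if __name__ == "__main__":
    sample = "<b>welcome</b>"          # constructed markup, stands in for attacker data
    db = make_db()
    weak_update(db, "Loginmessage", sample)
    print("weak    :", read_field(db, "loginmessage"))   # raw markup stored
    db = make_db()
    hardened_update(db, "Loginmessage", sample)
    print("hardened:", read_field(db, "loginmessage"))   # encoded before storage
```

The detection takeaway for defenders is in `weak_update`: any branch that decides whether to sanitize based on a string comparison of untrusted input is a candidate for this class of bypass, and the fix is to validate the identifier against a fixed allow-list after normalisation and to bind values rather than format them into the query.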
Customers should upgrade to Lansweeper 9.2.0 as soon as possible to protect against attacks exploiting these flaws.