Security specialists at Tenable Research have identified a number of flaws in LabKey Server Community Edition 18.2-60106.64 which could be targeted to obtain user credentials, access medical data, and run arbitrary code via the Labkey browser.
LabKey Server is an open source collaboration tool that enables scientists to integrate, analyze, and distribute biomedical research data. While the platform acts as a secure data repository, flaws have been identified that allow security controls to be bypassed.
CVE-2019-3911 – Reflected XSS
A number of flaws have been discovered in all versions of LabKey Server Community Edition prior to v 18.3.0 related to the validation and sanitization of query functions, in particular, the query.sort parameter. The parameter is reflected in output to the user and is read by the browser, which allows access to a cross site scripting attack. If the flaws are targeted, a hacker could run arbitrary code within the context of the browser. Attacks are possible with the need for authentication.
CVE-2019-3912 – Open Redirects
Open redirects through returnURL have been seen throughout LabKey Server which could be targeted to redirect users to a location under the control of the hacker. __r paths are the easiest to manipulate.
CVE-2019-3913 – Network Drive Mapping Logic Vulnerability
Improper sanitization of supplied values in the mount function permits a user to use arguments in the ‘net use’ command when mapping network drives. Tenable has illustrated one of the flaws in a proof of concept exploit, which enables a user to supply any valid drive letter which will lead to the application ending the connection, even if the remainder of the mapping command is not correct. Admin access to the web interface would be needed for this flaw to be exploited. This flaw could be manipulated to map a malicious drive to the server.
Tenable Research disclosed the weaknesses to LabKey and patches were developed to address the three flaws. Updates to amend each of the vulnerabilities were released on January 16, 2019.
To stop the weaknesses from being targeted, all users should update to LabKey Server Community Edition 18.3.0-61806.763 or later as soon as they can.