Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Karros Technologies Authentication Bypass

Critical

Synopsis

Researchers within Tenable have discovered security-related issues regarding the email verification process used by Karrostech’s hosted services. Karrostech (aka Karros Technologies) is a fleet management provider for student transportation systems and services.

 

While reviewing issues discovered in Edulog (https://tenable.com/security/research/tra-2023-41), Tenable researchers discovered a bypass to the email verification process in place that allowed access to portions of Karrostech’s infrastructure. This bypass ultimately allowed researchers to access potentially sensitive information and access internal administrative dashboards. The information revealed includes, but is not limited to, data regarding students (most of whom are minors) and their schools, GPS information, Karrostech internal information, and Karrostech customer information.

 

The KeyCloak instance hosted at https://accounts.karrostech.net/ was configured to allow self-registration on the Edulog realm and granted access to the account management portal by default. This portal allows users to change their usernames, emails, passwords, etc. It also allows users to view which applications are accessible via their Keycloak identity.

 

Application Access Page

Application Access Page

 

When a user changes their email address in this portal, their account is marked as unverified and requires them to re-verify before normal operation can continue. The researchers discovered that the version and configuration of this KeyCloak server did not revoke access tokens when an account became unverified, which allowed users to continue changing their email address as long as they had a valid session before becoming unverified. Additionally, previously generated verification links were also not revoked.

 

By manipulating their registered email address and verification links, the researchers were able to obtain a verified account for email addresses they do not actually have access to, such as an @karrostech.net address.

 

This allowed access to other resources where restrictions were based on the registered email domain (@karrostech.net). This allowed access to Karrostech’s logging and monitoring utilities, which contain information regarding sensitive datastores and administrative dashboards.

 

Signed in as admin@karrostech.net

Signed in as [email protected]

 

Access to an Administrative Dashboard

Access to an Administrative Dashboard

Solution

Karrostech has implemented fixes for the issues reported. As these are cloud-based services, no action is necessary for end users.

Disclosure Timeline

December 12, 2023 - Tenable attempts to obtain a security contact from Karrostech.
December 18, 2023 - Tenable makes second attempt to obtain a security contact from Karrostech.
January 17, 2024 - Tenable inquires about alternative contact via mutual connection (Edulog).
January 17, 2024 - Karrostech acknowledges.
January 22, 2024 - Tenable creates new thread for disclosure with Karrostech contact and requests acknowledgement that we may disclose to them. Karrostech acknowledges.
January 23, 2024 - Tenable discloses issues to Karrostech.
January 26, 2024 - Karrostech acknowledges.
February 21, 2024 - Tenable requests status update.
March 6, 2024 - Tenable requests status update.
April 2, 2024 - Tenable requests status update and provides reminder of disclosure date.
April 15, 2024 - Karrostech requests information regarding disclosure process and advisory preview.
April 16, 2024 - Karrostech requests information regarding disclosure process and advisory preview.
April 17, 2024 - Tenable provides advisory draft and requests further information.
April 18, 2024 - Karrostech provides draft of their advisory.
April 18, 2024 - Karrostech customer (Edulog) publicly discloses issue ahead of coordinated disclosure date.
April 19, 2024 - Tenable releases advisory and requests clarification regarding Karrostech statements in their advisory.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2024-11
Affected Products:
Karrostech’s authentication infrastructure
Risk Factor:
Critical

Advisory Timeline

April 19, 2024 - Initial release.