TB077 XSS Vulnerability on the Masking Engine
Alert Type: Security
Impact
FIPS 199 Severity Level: Critical
CVSS Score: 9.0, based on:
- Attack Vector (AV): N
- Attack Complexity (AC): L
- Privileges Required (PR): L
- User Interaction (UI): R
- Scope (S): C
- Confidentiality (C): H
- Integrity (I): H
- Availability (A): H
An attacker who can both authenticate as a Masking Engine user and is authorized to modify the following objects could inject active code into the following Masking Engine GUI pages:
- File and database inventory
- Import copybook using FTP/SFTP/Mount servers
- Algorithms
- Custom Algorithms
- Environments
- Define Fields (Fixed width and Delimited File Inventory)
- Import/Upload File UI across the application
- Error report on the Monitor page
- Export Inventory
When a user views these pages, malicious code will execute with the permissions of the user viewing the page and therefore can perform any actions allowed by the user’s role (e.g., create a new Masking user, edit a Masking connector, et cetera).
Contributing Factors
This article applies to the following versions of the Delphix engine (major release: all sub releases):
- 6.0: 6.0.0.0, 6.0.1.0, 6.0.2.0, 6.0.2.1
- 5.3: 5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0
- 5.2: 5.2.0.0, 5.2.1.0, 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.3.1, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1, 5.2.6.2
Symptoms
These attacks may be detected by reviewing the following for any code fragments (e.g., HTML <script> tags, JavaScript code, et cetera):
- Inventory details can be exported into a CSV file and imported back after modifying the required details, such as the algorithms for multiple fields/columns, in a single step. Any column name or field name in the modified inventory CSV file can contain code (e.g., HTML <script> tags, JavaScript code, etc.), which can result in an attack when the file is imported.
- Any copybook name returned by the GET /mainframe-dataset-connectors/{mainframeDatasetConnectorId}/fetch API when a copybook is imported using the FTP/SFTP/Mount connection mode.
- The following algorithm properties returned by the GET /algorithms API:
  - Custom Algorithm: mappletInput, mappletOutput
  - Free Text Redaction Algorithm: lookupRedactionValue, profileSetRedactionValue
- Any field name returned by the GET /file-field-metadata API.
- Any fileName returned by the GET /file-metadata API. Note that this field may normally contain a filePattern, for example "./*.txt". A file pattern uses the regular expression syntax defined by the Java Pattern class (the syntax is documented in the Java Pattern class documentation). This can also be detected in the audit logs.
- Any column name returned by the GET /column-metadata API.
- Any table metadata, such as "keyColumn", returned by the GET /table-metadata API.
- The date format attached to a field that uses a date algorithm, returned by the GET /file-field-metadata and GET /mainframe-dataset-field-metadata APIs.
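The review described above can be scripted against the decoded JSON of each listed API. The following is an added example written for this bulletin, not Delphix code: it scans the watched fields for markup while leaving a legitimate Java-regex filePattern such as "./*.txt" unflagged. The JSON key names fieldName, columnName and dateFormat are assumptions about the response shape, and the sample records are constructed.

```python
import html
import re

# Fields from the Symptoms list, keyed by the API that returns them. fileName, keyColumn
# and the algorithm properties come from the bulletin; fieldName, columnName and
# dateFormat are assumed JSON key names for the field, column and date-format values.
WATCHED_FIELDS = {
    "/algorithms": ["mappletInput", "mappletOutput",
                    "lookupRedactionValue", "profileSetRedactionValue"],
    "/file-field-metadata": ["fieldName", "dateFormat"],
    "/file-metadata": ["fileName"],
    "/column-metadata": ["columnName"],
    "/table-metadata": ["keyColumn"],
}

# Markup that has no place in a name, file pattern or date format. A legitimate
# Java-regex filePattern such as "./*.txt" matches none of these.
MARKUP_RE = re.compile(
    r"<\s*/?\s*[a-z!?]"    # opening/closing tag, comment or processing instruction
    r"|javascript\s*:"     # javascript: URL scheme
    r"|\bon[a-z]+\s*=",    # inline event handler attribute such as onload=
    re.IGNORECASE,
)


def is_suspicious(value):
    """True when a string holds markup, either raw or HTML-entity encoded."""
    if not isinstance(value, str):
        return False
    # Unescape once so an entity-encoded fragment is checked as the browser renders it.
    return bool(MARKUP_RE.search(value) or MARKUP_RE.search(html.unescape(value)))


def scan_response(endpoint, records):
    """Return (endpoint, key, value) for each watched field containing markup."""
    return [(endpoint, key, rec.get(key))
            for rec in records
            for key in WATCHED_FIELDS.get(endpoint, [])
            if is_suspicious(rec.get(key))]


# Constructed sample records, not real engine output.
SAMPLE_RESPONSES = {
    "/file-metadata": [{"fileMetadataId": 1, "fileName": "./*.txt"},
                       {"fileMetadataId": 2, "fileName": "cust<script>x</script>.txt"}],
    "/algorithms": [{"algorithmName": "Redact1", "lookupRedactionValue": "XXXX"},
                    {"algorithmName": "Redact2", "lookupRedactionValue": "&lt;img onerror=x&gt;"}],
}
```

Call scan_response once per endpoint with the JSON array it returned; each hit names the endpoint, the field and the offending value so it can be cross-checked against the audit logs.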
Example
Suppose an item above contains a script tag. When a Masking user views that item in the GUI, the script will execute with that user's permissions. For example, if the script contained logic to grant admin privileges to a non-admin account and the page was viewed by an admin, that admin could be tricked into granting admin privileges to the non-admin account.
Relief/Workaround
- At the network layer, IP address allowlisting may be used to limit Delphix appliance access to only approved users.
- Customers are strongly encouraged to upgrade to 6.0.3.0 or later.
Resolution
This issue is fully resolved in the 6.0.3.0 release.
Additional Information
N/A