2020-02 Security update

2020-02 Security update

← All Topics

Our commitment to Security and Privacy

Labforward is committed to achieving and maintaining the trust of our customers. Integral to this mission is that we always strive to provide robust security procedures and strictly adhere to the GDPR and our Privacy Policy. You can refer to our policy regarding security update disclosures here.

Summary

Labforward released a security update for Labfolder. This release contains:
  1. Security enhancements that help prevent potential cross-site scripting (XSS) vulnerabilities.
  2. General updates to third party library components in response to automated security advisories.
  3. General updates to keep our cloud infrastructure on the latest versions.

Timeline of cross-scripting issue handling

  • January 16th 2020 – Issue was reported by a former employee of Labfolder.
  • January 17th 2020 – First patch released to the Cloud environment (Labfolder v1.28.14).
  • January 20-24th 2020
    • Further investigation to prevent related issues.
    • Analysis of audit trail and event logs does not show any activity attempting to exploit this vulnerability other than in test accounts.
    • Classification of Severity and Exploitability finalized.
  • January 28th 2020 – Additional security improvements have been released to the Cloud (Labfolder v1.28.16).
  • February 11th 2020 – Final release related to XSS issue released to Cloud (Labfolder v.1.29.0). Includes the new Well Plate Template feature as well as application performance improvements.
  • February 12th-24th 2020 – Monitoring period before public disclosure.
  • February 18th 2020 – Release of server update to on-premise customers.
  • February 25th 2020 – Publication of this Security Update and update to Labfolder’s release notes.

Severity = What is the worst theoretical outcome?

Issue Rating Description
Critical A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email. Labforward recommends that customers apply Critical updates immediately
Important A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. These scenarios include common use scenarios where client is compromised with warnings or prompts regardless of the prompt’s provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered. Labforward recommends that customers apply Important updates at the earliest opportunity.
X Moderate Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations. In this case, the impact of XSS vulnerabilities was significantly mitigated by the fact that a bad actor would only be able to share malicious code with members of their Labfolder group or sub-group. Labforward recommends that customers apply Moderate updates at the earliest opportunity.
Low Impact of the vulnerability is comprehensively mitigated by the characteristics of the affected component. Labforward recommends that customers evaluate whether to apply the security update to the affected systems.

Classification of Severity and Exploitability

Issue Rating Description
Exploitation Detected Labforward is aware of an instance of this vulnerability being exploited. As such, customers who have reviewed the security update and determined its applicability within their environment should treat this with the highest priority.
Exploitation More Likely Labforward analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, Labforward is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created. As such, customers who have reviewed the security update and determined its applicability within their environment should treat this with a higher priority.
Exploitation Less Likely Labforward analysis has shown that while exploit code could be created, an attacker would likely have difficulty creating the code, requiring expertise and/or sophisticated timing, and/or varied results when targeting the affected product. Moreover, Labforward has not recently observed a trend of this type of vulnerability being actively exploited in the wild. This makes it a less attractive target for attackers. That said, customers who reviewed the security update and determined its applicability within their environment should still treat this as a material update. If they are prioritizing against other highly exploitable vulnerabilities, they could rank this lower in their deployment priority.
X Exploitation Unlikely Labforward analysis shows that successfully functioning exploit code is unlikely to be utilized in real attacks. This means that while it might be possible for exploit code to be released that could trigger the vulnerability and cause abnormal behavior, the full impact of exploitation will be more limited. Moreover, Labforward has not observed instances of this type of vulnerability being actively exploited in the past. Thus, the actual risk of being exploited from this vulnerability is significantly lower. Therefore, customers who have reviewed the security update to determine its applicability within their environment could prioritize this update below other vulnerabilities within a release.

General Recommendations

  • All users should always use the latest version of our recommended browsers (Chrome, Firefox, Edge and Safari). In addition, make sure to always update your operating system to the latest version, and have an antivirus software in place to protect your devices and data.
  • IT admins of our on-premise customers should update their systems as quickly as practical, especially when a new release includes a security patch.
  • IT admins of our on-premise customers should keep the operating system and all components (i.e. Docker) of their on-prem servers up to date.
  • While our classification system is intended to provide a broadly objective assessment of each issue, we strongly encourage customers to evaluate their own environments and make decisions about which updates are required to protect their systems.
Tags: