Inova Partner 5.0.5-RELEASE, Build 0510-0906, and earlier (on-premise
installation) allows authenticated users authorization bypass via
insecure direct object reference
-------------------------------------------------

ID: KPMG-2018-001
Vendor: Inova Software
Software Name: Inova Partner
Vendor URL: https://www.inova-software.com
Vulnerable/tested versions: Inova Partner 5.0.5-RELEASE, Build 0510-0906,
  and earlier (on-premise installation)
Author: Sascha Eilers (KPMG)
Vulnerability status: Not fixed
Risk Level: Medium
CVSS Score: 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Product Details
---------------
Inova Partner is a CRM solution dedicated to biotech, pharma and other
life science companies. It allows users to centralize opportunity and
project information, including information on the asset, company, project
description, status, discussions, on-going activities, next steps,
important emails and documents, reviews and more. An integrated document
management system enables users to store, share, and manage CDA and due
diligence documents. Furthermore, the application offers easier
collaboration via its review features on associated documents for
internal and external partners. Inova Partner is designed to allow for
data access based on the assigned privilege levels to provided
information, functionalities and modules.

Vulnerability Details
---------------------
Description:
The application is prone to insecure direct object reference and does not
properly check authorization to access available objects. An
authenticated user having read-only privileges for accessible modules
can, under certain conditions, enumerate valid objects and disclose
further information with respect to the corresponding object. Read-write
users can make use of this approach as well. Assigned authorization
within the associated object did not prevent the vulnerability. Objects
marked as restricted are excluded from this issue.

Vulnerability Type:
Bypass authorization/Information disclosure

Prerequisites:
For read-only users, the URL to the individual object overview page must
be known and access to the corresponding module must be given. Read-write
users must have access to the corresponding module and can obtain the
required URL by creating new objects.

Authentication required:
Authentication is required.

Risk/Impact:
Insufficient authorization verification enables an attacker to access
identified objects by enumeration. Malicious users can bypass
authorization and access resources directly by modifying the value of a
parameter used to directly point to an object.

Proof of Concept
----------------
As an example, the following URL was known to the read-only user (Module
Pitches, individual Pitch overview page):

https://example.com/inova-partner/ctx/auth/JADA3BBBC77834CF144AD60100F1FD739.do?asset3Oid=Asset3Impl.16493.Tenant-1&22C7D11E648B7EDF=A89255C7B4842AAFDDFA4FCE47804B59

By iterating the given 5-digit integer in the value for parameter
"asset3Oid=Asset3Impl.16493.Tenant-1", we were able to identify further
valid objects previously unknown or not accessible.

Additionally, this approach can be used to circumvent any presumably
pre-filtered listings of accessible objects for available modules.
Information collected via this flaw can be used to exploit a further
vulnerability allowing data manipulation (KPMG-2018-002).

Based on the application setup and limited module access during our
analysis, we could not undoubtedly confirm this issue for assets,
contacts, organizations, events tracker and in-licensing/acquisitions.
However, we suspect those and other modules to be affected as well.

Solution
--------
Not available

Timeline
--------
Vulnerability discovered: 2018-05-11
Vendor notified: 2018-07-18
Vendor fix provided: N/A
Publication date: 2018-11-05

Credits
-------
This security vulnerability was found by Sascha Eilers of KPMG AG WPG.
E-Mail: seilers (at) kpmg.com
Key fingerprint = aa 18 90 16 74 24 05 b2 8b 81 bc b6 2d c3 f1 2b e0 ac dd 47

(CVE) References
----------------
Vendor URL: https://www.inova-software.com
KPMG AG WPG: https://home.kpmg.com/de/en/home.html
KPMG Security Advisory KPMG-2018-001:
https://www.kpmg.de/noindex/advisories/KPMG-2018-001.txt

Disclaimer
----------
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the KPMG AG WPG
website.

Copyright
---------
Creative Commons - Attribution (by) - Version 3.0
http://creativecommons.org/licenses/by/3.0/deed.en
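
With no vendor fix available, operators can look for the enumeration described under Proof of Concept in web access logs: one user requesting many consecutive asset3Oid values. The following Python is an added example, not part of the original advisory or of the vendor's code; the log layout, the thresholds, the PAGE.do path and all sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Parameter shape taken from the advisory's PoC URL.
OID_RE = re.compile(r"[?&]asset3Oid=Asset3Impl\.(\d+)\.Tenant-\d+")

def sample_line(user, oid, sec):
    # Constructed log line; "<time> <user> <method> <url> <status>" is an assumed layout.
    return (f"2018-05-11T09:00:{sec:02d} {user} GET "
            f"/inova-partner/ctx/auth/PAGE.do?asset3Oid=Asset3Impl.{oid}.Tenant-1 200")

# Constructed sample: alice and carol browse a few objects, bob walks the id range.
SAMPLE_LOG = "\n".join(
    [sample_line("alice", o, i) for i, o in enumerate([16493, 17002])]
    + [sample_line("bob", 16493 + i, 10 + i) for i in range(7)]
    + [sample_line("carol", o, 30 + i)
       for i, o in enumerate([12001, 13500, 14010, 15200, 16493])]
)

def longest_run(ids):
    """Length of the longest run of consecutive integers in a set of ids."""
    best = 0
    for i in ids:
        if i - 1 not in ids:          # i is the start of a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best

def find_enumeration(log_text, min_distinct=5, min_run=4):
    """Return {user: (distinct_ids, longest_run)} for users who appear to iterate ids."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                  # not in the assumed layout
        m = OID_RE.search(parts[3])
        if m:
            seen[parts[1]].add(int(m.group(1)))
    flagged = {}
    for user, ids in seen.items():
        run = longest_run(ids)
        if len(ids) >= min_distinct and run >= min_run:
            flagged[user] = (len(ids), run)
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

Requiring both many distinct ids and a long consecutive run keeps a user who legitimately opens several unrelated objects (carol in the sample) from being flagged.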