A few weeks ago, BSSI performed a penetration test that included ESRI's ArcGIS product in the customer's scope.
ArcGIS is a comprehensive mapping, analytics, and collaboration solution that puts geographic intelligence to work for everyone. It makes it possible to quickly create maps, manage and analyze geographic data, and share work with employees and customers. Its analytics tools help users gain insight into their data by linking it to Esri's demographic and lifestyle datasets for context.
There are two architecture platforms for the ArcGIS solution:
- ArcGIS Online: deployed in SaaS ("Software As A Service") mode, this offering provides high product availability and removes the need for the customer to manage any IT infrastructure
- ArcGIS Enterprise: deployed on-premises, this offering installs the ArcGIS software inside the customer's own IT infrastructure, giving the customer more control over the product and its management
The audit was conducted in black box mode: the application was tested without any prior information, as an attacker on the Internet would approach it.
A stored XSS, unlike a reflected XSS, is an injection of code into the application that is persisted in its database. As a result, the injected code executes automatically whenever the affected page loads, without any further user interaction.
The tests carried out by the auditors made it possible to identify a parameter vulnerable to Cross-Site Scripting (XSS) injections. The injection has been identified in the "URL" field of the "Parameters" tab of a "Document Link" type element:
The URL field is vulnerable to XSS injections
The following URL field was used in order to execute a malicious payload:
"> <img src = x onerror = alert (document.domain)>
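As an added illustration (not ArcGIS code and not part of the original write-up), the snippet below shows why a URL field like the one above is dangerous when rendered by string concatenation, and what the fix looks like: attribute-context HTML encoding plus validation that the value is an absolute http(s) URL. The function names, the `<a href>` rendering and the benign sample URL are assumptions chosen for the example; the payload string is the one quoted above.

```javascript
// Added example: rendering a user-supplied "URL" field into an <a href="..."> attribute,
// once unsafely (as a vulnerable "Document Link" element might) and once hardened.

// Constructed sample inputs: a benign link and the payload quoted in the write-up.
const SAFE_URL = "https://example.invalid/report.pdf";
const XSS_PAYLOAD = '"> <img src = x onerror = alert (document.domain)>';

// Vulnerable: raw concatenation. The leading quote in the input closes the href
// attribute and the remainder of the value becomes live markup in the page.
function renderLinkUnsafe(url, label) {
  return '<a href="' + url + '">' + label + '</a>';
}

// Encode the characters that can terminate an attribute value or text node.
function encodeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Accept only absolute http(s) URLs. Anything else (no scheme, javascript:, data:,
// unparsable input) is replaced by a harmless placeholder target.
function normaliseUrl(value) {
  try {
    const parsed = new URL(String(value).trim());
    if (parsed.protocol === "http:" || parsed.protocol === "https:") {
      return parsed.href;
    }
  } catch (_) {
    // not a parsable absolute URL: fall through to the placeholder
  }
  return "about:blank";
}

// Hardened: validate the URL first, then encode both attribute and text content.
function renderLinkSafe(url, label) {
  return '<a href="' + encodeHtml(normaliseUrl(url)) + '">' + encodeHtml(label) + '</a>';
}

// Stand-alone demonstration.
console.log("unsafe:", renderLinkUnsafe(XSS_PAYLOAD, "document"));
console.log("safe:  ", renderLinkSafe(XSS_PAYLOAD, "document"));
console.log("safe:  ", renderLinkSafe(SAFE_URL, "document"));
```

Encoding alone is not sufficient for an `href`: a value such as `javascript:...` contains no special characters to encode yet still executes, which is why the scheme check is kept separate from the HTML encoding step.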
Since the application's session cookies are issued without the "Secure" and "HttpOnly" flags, the injected script can read a user's session token and send it elsewhere without the user's knowledge. This could allow a full account takeover of any user who views the element.
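To check for the cookie weakness described above, a small audit of `Set-Cookie` headers is enough. The following is an added example written for this post, not code from Esri or BSSI; the cookie name `SESSIONID` and the header values are constructed placeholders, not ArcGIS's real cookie.

```javascript
// Added example: audit Set-Cookie headers for the Secure, HttpOnly and SameSite
// attributes, and produce a hardened version of a header that lacks them.

// Constructed sample headers: a weak cookie of the kind described in the write-up
// and the same cookie with the recommended attributes.
const WEAK_COOKIE = "SESSIONID=abc123; Path=/";
const HARDENED_COOKIE = "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax";

// Parse one Set-Cookie header. Attribute names are compared case-insensitively,
// as browsers do; an attribute without "=" is a boolean flag.
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim()).filter(Boolean);
  const name = pair.split("=")[0];
  const flags = new Map();
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const val = eq === -1 ? true : attr.slice(eq + 1);
    flags.set(key, val);
  }
  const missing = [];
  if (!flags.has("secure")) missing.push("Secure");
  if (!flags.has("httponly")) missing.push("HttpOnly");
  if (!flags.has("samesite")) missing.push("SameSite");
  return {
    name,
    secure: flags.has("secure"),
    httpOnly: flags.has("httponly"),
    sameSite: flags.has("samesite") ? flags.get("samesite") : null,
    missing,
  };
}

// Append whichever of the three attributes is absent; already-hardened headers
// are returned unchanged.
function hardenSetCookie(header) {
  const audit = auditSetCookie(header);
  let out = header.trim().replace(/;\s*$/, "");
  if (!audit.secure) out += "; Secure";
  if (!audit.httpOnly) out += "; HttpOnly";
  if (!audit.sameSite) out += "; SameSite=Lax";
  return out;
}

// Stand-alone demonstration.
for (const h of [WEAK_COOKIE, HARDENED_COOKIE]) {
  const a = auditSetCookie(h);
  console.log(a.name, a.missing.length ? "missing: " + a.missing.join(", ") : "ok");
  console.log("  hardened:", hardenSetCookie(h));
}
```

HttpOnly prevents `document.cookie` from exposing the session token to injected script; it does not stop the XSS itself, so it complements rather than replaces the output encoding fix.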
Check the video of the exploit on YouTube
Upon discovery of the vulnerability, the BSSI audit team contacted the affected product team within Esri and reported it. A patch has been available since December 2020 (corresponding to version 10.9).
This vulnerability is now known as CVE-2021-3012.
11/03/2020 – Discovery of the vulnerability
12/18/2020 – First contact with the Cyber-Security team of Esri
01/04/2021 – Report of the vulnerability
12/10/2020 – The vulnerability is fixed using the 10.9 patch
03/23/2021 – Vulnerability disclosure (patch + 90 days)