Multiple Vulnerabilities in dnaLIMS Disclosed After Vendor Failed to Engage with Security Researchers
Multiple vulnerabilities exist in dnaLIMS, a web based laboratory information management system that provides scientists and researches with tools for processing and managing DNA sequencing requests. dnaLIMS, developed and sold by dnaTools, is used by academia, business and government; and is found in many US universities. The vulnerabilities are described as critical.
They were discovered in Q4 2016 by boutique security firm Shorebreak Security, and were reported to the vendor on Nov. 6. Shorebreak had been commissioned by a hospital user of dnaLIMS to perform a blackbox penetration test of the product. Users of dnaLIMS should note that at the time of writing this, the vulnerabilities have not been patched and are publicly known. For now, users should restrict access to authorized hosts only and make sure that the product cannot be accessed from the public internet; although in university environments that will still leave potential access to many thousands of students and academic researchers.
Shorebreak attempted to follow ‘responsible disclosure’ guidelines and reported seven serious vulnerabilities privately to the vendor. After four months of trying to engage with the vendor, it publicly disclosed the vulnerabilities in an advisory published this week. “Researchers cannot keep quiet about vulnerabilities indefinitely,” Shorebreak CEO Mark Wolfgang told SecurityWeek. “If we can find these problems, so can hackers — and dnaLIMS users need to be aware of the issues.”
The vulnerabilities include an improperly protected web shell, unauthenticated directory traversal, insecure password storage, session hijacking, multiple cross-site scripting, and improperly protected content.
“An unauthenticated attacker,” warns the advisory, “has the ability to execute system commands in the context of the web server process, hijack active user sessions, retrieve system files (including the plaintext password file), and inject untrusted html or JavaScript into the dnaLIMS application. An attacker could use these vulnerabilities together in order to gain control of the application as well as the operating system hosting the dnaLIMS software. If this software is being hosted publicly or in a DMZ this could act as a pivot point to launch further attacks or move laterally into trusted network(s).”
Wolfgang described his frustrations in trying to engage with the vendor. When he asked dnaTools for a PGP key to deliver the details securely, he was told to print them out and send hard copy through the post. “I got the feeling,” Wolfgang told SecurityWeek, “they thought or hoped we wouldn’t bother.” But he did. He did so on Nov. 16, 2016, using USPS Certified Mail. But it wasn’t until Dec. 8 that dnaTools acknowledged receipt and suggested that users place the application behind a firewall.
When he asked the vendor if it had a plan to address the vulnerabilities, he received the reply, “Yes, we have a plan. Please gather a DNA sequence, PO Number, or Fund Number and go to your local grocery store and see what it will buy you.” The vendor clearly believes that the vulnerabilities cannot lead to meaningful data loss.
SecurityWeek emailed dnaTools requesting its point of view, but received no reply.
Earlier this week, Zenofex of exploiteers disclosed a series of vulnerabilities in Western Digital’s My Cloud range of storage devices. Zenofex went straight to full public disclosure because, he told SecurityWeek, he had no confidence “in regards to [the] manufacturer’s ability to properly triage and fix vulnerabilities in their code.”
With dnaTools, Shorebreak Security attempted to follow responsible disclosure guidelines — indeed, it exceeded those guidelines by giving the vendor four months to fix the product. But in the end, the result was the same in both cases: full public disclosure with no immediate fix from the vendor.