Three vulnerabilities in the CU Solutions Group (CUSG) content management system (CMS) could have been exploited by hackers in attacks aimed at credit unions, cybersecurity consulting firm LMG Security reports.
CUSG provides technology and services tailored to credit unions, including a CMS solution that automates content management and usage traffic without technical expertise.
According to LMG Security, CUSG CMS iterations prior to version 7.75 are impacted by three critical vulnerabilities that could allow an attacker to obtain ‘ultra admin’ privileges, thus gaining access to any credit union account that is not protected by multi-factor authentication (MFA).
The first issue, tracked as CVE-2023-48985, is described as a reflected cross-site scripting (XSS) bug in the admin portal login page that could allow an unauthenticated attacker to intercept login credentials.
The second flaw, also a reflected XSS defect, is tracked as CVE-2023-48986 and could allow an attacker with access to a low-privileged account to elevate their privileges and “perform unintended actions within the admin portal”.
The third vulnerability, tracked as CVE-2023-48987, is a blind SQL injection bug in the admin portal that could be exploited by an authenticated attacker to “gain full read/write access to the backend database”.
An attacker with low privileges could exploit the flaw to dump a table containing the usernames and hashed passwords for CUSG’s administrative accounts, including the password for the ‘ultra admin’ account, a vendor backdoor account that provides access to all CMS installations globally.
For each CMS customer, the table is populated upon installation and an attacker only needs to hack one CUSG customer’s CMS environment to access all other environments, LMG Security notes, adding that “the password hashes in this table are exceptionally easy to crack”.
According to LMG Security, an unauthenticated attacker could chain CVE-2023-48985 and CVE-2023-48987 to obtain login credentials to the CMS and then gain ‘ultra admin’ privileges, allowing them to compromise any organization not using MFA.
“Impacted organizations should immediately upgrade to the latest software version and enable multi-factor authentication to prevent malicious actors who possess the ‘ultra admin’ password from logging into their CUSG CMS application portal,” LMG Security consultant Emily Gosney notes.
LMG Security says it reported the vulnerabilities to CUSG in October 2023, and that fixes might have been included in CUSG CMS version 7.75.
CUSG says the vulnerabilities were resolved on October 28, two days after receiving LMG Security’s report, “without client impact or exposure”. The company is notifying 275 credit unions that rely on its CMS of these vulnerabilities.
Related: ESET Patches High-Severity Privilege Escalation Vulnerability
Related: Zoom Patches Critical Vulnerability in Windows Applications
Related: Ivanti Vulnerability Exploited to Deliver New ‘DSLog’ Backdoor
