LabKey Vulnerabilities Threaten Medical Research Data

LabKey Server version 18.3.0-61806.763, released on January 16, patches all three issues, so users should update as soon as possible.

A trio of vulnerabilities in a popular open source medical data collaboration tool leaves important healthcare research data and potentially subject information open to multiple cross site scripting (XSS) attacks. The flaws are serious as they allow an attacker to retrieve user credentials once a user clicks a malicious link.

Tenable Research on Thursday said that the flaws, which exist in LabKey Server Community Edition 18.2-60106.64, allow a remote unauthenticated attacker to run arbitrary code through their browser, create open redirects to push users to malicious URLs, and map malicious network drives after gaining administrative access.

“The attacker could perform any action that their target could perform on the LabKey system since they would be using the victim’s credentials,” Jacob Baines, senior research engineer at Tenable, told Threatpost. “This could potentially mean accessing or manipulating research data, depending on the targeted user’s access.”

LabKey Server is a software suite available for scientists to integrate, analyze and share biomedical research data. The platform acts as a data repository that allows web-based querying, reporting and collaborating across a range of data sources. As far as the scope of the attack surface, according to its website, public health organizations, medical research centers, and universities around the globe use LabKey solutions.

“Based on a Shodan search, there are some internet-facing LabKey servers, which expands the available attack surface,” Baines said. The server has a very distinctive Set-Cookie header that contains X-LAB-CSRF.”

The first vulnerability, CVE-2019-3911, is an XSS flaw stemming from query functions not being validated or sanitized properly.

“Because this parameter is reflected in the output to the user and interpreted by the browser, a cross site scripting attack becomes possible,” the firm explained in an advisory, posted on Thursday. “This allows an attacker to run arbitrary code within the context of the user’s browser. The XSS attacks are possible either authenticated or unauthenticated due to extra ‘__r#’ paths that are available in a default installation.”

A second flaw, CVE-2019-3912, allows open redirects because the returnUrl function is also unsanitized in a way that allows certain return paths to be edited. An attacker can this use these to redirect users to a location controlled by the attacker themselves.

And finally, CVE-2019-3913 is a logic flaw in LabKey Server’s network drive mapping functionality. To exploit it, an attacker would need administrative access to LabKey Server’s web interface.

“When mapping a network drive from command line, a lack of sanitation in the mount() function would allow an attacker to mount their own malicious drives to the server,” according to the advisory.

Baines told that the more severe vulnerabilities, CVE-2019-3911 and CVE-2019-3912, are the two flaws that would generally be used in an attack. A malicious actor would exploit both CVE-2019-3911 and CVE-2019-3912 by providing a malicious link to an unsuspecting user.

“An example attack scenario for CVE-2019-3912 would be for a bad actor to set up a fake login page,” he explained. “The attacker would then send an unsuspecting user a malicious link to a LabKey login page. When the user logs in to the real LabKey server, they would be forwarded to the fake page the attacker set up. The user, confused, inputs their credentials again and has now been compromised.”

Meanwhile, an example attack for CVE-2019-3911 would be for the attacker to create a malicious link, which would have extra Javascript that the attacker has inserted and the victim’s browser will execute.

“If a logged-in LabKey user clicks the attacker’s link, then the Javascript can send the user’s cookies to the attacker — giving them access to the user’s sessionID,” Baines said.

LabKey Server version 18.3.0-61806.763, released on January 16, patches all three issues, so users should update as soon as possible.

Interested in learning more about data breach trends? Watch the free, on-demand Threatpost webinar, as editor Tom Spring examines the data breach epidemic with the help of noted breach hunter and cybersecurity expert Chris Vickery. Vickery shares how companies can identify their own insecure data, remediate against a data breach and offers tips on protecting data against future attacks.

Suggested articles