VYPR
Unrated severity · NVD Advisory · Published Nov 17, 2022 · Updated Apr 29, 2025

CVE-2022-44001

Description

An issue was discovered in BACKCLICK Professional 5.9.63. User authentication for accessing the CORBA back-end services can be bypassed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authentication for BACKCLICK Professional's CORBA back-end can be bypassed via the relogin or setupMandatorSwitch methods, allowing arbitrary user impersonation.

Vulnerability

The vulnerability resides in the BCServer CORBA back-end service of BACKCLICK Professional 5.9.63 (On-Premises). Session management relies on api_object objects obtained through the login method, which normally requires valid credentials. However, the relogin method bypasses the password check entirely, and the setupMandatorSwitch method disables the password check for the subsequent login call for a specified user ID. Additionally, object keys and CORBA IORs are insufficiently randomized, making them guessable [1].

Exploitation

An attacker with network access to the CORBA back-end service can call the relogin method to obtain a session object for any user without authentication. Alternatively, they can first call setupMandatorSwitch to disable the password check for a target user ID, then call login to gain a session. Guessing object keys or IORs provides another vector. No user interaction is required [1].

Impact

Successful exploitation allows the attacker to impersonate any user, gaining full access to application actions and data within that user's context. This can lead to unauthorized information disclosure, data manipulation, and privilege escalation, potentially compromising the entire application [1].

Mitigation

As of the public disclosure date (2022-11-14), the manufacturer had not released a fix, and the solution status remains unknown. No workarounds are documented. Users should monitor for updates from BACKCLICK GmbH. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
