VYPR
Unrated severity · NVD Advisory · Published Jul 6, 2023 · Updated Nov 19, 2024

CVE-2023-29656

Description

An improper authorization vulnerability in the Darktrace mobile app (Android) prior to version 6.0.15 allows disabled and low-privilege users to control "antigena" actions (block/unblock traffic) from the mobile application. This vulnerability could create a "shutdown", blocking all ingress or egress traffic in the entire infrastructure where Darktrace agents are deployed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper authorization in Darktrace Mobile App (Android) prior to 6.0.15 allows disabled users to control antigena actions, potentially blocking all network traffic.

Vulnerability

The vulnerability is an improper authorization issue in the Darktrace Mobile App for Android, affecting Darktrace Threat Visualiser versions between 6.0.0 and 6.0.15 [1]. When a user account is disabled in the Threat Visualiser web console, the mobile app session does not automatically terminate, allowing the disabled user to retain access. This enables them to perform actions such as controlling "antigena" actions (block/unblock traffic) from the mobile app.

Exploitation

An attacker needs a valid user account that has been previously authorized on the mobile app. The attacker then requests that the account be disabled by a higher-privilege user (or the account becomes disabled for other reasons). After the account is disabled, the attacker can still log in to the mobile app using the same credentials and continue to access sensitive information and perform actions, including antigena actions that can block or unblock network traffic.

Impact

Successful exploitation allows a disabled or low-privilege user to control antigena actions, potentially blocking all ingress or egress traffic in the entire infrastructure where Darktrace agents are deployed, leading to a denial of service (shutdown). Additionally, the attacker can access sensitive information and perform other unauthorized actions within the app.

Mitigation

The vendor, Darktrace, resolved this issue in version 6.0.15 of the Darktrace Mobile App [1]. Users should update to version 6.0.15 or later. No workarounds are mentioned in the available references.
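The flaw described above, a mobile session that outlives a disabled account and a low-privilege user reaching block/unblock actions, is the kind that a server-side check on every request prevents. The sketch below is an added illustration, not Darktrace code or the vendor's fix; the role names, the in-memory stores and every function name are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical model for illustration only: roles, stores and function
# names are assumptions, not Darktrace's API.
RESPONSE_ROLES = {"admin", "responder"}  # roles allowed to block/unblock

@dataclass
class Account:
    name: str
    role: str
    enabled: bool = True

@dataclass
class Server:
    accounts: dict = field(default_factory=dict)  # name -> Account
    sessions: dict = field(default_factory=dict)  # token -> account name

    def login(self, token, name):
        acct = self.accounts.get(name)
        if acct is None or not acct.enabled:
            raise PermissionError("login refused")
        self.sessions[token] = name

    def disable(self, name, revoke=True):
        self.accounts[name].enabled = False
        if revoke:  # revoke=False models a console that leaves sessions alive
            self.sessions = {t: n for t, n in self.sessions.items() if n != name}

    def block_traffic_weak(self, token, target):
        # Weak pattern: a token issued at login is trusted indefinitely.
        if token not in self.sessions:
            raise PermissionError("no session")
        return f"blocked {target}"

    def block_traffic(self, token, target):
        # Hardened pattern: re-read account state and role on every request.
        acct = self.accounts.get(self.sessions.get(token))
        if acct is None or not acct.enabled:
            raise PermissionError("account disabled or session revoked")
        if acct.role not in RESPONSE_ROLES:
            raise PermissionError("role may not control response actions")
        return f"blocked {target}"
```

Disabling with `revoke=True` and checking account state per request are independent controls; either one alone closes the disabled-account path, and only the role check closes the low-privilege path.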

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
