Undocumented authentication bypass issue in AEM Package Manager [Blog updated]
June 28, 2021
Note: This blog post has been updated to include a response from Adobe for accuracy on July 9, 2021.
We do not have any evidence of public exploitation in the wild that would justify the classification of this issue as a “0-day” vulnerability in Adobe Experience Manager (AEM).

For clarification, this issue does not impact AEM Cloud Service customers and only potentially impacts AEM on-premise or AEM as a Managed Service if default security configurations are removed.

As a result, this does not require a CVE from Adobe because AEM has the necessary security controls enabled by default to help protect customers. This out-of-the-box protection is available on supported versions of AEM.

Adobe recommends AEM customers review access controls for the CRX package manager path: /etc/packages.
This bug allows attackers to bypass authentication and gain access to Package Manager if the security controls for out-of-box protection are manually removed. Packages enable the importing and exporting of repository content, and the Package Manager can be used for configuring, building, downloading, installing and deleting packages on local AEM installations. This issue allows an unauthorized user to view and download packages.
When a Crowdsource member reports a 0-day, Detectify’s research team works with vendors for responsible disclosure within 45 days of reporting. Learn more about how Detectify handles this process.
This bug occurs when the default security controls are manually turned off on the Package Manager content tree, by default /etc/packages.

The Package Manager is reached by bypassing the dispatcher filter rules. The component responsible for this issue has previously been exploited using a single special character; this bypass takes a new approach and combines a large number of special characters.
Normal request:
Apply bypass to list the packages the user session has access to:
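The defensive check that follows is an added example written for this post, not Detectify's test module or any Adobe code. It parses a dispatcher-style /filter block (the two blocks are constructed samples, and the Package Manager paths are assumed typical values) and evaluates the rules in order with the last matching rule deciding, so an operator can see whether a weakened filter set leaves /etc/packages reachable before relying on the repository ACLs Adobe refers to.

```python
import fnmatch
import re

# Constructed sample: a filter set where an over-broad allow re-opens /etc/packages.
WEAK_FILTER = '''
/filter {
  /0001 { /type "deny"  /url "*" }
  /0002 { /type "allow" /url "/content*" }
  /0003 { /type "allow" /url "/etc*" }
}
'''

# Constructed sample: the same set with explicit denies for Package Manager paths.
HARDENED_FILTER = '''
/filter {
  /0001 { /type "deny"  /url "*" }
  /0002 { /type "allow" /url "/content*" }
  /0003 { /type "allow" /url "/etc/designs*" }
  /0004 { /type "deny"  /url "/etc/packages*" }
  /0005 { /type "deny"  /url "/crx/*" }
}
'''

# Matches the common "/NNNN { /type "allow|deny" /url "<glob>" }" rule form only.
RULE_RE = re.compile(r'/\d+\s*\{\s*/type\s+"(allow|deny)"\s+/url\s+"([^"]+)"\s*\}')

# Assumed representative paths an unauthenticated user should never reach.
PACKAGE_MANAGER_PATHS = [
    "/etc/packages/my_packages/site-content.zip",
    "/etc/packages.json",
    "/crx/packmgr/index.jsp",
]


def parse_filter(text):
    """Return the ordered list of (type, url_glob) rules found in a /filter block."""
    return RULE_RE.findall(text)


def is_allowed(rules, path):
    """Evaluate rules in order; the last rule whose glob matches the path decides.
    No match is treated as denied here (a conservative assumption for this checker)."""
    decision = False
    for rule_type, glob in rules:
        if fnmatch.fnmatchcase(path, glob):
            decision = (rule_type == "allow")
    return decision


def exposed_paths(filter_text, paths=PACKAGE_MANAGER_PATHS):
    """List the sensitive paths that the given filter set would let through."""
    rules = parse_filter(filter_text)
    return [p for p in paths if is_allowed(rules, p)]
```

Run exposed_paths() against your own dispatcher.any /filter block; an empty list means every listed path is denied by the filter, while a non-empty list names the paths to re-deny.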
Mitigation
03/25/2021 – Detectify informs Adobe about the undocumented issue. The specific installations that were found to be vulnerable were quickly remediated by switching the default security controls back on.
05/06/2021 – The test module for this security issue goes live for all Detectify customers.
The vendor then has 45 days to fix the issue before Detectify releases the security module that will be tested against customers’ web applications. If the vendor fixes the security vulnerability within these 45 days, Detectify releases the security test as soon as possible after the fix. Learn more about how Detectify handles this process.
You can follow the guidance provided by Adobe in this blog post to verify your AEM installation. Find out whether you are vulnerable to this issue, or to any other known security issues used to exploit AEM, by checking your web apps with Detectify.
Inside Detectify:
Detectify is a crowd-based web vulnerability scanner that goes beyond version and signature-testing. The testbed is payload-based and checks for actively exploited web vulnerabilities like Prototype Pollution, OWASP Top 10, undocumented vulns, CORS misconfigurations and more.
Curious to see what Detectify will find in your web apps? Sign up for a 2-week free trial today.
Into ethical hacking and want to join Crowdsource? Learn more on how you can earn recurring rewards while making the Internet safer with Detectify Crowdsource.