Pentest do not take the disclosure of vulnerabilities which impact schools, teachers, children, and their parents lightly. That is especially true when no patches will be released to address them. Unfortunately, that is the case here, which has made this disclosure timeline one of our longer ones.
Our tale began in late April 2020 at one of our “Hackathon” events. On that occasion, one team chose to focus on School management and e-Learning software. The Covid-19 pandemic was starting out and remote learning was being embraced rapidly. The team wanted to help ensure that this was being done securely. A brief search found Fedena as an open-source target and some time was scheduled to examine it.
Unfortunately, significant vulnerabilities were relatively easy to locate and exploit.
No patches will be created to address the vulnerabilities outlined above, because the open-source version of Fedena is no longer supported. Pentest’s number one recommendation is to migrate to a supported product as soon as possible; migration is the ideal strategy.
The root cause of the two critical-risk vulnerabilities is that the server-side secret is shared between all deployments. It is possible to reduce the risks by:
1. stopping the Fedena application server
2. altering the secret (using a securely generated random string); and
3. starting the server again.
Doing so will mitigate both the authentication bypass and RCE vulnerabilities. In effect that would reduce the threat profile to legitimate users of Fedena.
However, it is crucial to point out that all the other vulnerabilities would remain exploitable; the difference is that only registered users could exploit them. That reduces the threat profile but does not remove all risks.
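To show why step 2 above mitigates the authentication bypass, here is an added Ruby example (not Fedena’s code and not part of the original advisory) that models a signed session cookie checked against a server-side secret. The secret value, the cookie format and the payload are all constructed for illustration; the real shared Fedena secret is deliberately not reproduced. A cookie minted under the shared default verifies for as long as that default is in use, and stops verifying the moment the server is restarted with a freshly generated random secret. The same block shows one way to generate that replacement secret with `SecureRandom`.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Constructed placeholder standing in for a secret that ships identically in
# every deployment. The real Fedena value is intentionally not reproduced here.
SHARED_DEFAULT_SECRET = 'placeholder-secret-shared-by-every-install'.freeze

# Mint a signed cookie: base64(payload) followed by an HMAC over that string.
# This mirrors the general shape of a cookie-store session, simplified.
def sign_cookie(payload, secret)
  data = Base64.strict_encode64(payload)
  mac  = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, data)
  "#{data}--#{mac}"
end

# Constant-time comparison so MAC checking does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Return the payload if the cookie's MAC verifies under `secret`, otherwise nil.
def verify_cookie(cookie, secret)
  data, mac = cookie.split('--', 2)
  return nil if data.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, data)
  return nil unless secure_compare(expected, mac)
  Base64.strict_decode64(data)
rescue ArgumentError
  nil # malformed base64 is treated as an invalid cookie
end

# Step 2 of the mitigation: a fresh, securely generated random secret.
# 64 random bytes rendered as 128 hex characters.
def generate_secret
  SecureRandom.hex(64)
end

# Effect of rotation: a cookie minted under the shared default is accepted
# while the default is still in use and rejected once the secret changes.
def rotation_demo
  session = 'user_id=1;role=admin' # constructed sample payload
  cookie  = sign_cookie(session, SHARED_DEFAULT_SECRET)
  before  = verify_cookie(cookie, SHARED_DEFAULT_SECRET)
  after   = verify_cookie(cookie, generate_secret)
  { accepted_before_rotation: !before.nil?, accepted_after_rotation: !after.nil? }
end

if __FILE__ == $PROGRAM_NAME
  puts rotation_demo.inspect
end
```

Rotating the secret also invalidates every legitimate session, which is why the server must be stopped before the change and started afterwards; users simply log in again. Where the new secret is written depends on the application’s configuration file, which this example does not assume.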
If possible, protect vulnerable Fedena 2.3 installations using network segregation and/or VPN controls. Explicitly, this means removing the application from the Internet and providing remote access to it over secure channels. This strategy would significantly reduce the risks.
Unfortunately, doing this is complex and may cause usability issues for remote students and parents. Schools do not control the availability of IT equipment or expertise at home, so a VPN would effectively exclude some users, which is not workable.
It is also possible to reduce the risk by configuring a web application firewall or other detection solution to recognise the highlighted risks. However, Pentest Ltd believe that this too would be an incomplete solution.
The following table lists our assessment of the applicability of this approach: