Could the same vulnerability happen after 3 years ? Is this acceptable ? Are companies learning from our reports or are they just blindly fixing the issue without fixing the root cause and applying proactive measures to prevent them from happenning again ?
If you are still reading this I guess you already know the answer to those questions.
Playing with George
Back when I was working in Pentest Partners in 2020 I found a typical user add to organization issue on Grand Stream cloud as you can see in here caused by an IDOR. Fast forward to 2023. I was trying to explain to George, my 7 year old son what an IDOR is and what's the difference between authentication and authorization (yes I know too young for that, but he has a legacy to keep!) when I reused the same request :
POST /app/user/save HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
I could add any network id on the networkIds array and it would instantly make me an admin on that network. Imagine my suprise when this request worked again!
Back in 2020 it was mostly a data leak and a potential GDPR violation on this as you could leak ssh and WIFI psk of a lot of networks but you still needed physical proximity to get access to said networks.
This is no longer the case though. GWN new devices have VPN capabilities and router capabilities and as you can guess all of them are managed from GWN.cloud. This means that (under certain circumstances) you can access remote networks by connecting to their VPN server and having direct access to the remote network! (and all that with a simple IDOR).
We (me and my son) notified grandstream with a ticket on 30th of January 2023. Their response was :
Thank you for reporting this to us.
Please note that the case has been reported internally in order to be fixed. We will inform you once there is an update.
I chased again after 15 days and then after 45 days (today) my tickets was closed. After checking with grandstream they said:
Please note that the fix for this issue is included in the latest GWN Cloud version 220.127.116.11. Thanks.
So it was fixed but they neglected to inform me for it , which is ok as I guess.
How could this happen ?
The same vulnerability happenning after 3 years on the exact same product is in my humble opinion unacceptable as it means that you learn nothing from the previous vulnerability.
I believe that bugs and vulnerabilities are bound to happen and will happen to every system. Its how you react to them and the lessons you learned from them that distinct a great from a not so great company.
Grandstream answered and fixed the vulnerability in a timely manner, but I can safely assume that the next time a developer touches that code he might remove the authorization check and there will be no automated test catching that or any penetration testing done on the application.It is essential to conduct regular security testing and assessments, implement adequate security measures, and maintain vigilance to prevent vulnerabilities from persisting or resurfucing in any application.Considering that this is a company that sells networks equipment and firewalls this is not a great sign.
I could explain the release and maintenace cycle of software to my son and how to properly do it. As this was cloud as always no CVE was assigned.