Security

Security Bulletins

Sec19-01 CVE-2019-3465
Date: 12/04/19
Title: XML Signature Validation Bypass
Priority: 1
Severity: Important
Exploitability: 2 (Less Likely)

WorkBoard has learned of an important signature validation bypass vulnerability in the SimpleSAML package used by the Security Assertion Markup Language (SAML) handler in WorkBoard. Successful exploitation could result in unauthorized access to WorkBoard accounts.

The SimpleSAML package performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message.

Solution: WorkBoard implemented an upgrade to the SimpleSAML package. The upgrade was deployed within 24 hours (December 5 at 1pm PST).
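The bulletin does not describe the mechanism of the flaw, only that signatures in XML messages were validated incorrectly. The following is an added example, not WorkBoard's code and not code from the SimpleSAML package, showing one check that correct XML-signature validation in a SAML handler has to include: the <ds:Reference> of the enveloped signature must resolve to exactly the <saml:Assertion> the handler goes on to consume, and that element's digest must match. The sample response, element IDs ("r1", "a1", "a2") and subject names are constructed for the example. Canonicalisation is approximated with the standard library's C14N 2.0 writer (xml.etree.ElementTree.canonicalize, Python 3.8+), and the public-key check of <ds:SignatureValue> against the IdP certificate is out of scope here; a real verifier must still perform it.

```python
# Added example: bind the assertion a SAML handler consumes to the
# <ds:Reference> that the enveloped signature actually covers.
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
for _prefix, _uri in (("ds", DS), ("saml", SAML), ("samlp", SAMLP)):
    ET.register_namespace(_prefix, _uri)


def c14n_without_signature(elem):
    """Serialise `elem` minus its enveloped <ds:Signature> subtree.

    Stand-in for C14N plus the enveloped-signature transform. The same
    routine produces and verifies the digest, which is all the binding
    check below needs.
    """
    node = copy.deepcopy(elem)
    node.tail = None  # whitespace after the element is not part of it
    raw = ET.tostring(node, encoding="unicode")
    return ET.canonicalize(raw, exclude_tags={f"{{{DS}}}Signature"}).encode()


def digest_b64(elem):
    """SHA-256 digest of the element, base64-encoded like <ds:DigestValue>."""
    return base64.b64encode(hashlib.sha256(c14n_without_signature(elem)).digest()).decode()


def find_by_id(root, elem_id):
    """Resolve a same-document ID; duplicate IDs are ambiguous and resolve to nothing."""
    matches = [e for e in root.iter() if e.get("ID") == elem_id]
    return matches[0] if len(matches) == 1 else None


def reference_covers(consumed, root):
    """Return (ok, reason): does the enveloped signature's Reference cover `consumed`?"""
    sig = consumed.find(f"{{{DS}}}Signature")
    if sig is None:
        return False, "consumed assertion carries no enveloped signature"
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        return False, "expected exactly one Reference"
    uri = refs[0].get("URI", "")
    if not uri.startswith("#"):
        return False, "Reference must be a same-document ID reference"
    # Identity, not equality: the referenced node must be the very element we consume.
    if find_by_id(root, uri[1:]) is not consumed:
        return False, "Reference does not point at the consumed assertion"
    stated = (refs[0].findtext(f"{{{DS}}}DigestValue") or "").strip()
    if stated != digest_b64(consumed):
        return False, "DigestValue does not match the consumed assertion"
    return True, "Reference is bound to the consumed assertion"


# Constructed sample response (IDs and subject are made up for this example).
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" xmlns:ds="{ds}" ID="r1">
  <saml:Assertion ID="a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"><ds:DigestValue/></ds:Reference></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def build_response():
    """Parse the sample and fill in a correct DigestValue for assertion a1."""
    root = ET.fromstring(RESPONSE_TEMPLATE.format(samlp=SAMLP, saml=SAML, ds=DS))
    assertion = root.find(f"{{{SAML}}}Assertion")
    # The Signature subtree is excluded from the digest, so writing into it is stable.
    assertion.find(f".//{{{DS}}}DigestValue").text = digest_b64(assertion)
    return root


def check_valid():
    root = build_response()
    return reference_covers(root.find(f"{{{SAML}}}Assertion"), root)


def check_tampered():
    """Signed content edited after signing: the digest no longer matches."""
    root = build_response()
    a1 = root.find(f"{{{SAML}}}Assertion")
    a1.find(f".//{{{SAML}}}NameID").text = "admin"
    return reference_covers(a1, root)


def check_unbound_signature():
    """A second assertion (a2) carries a verbatim copy of a1's signature block and
    sits first in document order; a handler consuming it must see that the
    Reference still names #a1, i.e. the signature covers a different element."""
    root = build_response()
    a1 = root.find(f"{{{SAML}}}Assertion")
    a2 = copy.deepcopy(a1)
    a2.set("ID", "a2")
    a2.find(f".//{{{SAML}}}NameID").text = "admin"
    root.insert(0, a2)
    return reference_covers(a2, root)


if __name__ == "__main__":
    for name, fn in (("valid", check_valid), ("tampered", check_tampered),
                     ("unbound signature", check_unbound_signature)):
        print(f"{name}: {fn()}")
```

The three cases are the ones a handler has to get right: the well-formed response passes, an edited assertion fails on the digest, and an assertion that merely carries someone else's signature block fails on the Reference binding before the digest is even compared. Checking "a valid signature exists somewhere in the document" is not the same as checking that the signature covers the element whose NameID you are about to trust, and it is the second check that an upgrade of the signature library is meant to restore.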

Priority, Severity & Exploitability

The WorkBoard Priority Rating System is a guideline to help our customers in managed environments prioritize WorkBoard security updates. We base our priority rankings on historical attack patterns for the relevant product, the type of vulnerability, the platform(s) affected, and any potential mitigations that are in place.

The definitions of the priority ratings are:

Rating / Definition

Priority 1

This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. WorkBoard recommends administrators install the update as soon as possible (for example, within 72 hours).

Priority 2

This update resolves vulnerabilities in a product that has historically been at elevated risk. There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent. As a best practice, WorkBoard recommends administrators install the update soon (for example, within 30 days).

Priority 3

This update resolves vulnerabilities in a product that has historically not been a target for attackers. WorkBoard recommends administrators install the update at their discretion.

The WorkBoard Severity Rating System is a guideline to help our customers assess the security impact of known software vulnerabilities.

The definitions of the severity ratings are:

Rating / Definition

Critical

A vulnerability which, if exploited, would allow malicious native code to execute, potentially without the user being aware.

Important

A vulnerability which, if exploited, would compromise data security, potentially allowing access to confidential data, or could compromise processing resources on a user's computer.

Moderate

A vulnerability whose impact is limited to a significant degree by factors such as default configuration or auditing, or that is difficult to exploit.

WorkBoard developed the Exploitability Index in response to customer requests for additional information to further evaluate risk.

In those scenarios where multiple products are affected, for instance a vulnerability that affects both the WorkBoard Android app and iPhone app, the "latest software release" rating reflects the highest risk level across both products. In this case, if the Exploitability Assessment on the latest version of the Android app is "1," and on the latest version of the iPhone app is "2," the rating will reflect "1."

In both cases, the Exploitability Index uses one of four values to communicate to customers the likelihood of a vulnerability being exploited, based on the vulnerabilities addressed by the WorkBoard security update.

Exploitability Index assessment / Short definition

0

Exploitation Detected
WorkBoard is aware of an instance of this vulnerability being exploited. As such, customers who have reviewed the security update and determined its applicability within their environment should treat this with the highest priority.

1

Exploitation More Likely *
WorkBoard analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, WorkBoard is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created. As such, customers who have reviewed the security update and determined its applicability within their environment should treat this with a higher priority.

2

Exploitation Less Likely **
WorkBoard analysis has shown that while exploit code could be created, an attacker would likely have difficulty creating the code, requiring expertise and/or sophisticated timing, and/or varied results when targeting the affected product. Moreover, WorkBoard has not recently observed a trend of this type of vulnerability being actively exploited in the wild. This makes it a less attractive target for attackers. That said, customers who reviewed the security update and determined its applicability within their environment should still treat this as a material update. If they are prioritizing against other highly exploitable vulnerabilities, they could rank this lower in their deployment priority.

3

Exploitation Unlikely ***
WorkBoard analysis shows that successfully functioning exploit code is unlikely to be utilized in real attacks. This means that while it might be possible for exploit code to be released that could trigger the vulnerability and cause abnormal behavior, the full impact of exploitation will be more limited. Moreover, WorkBoard has not observed instances of this type of vulnerability being actively exploited in the past. Thus, the actual risk of being exploited from this vulnerability is significantly lower. Therefore, customers who have reviewed the security update to determine its applicability within their environment could prioritize this update below other vulnerabilities within a release.