===================================================================== CERT-Renater Note d'Information No. 2024/VULN110 _____________________________________________________________________ DATE : 12/03/2024 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running TYPO3 CMS versions prior to 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1. ===================================================================== https://typo3.org/security/advisory/typo3-core-sa-2024-001 https://typo3.org/security/advisory/typo3-core-sa-2024-002 https://typo3.org/security/advisory/typo3-core-sa-2024-003 https://typo3.org/security/advisory/typo3-core-sa-2024-004 https://typo3.org/security/advisory/typo3-core-sa-2024-005 https://typo3.org/security/advisory/typo3-core-sa-2024-006 _____________________________________________________________________ TYPO3-CORE-SA-2024-001: Path Traversal in TYPO3 File Abstraction Layer Storages Categories: Development, TYPO3 CMS Created by Oliver Hader It has been discovered that TYPO3 CMS is susceptible to path traversal. Component Type: TYPO3 CMS Subcomponent: File Abstraction Layer (ext:core) Release Date: February 13, 2024 Vulnerability Type: Path Traversal Affected Versions: 8.0.0-8.7.56, 9.0.0-9.5.45, 10.0.0-10.4.42, 11.0.0-11.5.34, 12.0.0-12.4.10, 13.0.0 Severity: Medium Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O/RC:C References: CVE-2023-30451, CWE-22 Problem Description Configurable storages using the local driver of the File Abstraction Layer (FAL) could be configured to access directories outside of the root directory of the corresponding project. The system setting in BE/lockRootPath was not evaluated by the file abstraction layer component. An administrator-level backend user account is required to exploit this vulnerability. Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. Strong security defaults - Manual actions required see Important: #102800 changelog Assuming that a web project is located in the directory /var/www/example.org (the "project root path" for Composer-based projects) and the publicly accessible directory is located at /var/www/example.org/public (the "public root path"), accessing resources via the File Abstraction Layer component is limited to the mentioned directories. To grant additional access to directories, they must be explicitly configured in the system settings of $GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath'] - either using the Install Tool or according to deployment techniques. The existing setting has been extended to support multiple directories configured as an array of strings. Example: $GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath'] = [ ‘/var/shared/documents/’, ‘/var/shared/images/’, ]; Storages that reference directories not explicitly granted will be marked as "offline" internally - no resources can be used in the website's frontend and backend context. Credits Thanks to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue. General Advice Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list. General Note All security-related code changes are tagged so you can easily look them up in our review system. _____________________________________________________________________ TYPO3-CORE-SA-2024-002: Code Execution in TYPO3 Install Tool Categories: Development, TYPO3 CMS Created by Oliver Hader It has been discovered that TYPO3 CMS is vulnerable to code execution. Component Type: TYPO3 CMS Subcomponent: Install Tool (ext:install) Release Date: February 13, 2024 Vulnerability Type: Code Execution Affected Versions: 8.0.0-8.7.56, 9.0.0-9.5.45, 10.0.0-10.4.42, 11.0.0-11.5.34, 12.0.0-12.4.10, 13.0.0 Severity: Medium Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C References: CVE-2024-22188, CWE-94 Problem Description Several settings in the Install Tool for configuring the path to system binaries were vulnerable to code execution. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions. The corresponding change for this advisory involves enforcing the known disadvantages described in TYPO3-PSA-2020-002: Protecting Install Tool with Sudo Mode. Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. Credits Thanks to Rickmer Frier & Daniel Jonka who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue. General Advice Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list. General Note All security-related code changes are tagged so you can easily look them up in our review system. _____________________________________________________________________ TYPO3-CORE-SA-2024-003: Information Disclosure of Hashed Passwords in TYPO3 Backend Forms Categories: Development, TYPO3 CMS Created by Oliver Hader It has been discovered that TYPO3 CMS is susceptible to information disclosure. Component Type: TYPO3 CMS Subcomponent: Form Engine (ext:backend) Release Date: February 13, 2024 Vulnerability Type: Information Disclosure Affected Versions: 8.0.0-8.7.56, 9.0.0-9.5.45, 10.0.0-10.4.42, 11.0.0-11.5.34, 12.0.0-12.4.10, 13.0.0 Severity: Medium Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C References: CVE-2024-25118, CWE-200 Problem Description Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this vulnerability requires a valid backend user account having access to password input fields. Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. Credits Thanks to the TYPO3 framework merger Christian Kuhn and external security researchers Maximilian Beckmann, Klaus-Günther Schmidt who reported this issue, and TYPO3 security team member Oliver Hader who fixed the issue. General Advice Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list. General Note All security-related code changes are tagged so you can easily look them up in our review system. _____________________________________________________________________ TYPO3-CORE-SA-2024-004: Information Disclosure of Encryption Key in TYPO3 Install Tool Categories: Development, TYPO3 CMS Created by Oliver Hader It has been discovered that TYPO3 CMS is susceptible to information disclosure. Component Type: TYPO3 CMS Subcomponent: Install Tool (ext:install) Release Date: February 13, 2024 Vulnerability Type: Information Disclosure Affected Versions: 8.0.0-8.7.56, 9.0.0-9.5.45, 10.0.0-10.4.42, 11.0.0-11.5.34, 12.0.0-12.4.10, 13.0.0 Severity: Medium Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C References: CVE-2024-25119, CWE-200 Problem Description The plaintext value of $GLOBALS['SYS']['encryptionKey'] was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to utilize the value to generate cryptographic hashes used for verifying the authenticity of HTTP request parameters. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions. Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. Credits Thanks to TYPO3 core & security team member Benjamin Franzke who fixed the issue. General Advice Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list. General Note All security-related code changes are tagged so you can easily look them up in our review system. _____________________________________________________________________ TYPO3-CORE-SA-2024-005: Improper Access Control of Resources Referenced by t3:// URI Scheme Categories: Development, TYPO3 CMS Created by Oliver Hader It has been discovered that TYPO3 CMS is susceptible to information disclosure. Component Type: TYPO3 CMS Subcomponent: Link Handler (ext:core, ext:backend, ext:filelist) Release Date: February 13, 2024 Vulnerability Type: Information Disclosure Affected Versions: 8.0.0-8.7.56, 9.0.0-9.5.45, 10.0.0-10.4.42, 11.0.0-11.5.34, 12.0.0-12.4.10, 13.0.0 Severity: Medium Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C References: CVE-2024-25120, CWE-200, CWE-284 Problem Description The TYPO3-specific t3:// URI scheme could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling configuration was provided). Exploiting this vulnerability requires a valid backend user account. Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. Credits Thanks to Richie Lee who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue. General Advice Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list. General Note All security-related code changes are tagged so you can easily look them up in our review system. _____________________________________________________________________ TYPO3-CORE-SA-2024-006: Improper Access Control Persisting File Abstraction Layer Entities via Data Handler Categories: Development, TYPO3 CMS Created by Oliver Hader It has been discovered that TYPO3 CMS is susceptible to information disclosure. Component Type: TYPO3 CMS Subcomponent: Data Handler (ext:core) Release Date: February 13, 2024 Vulnerability Type: Information Disclosure Affected Versions: 8.0.0-8.7.56, 9.0.0-9.5.45, 10.0.0-10.4.42, 11.0.0-11.5.34, 12.0.0-12.4.10, 13.0.0 Severity: Medium Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O/RC:C References: CVE-2024-25121, CWE-200, CWE-284 Problem Description Entities of the File Abstraction Layer (FAL) could be persisted directly via DataHandler. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage") is used as a backward compatibility layer for files located outside properly configured file storages and within the public web root directory. Exploiting this vulnerability requires a valid backend user account. Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. Strong security defaults - Manual actions required When persisting entities of the File Abstraction Layer directly via DataHandler, sys_file entities are now denied by default, and sys_file_reference & sys_file_metadata entities are not permitted to reference files in the fallback storage anymore. When importing data from secure origins, this must be explicitly enabled in the corresponding DataHandler instance by using $dataHandler->isImporting = true;. Credits Thanks to TYPO3 core & security team member Oliver Hader who reported and fixed the issue. General Advice Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list. General Note All security-related code changes are tagged so you can easily look them up in our review system. ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================