Sunday, July 21, 2024

Security vulnerability in NSA training tool allowed unauthorized content modifications

Founded by President Harry Truman in 1952, the US National Security Agency is supposed to provide security by gathering intelligence, but what happens when it overlooks its own security?

A new report from Contrast Security Inc. today details just that: a security vulnerability found in SkillTree, an open-source NSA training platform maintained on GitHub. The vulnerability exposed systems to cross-site request forgery attacks, allowing attackers to modify training content without proper authorization.

SkillTree was launched in 2020 and at the time was presented as an internally developed open-source solution to gamify user training. The vulnerability allowed attackers to target logged-in administrators and modify training content such as videos, captions, and text without proper authorization.

The vulnerability was discovered through Contrast Security’s AutoAssess project and was found to be due to a lack of CSRF protections in SkillTree, particularly on endpoints that handle state-changing operations. CSRF protections are security measures that ensure requests made to a web application are legitimate and originate from the authenticated user; they are typically implemented using one-time tokens to prevent unauthorized state changes.

The vulnerability, tracked as CVE-2024-39326, was discovered on June 12 and rated as having a moderate severity. According to the report, an attack takes advantage of the absence of unique transaction tokens across multiple endpoints, leaving the platform susceptible to unauthorized state changes.

In one example, attackers can manipulate the “/admin/projects/{projectname}/skills/{skillname}/video” endpoint to alter training materials, compromising the integrity of the training content provided by SkillTree. The manipulation may include uploading unauthorized videos or changing subtitles and transcripts, which can lead to misinformation or disruption of the training process.

After identifying the vulnerability, Contrast Security informed the NSA maintainers, who subsequently released a patched version of SkillTree on July 2. The fix involved implementing Spring Security’s CSRF protection, which uses the CSRF Token pattern to prevent such attacks.
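To make the fix described above concrete, here is an added example (not SkillTree’s code, and not taken from the Contrast report) of a Spring Security 6 configuration for a servlet-based application, showing the weak setting beside the corrected one. The class, bean and endpoint names are illustrative assumptions; the page does not show SkillTree’s actual configuration.

```java
// Added example, not SkillTree's code. Assumes a Spring Boot servlet application on
// Spring Security 6; class and bean names are illustrative.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig {

    // WEAK: with CSRF disabled, every state-changing endpoint (POST/PUT/DELETE, for
    // example an admin route that updates training video metadata) accepts a request
    // that a third-party page caused the logged-in admin's browser to send, because the
    // session cookie is attached automatically. Shown for contrast only; @Bean left off
    // so it is never registered.
    // @Bean
    SecurityFilterChain weakChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .csrf(csrf -> csrf.disable())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    // CORRECTED: the synchronizer-token pattern. The server issues a per-session token,
    // the front end echoes it on every state-changing request, and Spring's CsrfFilter
    // rejects (HTTP 403) any POST/PUT/PATCH/DELETE whose token is missing or does not
    // match. A cross-site page cannot read the token, so it cannot forge a valid request.
    @Bean
    SecurityFilterChain hardenedChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .csrf(csrf -> csrf
                // Store the token in an XSRF-TOKEN cookie that the application's own
                // JavaScript may read and send back in the X-XSRF-TOKEN header.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // Compare the raw token value. This opts out of the XOR encoding the
                // default handler applies as a BREACH mitigation; keep the default
                // handler if responses are compressed and contain the token.
                .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler()))
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Two points a practitioner would check after enabling this: first, the filter only guards "unsafe" HTTP methods, so any endpoint that changes state on a GET remains unprotected and should be converted to POST/PUT/DELETE; second, server-rendered forms must include the token as a hidden `_csrf` field (Spring's form tag libraries do this automatically), while single-page front ends must send the `X-XSRF-TOKEN` header, otherwise legitimate requests will start failing with 403 rather than the attack being stopped.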

While the vulnerability can only be classified as medium severity, the failure of the US’s main international spy agency to get its security right highlights the growing risks associated with open-source projects on platforms like GitHub.

However, Contrast founder and CTO Jeff Williams notes in the report that “there’s no point in throwing stones at the NSA for this” since “we all live in glass houses.”

“Healthy security means you will find vulnerabilities and fix them,” Williams says. “This isn’t the story of a mistake. It’s the story of doing it right – using great tools and fixing problems quickly.”

Image: Pixabay
