On February 17, White Oak Security researchers Michael Rand and Talis Ozols publicly reported that Extensis Portfolio contains serious vulnerabilities, including an unpatched zero-day bug. The product, made by a US-based company, consists of a user-facing main content management application, a content hosting application, and an administrative portal.
During an independent penetration test, the researchers discovered an internet-exposed instance of the software that was still using its default administrator credentials. Digging deeper, the duo found they could obtain remote code execution (RCE) through an unrestricted file upload flaw.
This zero-day vulnerability was the first severe security issue White Oak Security uncovered. The pen testers then reviewed the source code of Extensis Portfolio version 3.6.3 and discovered a total of five vulnerabilities that needed to be addressed right away:
- CVE-2022-24251
- CVE-2022-24255
- CVE-2022-24252
- CVE-2022-24254
- CVE-2022-24253
At the time of writing, CVE numbers had been allocated and were on ‘reserved’ status. It’s unclear whether any of these flaws are being exploited in the wild.
In vulnerability disclosure, several cybersecurity organizations give vendors a 90-day window to assess and patch vulnerabilities after they are reported. Details of the flaws are then made public, though with redactions, to push companies to repair security problems in their software as quickly as possible. In White Oak Security’s case, however, coordinated disclosure appears to have been challenging.
The researchers attempted to contact the vendor via online forms, sales channels, and social media throughout August 2021, only to be promised a security contact who never materialized. White Oak Security was told that Extensis could not be contacted “without an active contractual service agreement.” The researchers say they were unable to reach the vendor until September 29, and then only through a client contact.
According to the researchers’ disclosure timeline, Extensis confirmed receipt of the report and advised the team to test Portfolio Server v4.0.0, since some patches had been published after v3.6.3. Things grew murky after that. After requesting more information from the vendor about the changes, White Oak Security determined that the original RCE vulnerability was still unpatched in v4.0.0.
As of February 17, the researchers state that Extensis “has not provided White Oak Security any indication that these vulnerabilities will be fixed.”