TYPO3-PSA-2020-001: Critical vulnerability in legacy versions of TYPO3 CMS

Categories: Development
It has been discovered that TYPO3 CMS is susceptible to sensitive information disclosure in previous TYPO3 versions which are not maintained by the community anymore.

TYPO3-EXT-SA-2020-014 addresses the same vulnerability - the functionality has been extracted back then during TYPO3 v7 development to extension mediace.

Problem Description

It has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains as described below.

  • TYPO3-CORE-SA-2020-007, CVE-2020-15099: Potential Privilege Escalation
    • the database server used for a TYPO3 installation must be accessible for an attacker (either via internet or shared hosting network)
    • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (7.5, high)
  • TYPO3-CORE-SA-2016-013, CVE-2016-5091: Insecure Deserialization & Remote Code Execution
    • an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation
    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (9.1, critical)

The overall severity of this vulnerability is critical (9.1) based on mentioned attack chains and the fact it does not require any privileges.

Due to the seriousness and ease of exploitation of this vulnerability and the still widespread use of TYPO3 6.2, we have decided to make this update available to all TYPO3 6.2 users, not just TYPO3 ELTS 6.2 customers.

Solution

Update to TYPO3 version 6.2.52 ELTS.

Outdated TYPO3 projects that are not covered by the ELTS release stream have to apply a patch file manually.

cd typo3_src
wget typo3.azureedge.net/typo3patches/typo3-psa-2020-001-6-2.patch
shasum -a 256 typo3-psa-2020-001-6-2.patch
# please verify SHA256 checksum as shown above

patch -p1 < typo3-psa-2020-001-6-2.patch
rm typo3-psa-2020-001-6-2.patch

 

Credits

Thanks to TYPO3 security team member Oliver Hader who reported and fixed the issue.
Thanks to TYPO3 GmbH team member Andreas Fernandez for providing the back-port to TYPO3 6.2.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security related code changes are tagged so that you can easily look them up in our review system.