2024: Security Advisory: Device registration susceptible to compromise

Summary	It has been identified that under specific situations; the registration process of uniFLOW Online apps can be compromised when email login is enabled on the tenant.
Advisory release date	Jun 10, 2024
Product	uniFLOW Online
CVE	CVE-2024-1621

Summary of Vulnerability

As of this advisory the vulnerability can no longer be actively exploited having been addressed in the April 2024 release.

While the vulnerability has been addressed it is theoretically possible users could have had apps registered against their account by a malicious actor. This would provide the malicious user with similar access and capabilities via the app to that of the affected user.

The issue is only impacting customers that are utilising Email Login in combination with Microsoft Safe Links or similar. Safe Links is a security module within the Microsoft ATP Advanced Threat Protection (now Microsoft Defender or Office 365) or a similar hyperlink analysis solution.

Affected uniFLOW Online apps

uniFLOW SmartClient: uniFLOW Online desktop application, Windows and Mac.
Mobile Application: uniFLOW Online Print and Scan app for iOS and Android application.
Chrome Extension: uniFLOW Online Chrome browser plugin.

Severity

Likelihood: Very Low

Impact: High

CVSS 3.1 Base Score	8.2
CVSS 3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
CVSS 4.0 Base Score	8.3
CVSS 4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

While the CVSS score is high the overall likelihood is considered low with no known indications of exploitation in the wild.

Affected Versions

Product	Affected versions
uniFLOW Online	Releases prior to and including 2024.1.0 15th April 2024

Fixed Versions

Product

Fix versions

uniFLOW Online

Root Cause Fix

Release version: 2024.1.1
- Released mid April 2024.

Re-registration Process

Included in release version: 2024.2.1
- Release date Jul 1, 2024
- Re-registration process week commencing Jul 8, 2024

What You Need to Do

To be 100% confident there are no unauthorised registration of malicious users the following remediation plan will be actioned.

With the release of 2024.2.1 we will communicate to all tenant admins by email and via the uniFLOW Online notification widget. This communication will provide instructions to tenant admins on how to inform their users and provide steps to verify app connections or revoke any that are old or unknown.
On the 1st of September NT-ware will force a revocation of any user's apps that have not been reviewed and verified in step 1.
1. In this case users will need to re-register the app on their device as defined in the manual. The app will automatically prompt the user to register the next time it is started. Registration can be completed in under a minute and will be a minor disruption but a necessary validation that all apps are correctly registered.

Note: If your tenant admin does not receive an email and there is no notification within the uniFLOW Online notification widget then your tenant is not affected, and this security advisory can be disregarded.

Mitigation

This issue has already been addressed and is no longer exploitable.

With privacy and security our highest concern NT-ware will not disclose the details of the exploit until after the September 1st.

Support

If you have further questions, please contact your Canon / Canon Business Partner representative.