2024: Security Advisory: Device registration susceptible to compromise
Summary | It has been identified that, in specific situations, the registration process of uniFLOW Online apps can be compromised when email login is enabled on the tenant. |
Advisory release date | Jun 10, 2024 |
Product | uniFLOW Online |
CVE | CVE-2024-1621 |
Summary of Vulnerability
As of this advisory, the vulnerability can no longer be actively exploited, having been addressed in the April 2024 release.
While the vulnerability has been addressed, it is theoretically possible that users could have had apps registered against their account by a malicious actor. This would give the malicious user similar access and capabilities via the app to those of the affected user.
The issue only affects customers using Email Login in combination with Microsoft Safe Links or a similar hyperlink analysis solution. Safe Links is a security module within Microsoft ATP (Advanced Threat Protection), now Microsoft Defender for Office 365.
Affected uniFLOW Online apps
uniFLOW SmartClient: uniFLOW Online desktop application, Windows and Mac.
Mobile Application: uniFLOW Online Print and Scan app for iOS and Android.
Chrome Extension: uniFLOW Online Chrome browser plugin.
Severity
Likelihood: Very Low
Impact: High
CVSS 3.1 Base Score | 8.2 |
CVSS 3.1 Vector | |
CVSS 4.0 Base Score | 8.3 |
CVSS 4.0 Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N |
While the CVSS score is high, the overall likelihood is considered low, with no known indications of exploitation in the wild.
Affected Versions
Product | Affected versions |
uniFLOW Online | |
Fixed Versions
Product | Fix versions |
uniFLOW Online | Root Cause Fix; Re-registration Process |
What You Need to Do
To be 100% confident that there are no unauthorised registrations by malicious users, the following remediation plan will be actioned.
1. With the release of 2024.2.1, we will communicate to all tenant admins by email and via the uniFLOW Online notification widget. This communication will provide tenant admins with instructions on how to inform their users, and with steps to verify app connections or revoke any that are old or unknown.
2. On the 1st of September, NT-ware will force a revocation of any user's apps that have not been reviewed and verified in step 1.
In this case, users will need to re-register the app on their device as described in the manual. The app will automatically prompt the user to register the next time it is started. Registration can be completed in under a minute; it will be a minor disruption, but a necessary validation that all apps are correctly registered.
Note: If your tenant admin does not receive an email and there is no notification within the uniFLOW Online notification widget, then your tenant is not affected and this security advisory can be disregarded.
Mitigation
This issue has already been addressed and is no longer exploitable as of the fix version 2024.1.1 listed above.
With privacy and security as our highest concern, NT-ware will not disclose the details of the exploit until after September 1st.
Updated: Sep 11, 2024
Exploit details (Not seen in the wild).
When a user registers an endpoint, for example their mobile device, uniFLOW Online sends a confirmation email with a clickable link. Prior to 2024.1.1, this link was not protected by a CAPTCHA mechanism. NT-ware discovered that advanced threat protection systems could follow this link, resulting in a verified connection that might not have been made by the intended user.
Proof of concept:
1. A malicious actor registers a device with the victim's email address. This is done at a weekend or at night, hoping the user is not watching their email.
2. Microsoft Defender (or a similar service) with Safe Links inspects the email and 'clicks' the link to check that it is safe.
3. uniFLOW Online registers the click as confirmation and links the device to the victim's account.
4. Later, the user will still see the email but could ignore or delete it, realising this was not them.
5. If they take no action, the malicious actor is now linked to the victim's account.
This was never seen in the field or reported as a detected exploit. It was identified during unrelated investigations, and the connection to this potential exploit was made then.
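The flaw described above is a confirmation link whose GET request was itself the confirmation, so a link scanner's automated fetch counted as the user's click. The Python below is an added example, not NT-ware's code, and assumes nothing about how uniFLOW Online is actually implemented: it places that pre-fix handler beside a hardened one in which the GET is read-only and the registration is only completed by a POST carrying a page-bound nonce and a solved human challenge (a stand-in for the CAPTCHA the fix introduced), and it adds a review helper for the admin verification step described under "What You Need to Do", flagging registrations confirmed faster than a person could plausibly have opened the mail. The simulated link scanner, the host name, the token lifetime and the five-second threshold are all constructed for the demo.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

TOKEN_TTL = 15 * 60        # assumed policy: emailed links expire after 15 minutes
FAST_CONFIRM_SECONDS = 5   # review heuristic: a person rarely opens mail and clicks within 5 s


@dataclass
class Registration:
    user: str
    device: str
    created: float
    confirmed_at: Optional[float] = None   # None until the registration is confirmed
    nonce: Optional[str] = None            # issued only when the confirmation page is rendered


def token_from(url: str) -> Optional[str]:
    return parse_qs(urlsplit(url).query).get("token", [None])[0]


def challenge_passed(answer: str) -> bool:
    return answer == "human"   # stand-in for a real CAPTCHA verifier (assumption)


class RegistrationService:
    def __init__(self, clock: Callable[[], float]):
        self.clock = clock
        self.pending: dict[str, Registration] = {}

    def start(self, user: str, device: str) -> str:
        token = secrets.token_urlsafe(24)
        self.pending[token] = Registration(user, device, self.clock())
        return f"https://uniflow.example/confirm?token={token}"   # link that would be emailed

    def _live(self, token: Optional[str]) -> Optional[Registration]:
        reg = self.pending.get(token or "")
        if reg is None or reg.confirmed_at is not None or self.clock() - reg.created > TOKEN_TTL:
            return None   # unknown, already confirmed, or expired
        return reg

    # Pre-fix pattern: the GET itself is the state change, so any fetcher confirms.
    def get_vulnerable(self, url: str) -> int:
        reg = self._live(token_from(url))
        if reg is None:
            return 404
        reg.confirmed_at = self.clock()
        return 200

    # Hardened pattern: GET is read-only; it renders a form carrying the token and a fresh nonce.
    def get_hardened(self, url: str) -> tuple[int, dict]:
        token = token_from(url)
        reg = self._live(token)
        if reg is None:
            return 404, {}
        reg.nonce = secrets.token_urlsafe(16)
        return 200, {"token": token, "nonce": reg.nonce}   # the form's hidden fields

    # Only a POST with the page's nonce and a solved challenge completes the registration.
    def post_hardened(self, token: str, nonce: str, challenge: str) -> int:
        reg = self._live(token)
        if reg is None or reg.nonce is None:
            return 404
        if not secrets.compare_digest(nonce, reg.nonce) or not challenge_passed(challenge):
            return 403
        reg.confirmed_at = self.clock()
        return 200

    # Review aid for admins: confirmations that landed faster than a person plausibly could.
    def suspicious_confirmations(self) -> list[Registration]:
        return [r for r in self.pending.values() if r.confirmed_at is not None
                and r.confirmed_at - r.created < FAST_CONFIRM_SECONDS]


def link_scanner(email_body: str, fetch: Callable[[str], object]) -> None:
    """Models a URL-reputation scanner: GETs every link in the mail, never submits forms."""
    for url in re.findall(r"https?://\S+", email_body):
        fetch(url)


def demo() -> dict:
    now = [1_700_000_000.0]                         # controllable clock
    svc = RegistrationService(lambda: now[0])
    vuln = svc.start("victim@example.com", "phone registered by a third party")
    hard = svc.start("victim@example.com", "user's own laptop")
    now[0] += 2                                     # the scanner inspects the mail at once
    link_scanner(f"Confirm your device: {vuln}", svc.get_vulnerable)
    link_scanner(f"Confirm your device: {hard}", svc.get_hardened)
    out = {"vuln_confirmed_by_scanner": svc.pending[token_from(vuln)].confirmed_at is not None,
           "hard_confirmed_by_scanner": svc.pending[token_from(hard)].confirmed_at is not None}
    now[0] += 600                                   # the user opens the mail later and clicks
    _, page = svc.get_hardened(hard)
    out["forged_nonce"] = svc.post_hardened(page["token"], "forged", "human")
    out["user_confirm"] = svc.post_hardened(page["token"], page["nonce"], "human")
    out["flagged_for_review"] = [r.device for r in svc.suspicious_confirmations()]
    return out
```

Calling demo() shows the scanner's fetch confirming the pre-fix registration while leaving the hardened one pending, the real user completing it only with the nonce from the rendered page, and the scanner-confirmed entry being the one the review helper flags. The nonce stops a cached or replayed form from confirming, the expiry bounds how long an unused link stays live, and the time-to-confirm threshold is a triage heuristic for the admin review rather than a rule from this advisory.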
Support
If you have further questions, please contact your Canon / Canon Business Partner representative.