2024: Security Advisory: Device registration susceptible to compromise

Summary

It has been identified that, under specific conditions, the registration process of uniFLOW Online apps can be compromised when email login is enabled on the tenant.

Advisory release date

Jun 10, 2024

Product

uniFLOW Online

CVE

CVE-2024-1621

Summary of Vulnerability

As of this advisory, the vulnerability can no longer be actively exploited, having been addressed in the April 2024 release.

While the vulnerability has been addressed, it is theoretically possible that users could have had apps registered against their account by a malicious actor. This would give the malicious user, via the app, access and capabilities similar to those of the affected user.

The issue only affects customers that use Email Login in combination with Microsoft Safe Links or a similar hyperlink analysis solution. Safe Links is a security module within Microsoft Advanced Threat Protection (ATP), now Microsoft Defender for Office 365.

Affected uniFLOW Online apps

  • uniFLOW SmartClient: uniFLOW Online desktop application for Windows and Mac.

  • Mobile Application: uniFLOW Online Print and Scan app for iOS and Android.

  • Chrome Extension: uniFLOW Online Chrome browser plugin.

Severity

Likelihood: Very Low

Impact: High

CVSS 3.1 Base Score

8.2

CVSS 3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

CVSS 4.0 Base Score

8.3

CVSS 4.0 Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

While the CVSS score is high, the overall likelihood is considered low, with no known indications of exploitation in the wild.

Affected Versions

Product: uniFLOW Online

Affected versions:

  • Releases prior to and including 2024.1.0

    • 15th April 2024

Fixed Versions

Product: uniFLOW Online

Fix versions:

Root Cause Fix

  • Release version: 2024.1.1

    • Released mid April 2024.

Re-registration Process

  • Included in release version: 2024.2.1

    • Release date Jul 1, 2024

    • Re-registration process week commencing Jul 8, 2024

What You Need to Do

To be 100% confident that there are no unauthorised registrations by malicious users, the following remediation plan will be actioned.

  1. With the release of 2024.2.1 we will communicate with all tenant admins by email and via the uniFLOW Online notification widget. This communication will provide tenant admins with instructions on how to inform their users, together with steps to verify app connections or revoke any that are old or unknown.

  2. On the 1st of September, NT-ware will force a revocation of any user's apps that have not been reviewed and verified in step 1.

    1. In this case, users will need to re-register the app on their device as described in the manual. The app will automatically prompt the user to register the next time it is started. Registration can be completed in under a minute; it will be a minor disruption but a necessary validation that all apps are correctly registered.

Note: If your tenant admin does not receive an email and there is no notification in the uniFLOW Online notification widget, then your tenant is not affected and this security advisory can be disregarded.

Mitigation

This issue has already been addressed and is no longer exploitable from version 2024.1.1, listed above.

With privacy and security our highest concern, NT-ware will not disclose the details of the exploit until after September 1st.

Updated: Sep 11, 2024

Exploit details (Not seen in the wild).

When a user registers an endpoint, for example their mobile device, uniFLOW Online sends a confirmation email with a clickable link. Prior to 2024.1.1 this link was not protected by a CAPTCHA mechanism. NT-ware discovered that advanced threat protection systems could follow this link, resulting in a verified connection that might not have been initiated by the intended user.
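The weakness described above is a general one: a link that completes a state change on a plain GET is confirmed by whatever fetches it, and mail-security products fetch links. The following is an added example, not NT-ware or uniFLOW Online code, of a toy registration service in two modes: the pre-fix behaviour, where the GET alone confirms, and a hardened flow where the GET is side-effect free and the confirmation requires an explicit POST from a browser session logged in as the address being registered (the advisory mentions CAPTCHA as the vendor's protection; the authenticated POST here is a substitute design, not the vendor's fix). The service, the placeholder URL host and all addresses are constructed for illustration.

```python
# Added example (not NT-ware or uniFLOW Online code): a toy device-registration
# service that can run in the vulnerable mode (GET confirms) or a hardened mode
# (GET renders a form, only an authenticated POST confirms). Everything here,
# including the URL host and addresses, is constructed for illustration.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PendingRegistration:
    email: str
    device: str
    confirmed: bool = False


class RegistrationService:
    def __init__(self, require_post: bool) -> None:
        # require_post=False reproduces the pre-fix behaviour described above;
        # require_post=True is the hardened flow (an assumption, not the vendor's fix).
        self.require_post = require_post
        self.pending: Dict[str, PendingRegistration] = {}

    def register(self, email: str, device: str) -> str:
        # Anyone who knows an address can start a registration; the emailed
        # link is what is supposed to prove that the mailbox owner agreed.
        token = secrets.token_urlsafe(32)
        self.pending[token] = PendingRegistration(email, device)
        return f"https://example.invalid/confirm?t={token}"  # placeholder host

    def handle(self, method: str, token: str,
               session_email: Optional[str] = None) -> str:
        reg = self.pending.get(token)
        if reg is None:
            return "unknown token"
        if not self.require_post:
            # Vulnerable: any GET of the link confirms, whether a person or an
            # automated link checker issued it.
            reg.confirmed = True
            return "confirmed"
        if method == "GET":
            # Hardened: GET has no side effect and only renders a confirm form.
            return "render confirm form"
        if method == "POST" and session_email == reg.email:
            # The state change requires a deliberate submit from a session that
            # is authenticated as the address being registered.
            reg.confirmed = True
            return "confirmed"
        return "rejected"


def token_from(url: str) -> str:
    return url.split("t=", 1)[1]


def link_scanner_fetch(service: RegistrationService, url: str) -> str:
    # Models an email-security product that fetches every link it sees with a GET.
    return service.handle("GET", token_from(url))


def scanner_alone_confirms(require_post: bool) -> bool:
    # Constructed scenario: a registration is started with someone else's address
    # and the only thing that ever touches the link is the mail scanner.
    svc = RegistrationService(require_post)
    url = svc.register("victim@example.invalid", "unknown-phone")
    link_scanner_fetch(svc, url)
    return svc.pending[token_from(url)].confirmed


def genuine_user_confirms() -> bool:
    # Hardened mode still works for the real user: open the link, then submit
    # the form while logged in as that address.
    svc = RegistrationService(require_post=True)
    url = svc.register("alice@example.invalid", "alice-laptop")
    tok = token_from(url)
    svc.handle("GET", tok)
    return svc.handle("POST", tok, session_email="alice@example.invalid") == "confirmed"


if __name__ == "__main__":
    print("vulnerable flow, scanner confirmed:", scanner_alone_confirms(False))
    print("hardened flow, scanner confirmed:  ", scanner_alone_confirms(True))
    print("hardened flow, real user confirmed:", genuine_user_confirms())
```

The design point is that the confirmation must be something a link checker will not do on its own: a form submission tied to a logged-in session (as here), a CAPTCHA (as the advisory describes), or both. The session check also closes the other half of the problem, since a registration started with someone else's address can then only be completed by that person.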

Proof of concept:

  • A malicious actor registers a device with the victim's email address. This is done on a weekend or at night, hoping the user is not watching their email.

  • Microsoft Defender (or a similar service) with Safe Links inspects the email and 'clicks' the link to check that it is safe.

  • uniFLOW Online registers the click as confirmation and links the device to the victim’s account.

  • Later the user will still see the email but could ignore or delete it, realising this was not them.

    • If they take no action, the malicious actor is now linked to the victim’s account.

This was never seen in the field or reported as a detected exploit. It was identified during unrelated investigations, and the connection to this potential exploit was made from there.
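In the sequence above, the tell-tale difference between a scanner confirmation and a human one is timing: an automated link check follows the link within seconds of the email being sent, whereas a person takes longer. As an added example, not NT-ware code, the script below applies that heuristic to an audit trail of registration and confirmation events to produce a shortlist for the review step described in the remediation plan; it also notes when the confirming client address differs from the one that started the registration. The log format, field names, addresses and the 60-second threshold are all constructed assumptions and would need mapping onto whatever your own audit export contains.

```python
# Added example (not NT-ware code): triage heuristic over a registration audit
# trail. Flags registrations confirmed within seconds of the email being sent,
# which is typical of an automated link check rather than a person. The log
# format, field names, addresses and threshold are constructed assumptions.
from datetime import datetime
from typing import Dict, List

# Constructed sample audit lines (not real uniFLOW Online output).
SAMPLE_LOG = """\
2024-03-02T01:13:40Z event=register email=victim@example.invalid device=mobile token=a1 src=203.0.113.10
2024-03-02T01:13:42Z event=confirm token=a1 src=198.51.100.7
2024-03-03T09:00:00Z event=register email=alice@example.invalid device=smartclient token=b2 src=192.0.2.5
2024-03-03T09:06:30Z event=confirm token=b2 src=192.0.2.5
2024-03-04T17:20:00Z event=register email=bob@example.invalid device=chrome token=c3 src=192.0.2.9
"""

FAST_CONFIRM_SECONDS = 60  # assumption: tune to how quickly your users really respond
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str) -> Dict[str, str]:
    # First field is the timestamp; the rest are key=value pairs.
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields


def flag_suspicious_confirmations(log_text: str) -> List[Dict[str, object]]:
    registrations: Dict[str, Dict[str, str]] = {}
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["event"] == "register":
            registrations[ev["token"]] = ev
        elif ev["event"] == "confirm":
            reg = registrations.get(ev["token"])
            if reg is None:
                continue  # confirmation with no matching registration: out of scope here
            t_reg = datetime.strptime(reg["ts"], TS_FORMAT)
            t_conf = datetime.strptime(ev["ts"], TS_FORMAT)
            latency = (t_conf - t_reg).total_seconds()
            if latency < FAST_CONFIRM_SECONDS:
                findings.append({
                    "token": ev["token"],
                    "email": reg["email"],
                    "device": reg["device"],
                    "latency_s": latency,
                    # A different client address on the confirm is a weaker,
                    # secondary signal; mail clients legitimately differ too.
                    "src_changed": reg["src"] != ev["src"],
                })
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_confirmations(SAMPLE_LOG):
        print(f"review {f['email']} ({f['device']}): confirmed after "
              f"{f['latency_s']:.0f}s, client address changed={f['src_changed']}")
```

This is a triage aid only: a short confirmation latency marks a registration as worth a closer look, but the final validation remains the per-user review of connected apps that the remediation plan describes, followed by revocation of anything the user does not recognise.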


Support

If you have further questions, please contact your Canon / Canon Business Partner representative.