===================
Title: [CVE-2019-8978] Improper Authentication (CWE-287) in Ellucian Banner Web Tailor and Banner Enterprise Identity Services
Author: Joshua Mulliken <
joshua@mulliken.net
>
Thanks to: Carnegie Mellon University CERT Coordination Center
Date Found: Dec. 17, 2018
Vendor: Ellucian Company L.P.
Vendor Homepage:
https://www.ellucian.com
Products: Banner Web Tailor and Banner Enterprise Identity Services
Web Tailor Affected Versions: 8.8.3, 8.8.4, 8.9
Banner Enterprise Identity Services Affected Versions: 8.3, 8.3.1, 8.3.2, 8.4
CVE: CVE-2019-8978
===================
Table of Contents
=================
=-=-=-=-=-=-=-=-=
1 - Executive Summary
2 - Product
3 - Impact and Recommendations
a - Impact
b - Recommendations
4 - Technical Details
a - Technical Description
b - Exploit Code
5 - Disclosure Time-line
6 - References
=-=-=-=-=-=-=-=-=
1) Executive Summary
====================
An improper authentication vulnerability (CWE-287) was identified in Banner Web Tailor and Banner Enterprise Identity Services. This vulnerability is produced when SSO Manager is used as the authentication mechanism for Web Tailor, where this could lead to information disclosure and loss of data integrity for the impacted user(s). The vendor has verified the vulnerability and produced a patch that is now available. For more information see the postings on Ellucian Communities: [LINK NOT PROVIDED BEFORE DEADLINE] and Banner Enterprise Identity Services: [LINK NOT PROVIDED BEFORE DEADLINE]. [1]
2) Product
==========
Banner Web Tailor is a web tool, made for higher education institutions, that provides registration, curriculum management, advising, administration, and reporting functionality. Students are able to access and change their registration, graduation, and financial aid information. Professors and teachers are able to input final grades and manage their courses. Administrators are able to access and change student and teacher information. It is used by hundreds of institutions, many of which have opted to use the Single Sign-on Manager in order to participate in CAS- and SAML-based single sign-on services. [2]
3) Impact and Recommendations
=============================
a) Impact
---------
A user's unique identifier, UDCID, is leaked via a cookie and it could lead to account compromise if this identifier is captured or otherwise known, in the case tested the UDCID was known to be the institutional ID printed on ID cards. The UDCID could be used to exploit a race condition that would provide an attacker with unauthorized access. For a student, the attacker could drop them from their courses, reject financial aid, change their personal information, etc. For a professor, this could lead to an inability to manage their courses, allow a malicious student to put in false final grades, etc. For an administrator, an attacker could change users information, place false holds on student accounts, etc.
b) Recommendations
------------------
Organizations affected should update to the latest version. More information can be found in the postings on Ellucian Communities: [LINK NOT PROVIDED BEFORE DEADLINE] and Banner Enterprise Identity Services: [LINK NOT PROVIDED BEFORE DEADLINE]. Please utilize Ellucian Communities or contact Ellucian through ActionLine to get more information. Updates to this disclosure will be avaliable on GitHub:
https://github.com/JoshuaMulliken/CVE-2019-8978
4) Technical Details
====================
a) Technical Description
------------------------
The improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor, in conjunction with SSO Manager. This vulnerability allows remote attackers to steal a victim's session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in the case tested is the institutional ID. During a login attempt by a victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for this victim. See proof of concept code located at the GitHub link below for more details.
b) Exploit Code
---------------
Exploit code will be made available later via Github:
https://github.com/JoshuaMulliken/CVE-2019-8978
5) Disclosure Time-line
=======================
December 18, 2018: Attempted reporting through Ellucian's marketing web-form and sent to
informationsecurityassessmentteam@ellucian.com
December 20, 2018: Submitted report to CERT Coordination Center at Carnegie Mellon University
January 2, 2019: Submitted report to a CISO at Ellucian who was discovered through LinkedIn
January 2, 2019: Requested information on responsible disclosure procedure from the University of South Carolina
January 3, 2019: Was told to report through ActionLine by Ellucian
January 4, 2019: Was told by the University of South Carolina that there is no procedure for reporting vulnerabilities
January 4, 2019: Told the University of South Carolina that I had discovered a vulnerability in Banner
February 18, 2019: CERT informed me of failure to reach the vendor and advised me to publicly disclose
February 25, 2019: Sent draft of advisory to Ellucian and set the date of disclosure to March 4th.
February 28, 2019: Ran demo of vulnerability for Ellucian over Zoom conference
March 1, 2019: Was asked by the University of South Carolina to delay publication
March 21, 2019: The University of South Carolina received a backported patch from Ellucian
March 26, 2019: Ellucian finalized patches for all versions
March 29, 2019: Was told by Ellucian that the University of South Carolina would be doing changes on the 1st of April
April 1, 2019: Requested information on patch status from the University of South Carolina
April 5, 2019: The University of South Carolina gave ETA of April 30, 2019
April 30, 2019: The University of South Carolina updated ETA to the middle of May
May 7, 2019: Set publication date of disclosure to May 13
May 10, 2019: The University of South Carolina posted a planned outage notice for all Banner Services scheduled for May 11
May 11, 2019: The University of South Carolina successfully installed the patch
May 13, 2019: Disclosure published
6) References
=============
[1]
https://cwe.mitre.org/data/definitions/287.html
[2]
https://www.ellucian.com/solutions/ellucian-banner-student