Full Report
Mendix Runtime contains a capture-replay flaw that could affect apps built with the platform if certain preconditions, which depend on the app's model and access control design, are met. This could allow authenticated attackers to access or modify objects without proper authorization, or to escalate privileges in the context of the vulnerable app. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Privilege Escalation Flaw in Mendix Runtime (Capture-Replay)
## CVE Details
- CVE ID: CVE-2023-45794
- CVSS Score: 6.8 (Medium)
- CWE: CWE-294: Authentication Bypass by Capture-replay
## Affected Systems
- Products: Mendix Applications using Mendix Runtime (Mendix 7, Mendix 8, Mendix 9, Mendix 10)
- Versions:
  - Mendix 7: All versions < V7.23.37
  - Mendix 8: All versions < V8.18.27
  - Mendix 9: All versions < V9.24.10
  - Mendix 10: All versions < V10.4.0
- Configurations: Preconditions depend on the application's model and access control design. Primarily impacts authenticated users executing actions against the vulnerable application logic.
## Vulnerability Description
The Mendix Runtime contains a capture-replay vulnerability. If exploited, this flaw allows an authenticated attacker to successfully replay captured authorization requests. Depending on the specific app design and access controls implemented by the developer, this could result in the attacker accessing or modifying objects for which they lack authorization, or achieving privilege escalation within the context of the vulnerable application.
## Exploitation
- Status: Not explicitly stated whether exploited in the wild, but the CVSS vector carries 'E:P' (Proof-of-Concept), indicating that proof-of-concept exploit code is available.
- Complexity: High (CVSS:AC:H) - Exploitation requires knowledge of the application's internals in order to craft the replay sequence.
- Attack Vector: Network (CVSS:AV:N)
## Impact
- Confidentiality: High (CVSS:C:H) - Potential for unauthorized access to sensitive data.
- Integrity: High (CVSS:I:H) - Potential for unauthorized modification of data or system state.
- Availability: None (CVSS:A:N)
## Remediation
### Patches
- Mendix 7: Update to **V7.23.37 or later version** and redeploy the application.
- Mendix 8: Update to **V8.18.27 or later version** and redeploy the application.
- Mendix 9: Update to **V9.24.10 or later version** and redeploy the application.
- Mendix 10: Update to **V10.4.0 or later version** and redeploy the application.
### Workarounds
- Follow general security recommendations provided by Siemens, which include protecting network access to devices with appropriate mechanisms and configuring the environment according to Siemens' operational guidelines for Industrial Security.
- Review and ensure robust access control design within the application model, as the vulnerability depends on app-specific preconditions.
## Detection
- Detection methods were not specified in detail. Users should monitor application logs and network traffic for unusual sequences of authenticated requests that might indicate replay activity, tailored to the application's expected user behavior patterns.
- Indicators of Compromise may include unexpected data modifications (`I:H` impact) or unauthorized object access (`C:H` impact) logged against standard user accounts.
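The replay pattern described above, as a detection check over request logs. This is an added example, not code from the Siemens advisory or from the Mendix runtime: the log line format, field names and sample entries are constructed assumptions, since the advisory does not specify a log format. The check flags a per-request id that reappears for the same user, and marks it as cross-session when the repeat arrives from a different session or client IP, which is the shape a captured-and-replayed authorized request would take.

```python
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"req=(?P<req>\S+) action=(?P<action>\S+) obj=(?P<obj>\S+)$"
)

# Constructed sample log (assumed format, not real Mendix runtime output):
# alice's UpdateOrder request r-1001 reappears from another session and IP,
# while bob's two reads carry distinct request ids and are ordinary usage.
SAMPLE_LOG = """\
2023-11-14T10:00:01Z sess=a1 user=alice ip=10.0.0.5 req=r-1001 action=UpdateOrder obj=Order/42
2023-11-14T10:00:07Z sess=a1 user=alice ip=10.0.0.5 req=r-1002 action=ReadInvoice obj=Invoice/7
2023-11-14T10:02:15Z sess=c3 user=bob ip=10.0.0.9 req=r-2001 action=ReadInvoice obj=Invoice/7
2023-11-14T10:02:40Z sess=c3 user=bob ip=10.0.0.9 req=r-2002 action=ReadInvoice obj=Invoice/8
2023-11-14T10:03:30Z sess=b9 user=alice ip=10.0.0.77 req=r-1001 action=UpdateOrder obj=Order/42
"""

def parse_log(text):
    """Parse log lines; lines not matching the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def find_replays(text):
    """One finding per (user, request id) seen more than once.
    cross_session is True when the repeat came from a different session or
    client IP than the original, the shape a captured-and-replayed request
    produces; a same-session repeat is more likely a client retry."""
    first_seen = {}
    findings = []
    for rec in parse_log(text):
        key = (rec["user"], rec["req"])
        if key not in first_seen:
            first_seen[key] = rec
            continue
        orig = first_seen[key]
        cross = orig["sess"] != rec["sess"] or orig["ip"] != rec["ip"]
        findings.append({"user": rec["user"], "req": rec["req"],
                         "action": rec["action"], "obj": rec["obj"],
                         "first_ts": orig["ts"], "replay_ts": rec["ts"],
                         "cross_session": cross})
    return findings
```

Run `find_replays(SAMPLE_LOG)` to see the single flagged entry; in a real deployment the fields to key on are whatever per-request identifier the application's logging actually records.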
## References
- Vendor Advisory: [https://cert-portal.siemens.com/productcert/html/ssa-084182.html](https://cert-portal.siemens.com/productcert/html/ssa-084182.html)
- Mendix Release Notes:
  - [https://docs.mendix.com/releasenotes/studio-pro/7/](https://docs.mendix.com/releasenotes/studio-pro/7/)
  - [https://docs.mendix.com/releasenotes/studio-pro/8/](https://docs.mendix.com/releasenotes/studio-pro/8/)
  - [https://docs.mendix.com/releasenotes/studio-pro/9/](https://docs.mendix.com/releasenotes/studio-pro/9/)
  - [https://docs.mendix.com/releasenotes/studio-pro/10/](https://docs.mendix.com/releasenotes/studio-pro/10/)
- General Security Guidelines: [https://www.siemens.com/cert/operational-guidelines-industrial-security](https://www.siemens.com/cert/operational-guidelines-industrial-security)