Karros Technologies Authentication Bypass
CriticalSynopsis
Researchers within Tenable have discovered security-related issues regarding the email verification process used by Karrostech’s hosted services. Karrostech (aka Karros Technologies) is a fleet management provider for student transportation systems and services.
While reviewing issues discovered in Edulog (https://tenable.com/security/research/tra-2023-41), Tenable researchers discovered a bypass to the email verification process in place that allowed access to portions of Karrostech’s infrastructure. This bypass ultimately allowed researchers to access potentially sensitive information and access internal administrative dashboards. The information revealed includes, but is not limited to, data regarding students (most of whom are minors) and their schools, GPS information, Karrostech internal information, and Karrostech customer information.
The KeyCloak instance hosted at https://accounts.karrostech.net/ was configured to allow self-registration on the Edulog realm and granted access to the account management portal by default. This portal allows users to change their usernames, emails, passwords, etc. It also allows users to view which applications are accessible via their Keycloak identity.
Application Access Page
When a user changes their email address in this portal, their account is marked as unverified and requires them to re-verify before normal operation can continue. The researchers discovered that the version and configuration of this KeyCloak server did not revoke access tokens when an account became unverified, which allowed users to continue changing their email address as long as they had a valid session before becoming unverified. Additionally, previously generated verification links were also not revoked.
By manipulating their registered email address and verification links, the researchers were able to obtain a verified account for email addresses they do not actually have access to, such as an @karrostech.net address.
This allowed access to other resources where restrictions were based on the registered email domain (@karrostech.net). This allowed access to Karrostech’s logging and monitoring utilities, which contain information regarding sensitive datastores and administrative dashboards.
Signed in as [email protected]
Access to an Administrative Dashboard
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]
Risk Information
Karrostech’s authentication infrastructure
Critical