Cequence discovers critical vulnerability in IT infrastructure of large food and drug retailer
Cequence Security announced that its CQ Prime Threat Research Team has identified a critical vulnerability within one of the largest food and drug retailers’ IT infrastructure affecting four subdomains. These subdomains inadvertently exposed the actuator endpoint, enabling unauthorized users to access and extract sensitive data, such as root passwords from heap dumps, which offer a snapshot of active objects and potentially sensitive information.
The vulnerability carries a CVSS score of 9.8, signifying the highest possible severity and potential for widespread breaches, underscoring the urgency and importance of its remediation. It was discovered on May 9, 2024, and has since been patched by the retailer’s team with assistance from Cequence.
Exposed Endpoint Provides Backdoor to AppDynamics
The exposed heap dump endpoint included the admin username and password to AppDynamics, a business observability platform that helps organizations monitor and manage the performance of their applications and IT operations. This access allowed attackers to extract memory snapshots directly from the server. These snapshots can be analyzed using tools like Visual VM to reveal confidential information, which could then be leveraged to gain unauthorized administrative access to the AppDynamics portal.
With such admin access, malicious actors could:
- Add and delete employee login access
- Monitor traffic across all applications, including in-store and online retail activity
- Create policies to view or exfiltrate sensitive account information, increasing the risk of data breaches
- Introduce policies that hinder normal operations, disable security measures, or create backdoors for future attacks
- Obtain valid access tokens without proper authorization, allowing them to impersonate legitimate API clients
“The implications of this exposure are substantial,” said Parth Shukla, Security Engineer at Cequence. “An attacker with access to AppDynamics could potentially monitor all of the retailer’s applications, gaining insights into online orders, customer behavior, and even in-store point-of-sales data. This could expose vast amounts of sensitive information and leave the entire operational landscape vulnerable to scrutiny and manipulation.”
Offensive Research Powered by API Spyder
The CQ Prime Threat Research team detected the vulnerability using red teaming efforts and API Spyder, Cequence’s SaaS-based discovery tool that provides an attacker’s view into an organization’s public-facing resources to identify external API hosts, unauthorized hosting providers, and API-specific security issues.
“It's our mission to make the world a safer place. That’s why, in addition to defensive research for our customers, we also conduct offensive research to actively seek out vulnerabilities before malicious actors do,” said Randolph Barr, CISO at Cequence. “Our CQ Prime Threat Research Team constantly simulates real-world attacks to uncover and neutralize potential threats. This proactive approach ensures we stay one step ahead, safeguarding our clients and their data.”
Once discovered, a bad actor could potentially allow unauthorized access to administrative functions. This weakness meant that an attacker could bypass the need for a compromised login ID and password, instead gaining the ability to create, update, delete, and modify system operations through their own access credentials.
Additional Resources: