A misconfigured US Ski and Snowboard Association web server exposed the username and password of a source code management user, putting other USSA websites and data at risk. (UPDATED)
A misconfigured server located at services.dev.ussa.org listed the contents of its web directories. One of the directories contained a “swp”, or swap file, named drupalinstall-v1.5.sh.swp. A swap file of this kind is created by a text editor such as Vim while a file is being edited: it holds a recoverable copy of the text being edited and signals to other editors that the file is open, and it can be left behind on the file system if the editor exits abnormally. The script contained a series of commands to install a website, including credentials presumably for a Subversion instance located at https://it.ussa.org/svn/. Subversion is a version control system used by developers to manage their source code. The credentials were not tested to see whether they were active.
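The two failures above, a directory listing plus a leftover editor artifact, are easy to catch before deployment. The following script is an added example, not code from the original post or from USSA: it walks a web document root for Vim swap files and other editor or backup artifacts and flags any that contain credential-like text. The sample web root it builds is constructed, and the swap-file contents only mimic what Vim writes (a "b0VIM" header followed by the edited text).

```shell
#!/bin/sh
# Added example, not from the original post: find editor and backup artifacts
# (Vim *.swp/*.swo, "~" backups, *.bak, *.orig) under a web document root and
# flag the ones that contain credential-like text.

# scan_webroot DIR
# Prints one line per artifact, "<path>\t<CREDENTIALS|clean>".
# Returns 0 when nothing was found, 1 when at least one artifact exists.
scan_webroot() {
    report=$(
        find "$1" -type f \( -name '*.sw[a-p]' -o -name '*~' \
                             -o -name '*.bak' -o -name '*.orig' \) -print |
        while IFS= read -r f; do
            # -a treats the partly binary swap file as text; -i catches PASSWORD etc.
            if grep -aEiq 'passw(or)?d|--username' "$f"; then
                printf '%s\tCREDENTIALS\n' "$f"
            else
                printf '%s\tclean\n' "$f"
            fi
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# make_sample_webroot
# Builds a constructed document root in a temp dir and prints its path.
make_sample_webroot() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/installers"
    # Legitimate content that must not be reported.
    printf '<h1>site</h1>\n' > "$root/index.html"
    # Mock of a Vim swap file left behind by an aborted edit of an install
    # script; the credentials in it are constructed.
    printf 'b0VIM 8.2\n\nsvn co --non-interactive --username deploy --password S3cret https://svn.example.invalid/site\n' \
        > "$root/installers/drupalinstall-v1.5.sh.swp"
    # Editor backup copy with no secrets in it: reported, but marked clean.
    printf '<?php $conf["site_name"] = "example";\n' > "$root/installers/settings.php~"
    printf '%s\n' "$root"
}

# Stand-alone run: build the sample root, scan it (non-zero status means
# findings), then clean up.
root=$(make_sample_webroot)
scan_webroot "$root" || echo "findings present under $root"
rm -rf "$root"
```

Disabling directory listing (`Options -Indexes` in Apache, `autoindex off;` in nginx) closes the listing itself, but the scan still matters where listing is already off: an artifact with a guessable name such as `script.sh.swp` can be fetched directly, so the reliable fix is to keep such files out of the document root in the first place.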
4/4/2020 UPDATE: Since publication, USSA has indicated the credentials were not active at the time UtahCyberCheck discovered them. This significantly reduces the risk to the organization now, and the following scenario would only have been possible in the past.
An attacker could easily harvest the credentials from the script and log in to its Subversion instance, gaining access to the organization’s source code. What could an attacker do with this access?
- Find additional vulnerabilities in the code
- Discover more credentials, allowing them to push further into the organization’s systems
- Add malicious code to projects
In addition to the exposed credentials, the script’s author chose to ignore a basic safeguard by not verifying the server’s certificate when retrieving data from the Subversion repository. This makes it possible for an attacker positioned between the server and the repository to perform a man-in-the-middle attack, stealing the credentials and manipulating the retrieved data.
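Both weaknesses in the install script, disabled certificate checking and a password embedded in the command line, can be linted for before a script ever reaches a server. The following is an added example, not the original script or USSA’s code: it assumes the script disabled checking with Subversion’s `--trust-server-cert` flag, which is the usual way to do so in `--non-interactive` mode, and the weak and corrected sample scripts it writes are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: lint an install script for
# Subversion invoked with server certificate checking disabled and for a
# password embedded on the command line.

# lint_svn_script FILE
# Returns 0 when the script is clean, 1 when it has at least one finding.
lint_svn_script() {
    status=0
    # --trust-server-cert (and --trust-server-cert-failures) make svn accept a
    # certificate it cannot validate, which is what enables a man-in-the-middle.
    if grep -Eq -- '--trust-server-cert' "$1"; then
        echo "finding: certificate verification disabled in $1"
        status=1
    fi
    # A password on the command line ends up in the script, shell history and
    # process listings; the svn auth cache or a prompt should be used instead.
    if grep -Eq -- '--password[ =]' "$1"; then
        echo "finding: svn password embedded in $1"
        status=1
    fi
    return $status
}

# make_samples
# Writes a constructed weak.sh and fixed.sh into a temp dir and prints its path.
make_samples() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/weak.sh" <<'EOF'
svn checkout --non-interactive --trust-server-cert \
    --username deploy --password 'S3cret' https://svn.example.invalid/site /var/www/site
EOF
    cat > "$dir/fixed.sh" <<'EOF'
# The CA that signed the server certificate is trusted via ssl-authority-files
# in ~/.subversion/servers, so no trust override is needed; credentials come
# from the svn auth cache populated once by an operator, not from this file.
svn checkout --non-interactive https://svn.example.invalid/site /var/www/site
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: lint both samples, then clean up.
dir=$(make_samples)
lint_svn_script "$dir/weak.sh" || echo "weak.sh: not safe to deploy"
lint_svn_script "$dir/fixed.sh" && echo "fixed.sh: clean"
rm -rf "$dir"
```

The corrected form relies on two settings in the `[global]` section of `~/.subversion/servers`: `ssl-authority-files` pointing at the CA bundle that signed the repository’s certificate, and `store-plaintext-passwords = no` so the cached credential is never written to disk in the clear.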
UtahCyberCheck initially reached out to USSA multiple times in December 2019 and January 2020. After no response, I passed this information to the Utah Department of Public Safety, who successfully made contact with those responsible for the website. As of February 15, 2020, the credentials were removed and the server’s web directory contents were no longer listed.
4/4/2020 UPDATE: Since publication, USSA reached out to me to comment. They identified this as “an old link, and the credentials are inactive.” They also “immediately corrected the situation.” Their actions are consistent with the timeline I observed when the open directory was hidden and the swap file removed shortly after reporting the issue to the Utah Department of Public Safety. As mentioned in the update paragraph earlier, because the credentials were inactive at the time UtahCyberCheck discovered them, this significantly reduces the risk to the organization now.
It is not the first time USSA has ignored reports of security issues. As announced in a previous post, the UtahCyberCheck project found and reported multiple serious security issues with USSA websites. However, the organization did not acknowledge or respond to any of the reports except for fixing the issue above. Future posts will detail these other security problems.
4/20/2020 UPDATE: After a dialogue with USSA, it became clear USSA did not receive most UtahCyberCheck reports. This contributed to confusion and miscommunication. Since then, USSA has been responsive and is able to quickly address issues brought to its attention, as future blog posts will detail.
Read more about the UtahCyberCheck project on its announcement page.
Update 4/1/2020 Updated Featured Image.
Update 4/4/2020 Updated to reflect information and comments from USSA.
Update 4/20/2020 Updated to indicate miscommunication.