Dovestones Software AD Self Password Reset (CVE-2015-8267)

Software AD Self Password Reset v3.0 by Dovestones Software contains a critical vulnerability in the password change functionality, that allows unauthenticated users to change the password of arbitrary accounts.

The vendor has been working with customers to upgrade them to a fixed version.


The /Reset/ChangePass function doesn’t validate that the validation questions have been answered, or validate that the account in question is enrolled. This allows an attacker to reset any account that the service account is able to reset, even if they aren’t enrolled.

The PasswordReset.Controllers.ResetController.ChangePasswordIndex() method in PasswordReset.dll fails to properly validate the user, and performs the password reset on arbitrary accounts.

Sample:

Successful response:


VU#757840 – Dovestones Software AD Self Password Reset fails to properly restrict password reset request to authorized users

CVE: CVE-2015-8267

KEYWORDS:
dovestones
access control

OVERVIEW

Dovestones Software AD Self Password Reset fails to properly validate users, which enables an unauthenticated attacker to reset passwords for arbitrary accounts.

DESCRIPTION

CWE-284: Improper Access Control – CVE-2015-8267

Dovestones Software AD Self Password Reset contains a vulnerable method PasswordReset.Controllers.ResetController.ChangePasswordIndex() in PasswordReset.dll that fails to validate the requesting user. An attacker can reset passwords for arbitrary accounts by manipulating web application requests that call the vulnerable method.

IMPACT

A remote, unauthenticated attacker can reset passwords for arbitrary accounts where usernames are known or can be guessed.

SOLUTION

Apply an update

The vendor has worked directly with customers to apply updates for this and other vulnerabilities. Users who have not received an update are encouraged to contact the vendor.

REFERENCES

http://www.dovestones.com/active-directory-password-reset/
https://cwe.mitre.org/data/definitions/284.html

CREDIT

Thanks to Adam Caudill for reporting this vulnerability.

This document was written by Joel Land.


Special thanks to Dovestones for their quick response, and US CERT for their help in coordinating disclosure.