Ardent Security Advisory
Ardent Security regularly identifies zero-day vulnerabilities and exploits in various products. We believe in responsible disclosure.
#####################################################################################
#
# Ardent Security Advisory
# Original Disclosure: https://www.ardent-security.com/advisory/ASA-2021-04/ASA-2021-04_CVE-2021-29396.txt
#
#####################################################################################
#
# Product:          NorthStar Club Management 6.3
# Vendor:           Northstar Technologies Inc
# URL:              https://www.globalnorthstar.com/
# ASA ID:           ASA-2021-04
# CVE ID:           CVE-2021-29396
# CWE ID:           CWE-287 – Improper Authentication
# Subject:          Authentication Bypass via Systemic Lack of Proper Authentication
# Severity:         High
# Author:           Alexandre LaRocque, CEO <[email protected]>
# Date:             2022-01-27
#
#####################################################################################
Description:
NorthStar Club Management 6.3 has a systemic lack of proper authentication: many high-privilege functions can be reached without the user ever authenticating. This vulnerability was identified by Ardent Security experts while performing penetration testing in Toronto, Canada.
The following list is only a small subset of the pages and resources that the NorthStar application does not protect with authentication; each can be accessed by an attacker without credentials:
- /Common/NorthFileManager/fileManager.jsp
- /filemanager/download.jsp
- /Common/NorthFileManager/fileManagerObjects.jsp
- /Admin/monitor/CommandExecution/comoutput.jsp
- /UserFiles/*anyfile*
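Since the vendor fix status is unknown, a defender's first step is to find out whether these resources are being reached. The following is an added detection example, not part of the advisory and not vendor code: it triages combined-format access log lines (Apache httpd or Tomcat's AccessLogValve) against the paths listed above, normalising each request path so dot-segment and percent-encoded variants still match, and flags only successful (2xx) responses, since a redirect to a login page shows authentication was enforced. The log lines are constructed samples using RFC 5737 test addresses.

```python
import posixpath
import re
from urllib.parse import unquote

# Resources listed in the advisory; a trailing "/" marks a directory prefix (/UserFiles/*).
UNAUTHENTICATED_PATHS = [
    "/Common/NorthFileManager/fileManager.jsp",
    "/filemanager/download.jsp",
    "/Common/NorthFileManager/fileManagerObjects.jsp",
    "/Admin/monitor/CommandExecution/comoutput.jsp",
    "/UserFiles/",
]
# Combined access-log format (Apache httpd, or Tomcat's AccessLogValve).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalize_path(target):
    # Strip the query string, percent-decode, collapse dot segments (so "./" variants match).
    return posixpath.normpath(unquote(target.split("?", 1)[0]))

def matched_entry(target):
    # Return the advisory entry a request path falls under, or None.
    path = normalize_path(target).lower()
    for entry in UNAUTHENTICATED_PATHS:
        prefix = entry.rstrip("/").lower()
        if path == prefix or (entry.endswith("/") and path.startswith(prefix + "/")):
            return entry
    return None

def triage(log_lines):
    # Flag 2xx requests to the listed resources; a 302 to login means auth was enforced.
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and 200 <= int(m.group("status")) < 300:
            entry = matched_entry(m.group("target"))
            if entry:
                findings.append({"ip": m.group("ip"), "target": m.group("target"), "entry": entry})
    return findings

# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Jan/2022:10:01:02 +0000] "GET /Common/NorthFileManager/fileManager.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Jan/2022:10:01:05 +0000] "GET /filemanager/download.jsp?file=members.csv HTTP/1.1" 200 88214 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Jan/2022:10:02:11 +0000] "GET /Admin/monitor/./CommandExecution/comoutput.jsp HTTP/1.1" 200 310 "-" "curl/7.68.0"',
    '198.51.100.7 - - [27/Jan/2022:10:02:20 +0000] "GET /UserFiles/report.pdf HTTP/1.1" 200 91234 "-" "curl/7.68.0"',
    '192.0.2.9 - - [27/Jan/2022:10:03:00 +0000] "GET /Common/NorthFileManager/fileManager.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample input the four 2xx hits from 203.0.113.5 and 198.51.100.7 are reported, while the 302 from 192.0.2.9 is not; on real logs, feed the file's lines to triage() and review the source addresses that appear.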
Technical Description:
Due to the dominant market share of the product, no proof-of-concept code is provided.
Affected version(s):
Only NorthStar Club Management 6.3 was tested. Older versions may also be vulnerable.
Workaround / Fix:
It is unknown if this vulnerability has been fixed by the vendor.
Vulnerability Severity:
CVSS v3.1 Metrics [2]:
- CVSS Base Score: 10 (High)
- CVSS Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Timeline:
2021-03-18: Vulnerability discovery
2021-03-27: Contacted vendor about the vulnerability
2021-03-27: Vendor was given a 90-day period
2021-06-27: Vendor was given an additional 90-day period
2021-09-27: Vendor was given an additional 90-day period
2022-01-26: Public disclosure
Reference:
[1] https://www.ardent-security.com/advisory/ASA-2021-04
[2] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H&version=3.1