A zero-day vulnerability has been discovered in a popular content management solution used by high-profile companies including Deloitte, Dell and Microsoft.
The bug in Adobe Experience Manager (AEM) was detected by two members of Detectify’s ethical hacking community. If left unchecked, the weakness allows attackers to bypass authentication and gain access to CRX Package Manager, leaving applications open to remote code execution (RCE) attacks.
“With access to the CRX Package Manager, an attacker could upload a malicious package in Adobe Experience Manager to leverage it to an RCE and gain full control of the application,” said a Detectify spokesperson.
The pair found that several large organizations were affected by the bug, including Mastercard, LinkedIn, PlayStation and McAfee.
The vulnerability is reached through the CRX package endpoints and can be remediated by blocking public access to the CRX consoles, in addition to applying Adobe's patch.
A Detectify spokesperson explained: “The CRX Package Manager is accessed by bypassing authentication in Dispatcher, Adobe Experience Manager’s caching and/or load balancing tool.
“Dispatcher checks a user’s access permissions for a page before delivering the cached page and is an essential part of most – if not all – AEM installations. It can be bypassed by adding a lot of special characters in combination in the request.”
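The remediation the article describes, blocking public access to the CRX consoles at the Dispatcher, is expressed in the Dispatcher's filter section. The fragment below is an added illustration, not configuration from Detectify, the researchers or Adobe; the rule numbers and the `/content/*` allow pattern are assumptions chosen for the example, and the filter syntax is the standard `dispatcher.any` form. The point it shows is that a deny-by-default filter that allow-lists only the paths a site serves is a stronger posture than appending a single deny for `/crx/*` to an otherwise permissive filter, because a request that sneaks past one deny pattern still has to match an allow rule.

```text
# dispatcher.any (excerpt, added example; rule numbers and allow pattern are assumptions)
/filter
  {
  # 1. Deny everything by default.
  /0001 { /type "deny"  /url "*" }

  # 2. Allow only what the public site actually serves.
  /0002 { /type "allow" /url "/content/*" }
  /0003 { /type "allow" /url "/etc.clientlibs/*" }

  # 3. Explicit denies for the administrative consoles, kept even with
  #    deny-by-default so an accidental broad allow added later does not
  #    re-expose them.
  /0100 { /type "deny"  /url "/crx/*" }
  /0101 { /type "deny"  /url "/system/*" }
  /0102 { /type "deny"  /url "/libs/*" }
  }
```

After deploying a change like this, the check a practitioner wants is external: request `/crx/packmgr/index.jsp` through the public hostname and confirm the response is a 403 or 404 rather than the Package Manager UI. Keep in mind that the bypass described above worked against the Dispatcher's own request matching, so filter hardening complements Adobe's fix rather than replacing it.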
Security researcher Bao Bui is a former CTF player of the Meepwn CTF Team who started hunting bug bounties around a year ago. Security engineer and developer Ai Ho has been active on the bug bounty scene for two years, building his own bug-catching tools and sharing them on GitHub.
The zero-day flaw was reported to Adobe, who swiftly released a patch for it. The AEM CRX Bypass zero-day was then implemented as a security test module on Detectify’s platform.
“Since it went live in May 2021, around 30 instances of the AEM CRX Bypass vulnerability have been found in customers’ web applications,” said a Detectify spokesperson.
Detectify’s scans for more than 80 unique AEM vulnerabilities have generated over 160,000 hits in total so far.