CVE-2022-39214: Critical Security Vulnerability in iTop IT Service Management Platform
The iTop IT Operations Portal is an open-source, web-based IT service management platform offering a comprehensive suite of tools, including a fully customizable CMDB, helpdesk system, and document management tool. As an ITIL-compliant solution, iTop is widely used across various industries. However, recent security vulnerabilities [1, 2] have been discovered, which could potentially put iTop installations at risk.
CVE-2022-39214: Authenticated User Account Takeover
With a CVSS score of 9.6, CVE-2022-39214 is a critical-severity vulnerability that allows authenticated users to bypass security restrictions and take over arbitrary accounts in Combodo iTop. The vulnerability stems from improper authentication: an attacker can exploit the issue by sending a specially crafted request using the username parameter.
Impact:
An iTop user with login access can take over any account simply by knowing the target’s username.
Affected versions: 3.0.0, <3.0.2-1
Patches: Fixed in version 3.0.2-1
CVE-2022-39216: Weak Password Reset Token and Account Takeover
CVE-2022-39216 (CVSS score of 9.1) highlights a weakness in Combodo iTop’s password reset token generation scheme. This vulnerability enables a remote attacker to take over arbitrary user accounts because the reset tokens are generated without a random component.
Impact:
The password reset token is generated without sufficient randomness, potentially leading to account takeovers.
Affected versions: >2.0.2
Patches: Fixed in versions 2.7.8 and 3.0.2-1
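The weakness behind CVE-2022-39216 is a reset token that can be predicted because nothing random goes into it. The following is an added example, not iTop's own code, of the properties a reset token scheme needs so that the token cannot be guessed or reused: it is drawn from the OS CSPRNG, only its hash is stored server-side, it is bound to one user, it expires, and it is consumed on first use. The `ResetTokenStore` class, `TOKEN_TTL_SECONDS` value and in-memory dictionary are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # constructed value: short validity window for the example


class ResetTokenStore:
    """Issues and verifies single-use password reset tokens (example code)."""

    def __init__(self):
        # token_hash -> (username, expiry). Only the hash is kept, so a leaked
        # table does not contain usable tokens.
        self._pending = {}

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG: unpredictable, unlike a token derived from
        # a timestamp, a counter or the username alone.
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = (username, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, username, token, now=None):
        now = time.time() if now is None else now
        digest = self._hash(token)
        # Compare every stored hash in constant time so timing does not reveal
        # how much of a candidate token matched.
        match = None
        for stored in self._pending:
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            return False
        # Single use: the entry is removed on the first redemption attempt,
        # whether or not the remaining checks pass.
        owner, expiry = self._pending.pop(match)
        return owner == username and now <= expiry
```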
Securing Your iTop Installation
Given the severity of these vulnerabilities, it is crucial to act swiftly and secure your iTop installation. Follow these steps to remediate them:
- Update your iTop installation to one of the patched versions: 2.7.8 or 3.0.2-1. This update will address both CVE-2022-39214 and CVE-2022-39216 vulnerabilities.
- Perform a comprehensive security review of your iTop instance, checking for any signs of unauthorized access or suspicious activity.
- Educate your users about the importance of strong and unique passwords, as well as exercising caution when clicking on password reset links in emails.