API exploits: the week of January 24th. Agilia Infusion, Tesla, Codeigniter4, and Reolink cameras

We usually think about APIs as IoT, connected cars, medical devices, mobile apps backends, Single Page Applications, or B2B integrations. But what if all of these technologies are vulnerable simultaneously?

A hacked security camera means stolen private video. A hacked car means not only tracking or hijacking but also random acceleration and stops. A hacked medical device means wrong injections, overdoses, and wrong medications. A hacked website means almost nothing compared with all of the above. Enjoy this API security newsletter!

Fresenius Kabi Agilia Connect Infusion System multiple vulnerabilities.

There is a bunch of issues, including hard-coded credentials, weak SSL, and custom crypto, but only one simple thing related to API security: directory listing.

Vigilant API has the option for automated indexing (directory listing) activated. When accessing a directory, a web server delivers its entire content in HTML form. If an index file does not exist and directory listing is enabled, all content of the directory will be displayed, allowing an attacker to identify and access files on the server.

Source: https://www.cisa.gov/uscert/ics/advisories/icsma-21-355-01
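To make the advisory's point concrete, here is an added example (not code from the advisory or the vendor) of a minimal static-file handler with an `autoindex` switch. The function name `serve_path`, the constructed document root, and the sample file names are this example's own assumptions. With the switch on and no index file, a request for a directory returns every file name in it; with the switch off, the same request is refused.

```python
import html
import tempfile
from pathlib import Path
from typing import Tuple

def serve_path(root: str, url_path: str, autoindex: bool = False) -> Tuple[int, str]:
    """Resolve url_path under root and return (status, body).

    Mirrors the behaviour the advisory describes: with automated indexing
    enabled and no index file, a directory request returns a listing of
    everything in it. With indexing disabled, the request returns 403.
    """
    root_dir = Path(root).resolve()
    target = (root_dir / url_path.lstrip("/")).resolve()
    # Refuse any resolved path that lands outside the document root.
    if root_dir != target and root_dir not in target.parents:
        return 403, "Forbidden"
    if not target.exists():
        return 404, "Not Found"
    if target.is_file():
        return 200, target.read_text()
    # Directory request: an index file wins, otherwise the switch decides.
    index = target / "index.html"
    if index.is_file():
        return 200, index.read_text()
    if autoindex:
        entries = sorted(p.name for p in target.iterdir())
        items = "".join(f"<li>{html.escape(e)}</li>" for e in entries)
        title = html.escape("/" + url_path.strip("/"))
        return 200, f"<html><body><h1>Index of {title}</h1><ul>{items}</ul></body></html>"
    return 403, "Forbidden"

def demo() -> dict:
    """Build a constructed document root and request the same directory both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        api = Path(tmp) / "api"
        api.mkdir()
        # Constructed sample files standing in for whatever sits beside an API.
        (api / "config.bak").write_text("setting=example")
        (api / "pump.xml").write_text("<pump/>")
        return {
            "on": serve_path(tmp, "/api/", autoindex=True),
            "off": serve_path(tmp, "/api/", autoindex=False),
        }

if __name__ == "__main__":
    for mode, (status, body) in demo().items():
        print(f"autoindex {mode}: {status} {body[:80]}")
```

The safe default is the second branch: a directory without an index file answers 403 instead of enumerating its contents. Checking for this is a one-request test per directory in a pre-release scan.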

Tesla API hack

This one is just a crime drama. If you think it's only about the third-party app TeslaMate and the official API it talks to, you have to read the full story (this is their patch, by the way).

No spoilers, just read the original: https://medium.com/@david_colombo/how-i-got-access-to-25-teslas-around-the-world-by-accident-and-curiosity-8b9ef040a028.

That 19-year-old Bavarian hacker did a great job! And special thanks to the author for the recommendations chapter. Please read it carefully to understand what's actually inside that EV car API:

  1. Add multiple scopes to the API! People are going to use it anyways, make it secure for them. Just add multiple scopes like: Read-Only Scope (for third-party software that only needs to collect data), Non-Critical Scope (seat heater, etc.), Critical Scope (unlocking doors, keyless driving, etc.).
  2. Require the password for the Keyless Driving API endpoint again (I have no idea why this additional auth step was removed).
  3. Revoke API tokens when the Tesla account password is reset! (Alternatively implement an easy way to revoke API keys manually)
  4. Since Tesla API tokens are basically car keys, but can be generated easily, copied and used multiple times in multiple places, Tesla should/could implement an easy way to keep inventory of & track Tesla API tokens.
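The four recommendations fit together as one token service, so here is an added example that implements all of them in a single toy API (this is not Tesla's code or the article author's; the scope names, endpoint names, bit layout and the `TokenService` class are this example's own assumptions). Tokens carry a scope tier, the keyless-driving endpoint demands the account password per call, a password reset revokes every token minted before it, and the service keeps an inventory of which client holds which token.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Scope tiers from the recommendations above (names are this example's own).
READ_ONLY = "read_only"        # telemetry, charge state
NON_CRITICAL = "non_critical"  # seat heater, climate
CRITICAL = "critical"          # unlock doors, keyless driving
SCOPE_RANK = {READ_ONLY: 0, NON_CRITICAL: 1, CRITICAL: 2}  # higher implies lower

# Hypothetical endpoints and the scope each one needs (recommendation 1).
ENDPOINT_SCOPE = {
    "vehicle_data": READ_ONLY,
    "seat_heater": NON_CRITICAL,
    "door_unlock": CRITICAL,
    "remote_start_drive": CRITICAL,
}
# Endpoints that also require the account password on every call (recommendation 2).
REAUTH_REQUIRED = {"remote_start_drive"}

class AuthError(Exception):
    pass

@dataclass
class Token:
    token_id: str             # short id shown in the inventory
    account: str
    scope: str
    issued_by: str            # client name, so the inventory is meaningful (recommendation 4)
    password_generation: int  # password version the token was minted against (recommendation 3)
    revoked: bool = False
    last_used: Optional[float] = None

@dataclass
class Account:
    name: str
    password_hash: str
    password_generation: int = 0

class TokenService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.tokens: Dict[str, Token] = {}  # token value -> record; this is the inventory

    @staticmethod
    def _hash(password: str) -> str:
        # Toy hash for the example only; a real service uses a slow password hash.
        return hashlib.sha256(password.encode()).hexdigest()

    def create_account(self, name: str, password: str) -> None:
        self.accounts[name] = Account(name, self._hash(password))

    def issue_token(self, account: str, password: str, scope: str, issued_by: str) -> str:
        acct = self.accounts[account]
        if self._hash(password) != acct.password_hash:
            raise AuthError("bad password")
        value = secrets.token_urlsafe(32)
        self.tokens[value] = Token(value[:8], account, scope, issued_by, acct.password_generation)
        return value

    def reset_password(self, account: str, new_password: str) -> None:
        acct = self.accounts[account]
        acct.password_hash = self._hash(new_password)
        acct.password_generation += 1
        # Recommendation 3: every token minted before the reset is dead.
        for tok in self.tokens.values():
            if tok.account == account and tok.password_generation < acct.password_generation:
                tok.revoked = True

    def revoke(self, value: str) -> None:
        self.tokens[value].revoked = True  # manual revocation, the alternative in recommendation 3

    def inventory(self, account: str) -> List[Tuple[str, str, str, bool]]:
        return [(t.token_id, t.scope, t.issued_by, t.revoked)
                for t in self.tokens.values() if t.account == account]

    def call(self, value: str, endpoint: str, password: Optional[str] = None) -> str:
        tok = self.tokens.get(value)
        if tok is None or tok.revoked:
            raise AuthError("unknown or revoked token")
        required = ENDPOINT_SCOPE[endpoint]
        if SCOPE_RANK[tok.scope] < SCOPE_RANK[required]:
            raise AuthError(f"{endpoint} needs {required} scope, token has {tok.scope}")
        if endpoint in REAUTH_REQUIRED:
            acct = self.accounts[tok.account]
            if password is None or self._hash(password) != acct.password_hash:
                raise AuthError(f"{endpoint} requires the account password")
        tok.last_used = time.time()
        return f"{endpoint}: ok"
```

The design choice worth noting is the `password_generation` counter: a token records the password version it was issued under, so revocation on reset is a comparison rather than a search for every place a token might have been copied to.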

Reolink Cameras multiple API vulnerabilities. CVE-2021-40413, CVE-2021-40414, CVE-2021-40415, and CVE-2021-40416

Great job from the Cisco security team. Francesco Benvenuto just nailed it. A firmware deep-dive and decompilation identified four CVEs, and the most interesting is an API authentication bypass caused by a logic issue.

The cgi_check_ability checks, given the requested API_command, if the user permission satisfies the API permission. If so, the API is executed. If the API requested is not within the switch cases, then the default case, at [2], is performed. The check of the permission is performed at [3] using a logical AND operator between the user permission and the required command permission. It means that, if the permission guaranteed to the user is 7, like for the default case at [2], all the APIs with a permission value are allowed.

The other interesting one is basically a verb tampering issue caused by unchecked GET-based API calls (CVE-2021-40416).

Source: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1425
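The two flaws described above, the default case that yields 7 and the bitwise AND used as a yes/no test, plus the unchecked GET calls of CVE-2021-40416, can be shown side by side with their fixes. This is an added example, not Reolink firmware or Talos's code: the permission bit values, the command table and the function names are this example's own constructed stand-ins for the switch/case logic the report describes.

```python
from typing import Dict, Optional

# Constructed permission bits for the example (not the camera's real values).
PERM_VIEW = 1
PERM_OPERATE = 2
PERM_ADMIN = 4
PERM_ALL = PERM_VIEW | PERM_OPERATE | PERM_ADMIN  # == 7

# Required permission per command; stands in for the switch/case table.
COMMAND_PERMS: Dict[str, int] = {
    "GetDevInfo": PERM_VIEW,
    "Snap": PERM_VIEW,
    "SetRec": PERM_OPERATE,
    "Reboot": PERM_ADMIN,
    "SetUser": PERM_ADMIN,
    "FactoryReset": PERM_OPERATE | PERM_ADMIN,  # needs both bits
}

def check_ability_vulnerable(user_perm: int, command: str) -> bool:
    """Models the logic flaw from the write-up.

    Two problems: a command missing from the table falls into a default
    case worth 7, and the comparison is a bitwise AND tested for truth,
    which passes as soon as any single bit overlaps.
    """
    required = COMMAND_PERMS.get(command, PERM_ALL)  # default case -> 7
    return bool(user_perm & required)                # any overlapping bit passes

def check_ability_fixed(user_perm: int, command: str) -> bool:
    """Default-deny unknown commands and require every bit the command demands."""
    required: Optional[int] = COMMAND_PERMS.get(command)
    if required is None:
        return False                                 # unknown command: reject
    return (user_perm & required) == required        # all required bits present

# Verb handling: state-changing commands must not be reachable over GET.
MUTATING = {"SetRec", "Reboot", "SetUser", "FactoryReset"}

def authorize_request(user_perm: int, command: str, method: str) -> bool:
    """Combine the permission check with a method check for mutating commands."""
    if command in MUTATING and method.upper() != "POST":
        return False
    return check_ability_fixed(user_perm, command)

if __name__ == "__main__":
    for perm, cmd in [(PERM_VIEW, "UnknownCmd"), (PERM_OPERATE, "FactoryReset")]:
        print(cmd, "vulnerable:", check_ability_vulnerable(perm, cmd),
              "fixed:", check_ability_fixed(perm, cmd))
```

Two things to take from it: a permission check on a bitmask must compare against the full required mask, not test whether the AND is non-zero, and the default branch of a command dispatcher should reject rather than grant.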

XSS Vulnerability in API\ResponseTrait in CodeIgniter4

If you don't know CodeIgniter, you have never seen PHP. Good for you! But some other people are using the Personal Home Page engine to code online banks, e-commerce, fintech, and SaaS projects.

One API route, one bug. Simple XSS.

Source: https://github.com/advisories/GHSA-7528-7jg5-6g62

Apache ShenYu /plugin API endpoint auth bypass

An official advisory says the following:

User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

Yes, sometimes that scary API security just means missed authentication on one or many endpoints. That simple.

Source: https://github.com/advisories/GHSA-6v39-p2xq-g5c3
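The usual root cause of a "missed authentication on one endpoint" bug is that each route opts in to the check separately, so one forgotten flag exposes one route. The added example below (not ShenYu's code; the route names, handlers and token value are constructed for illustration) contrasts that opt-in pattern with a dispatcher that authenticates before routing and keeps a short explicit list of public paths, plus a small audit helper that reports which routes answer without a token.

```python
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, str]
Handler = Callable[[], Response]

# Constructed handlers standing in for an admin API that has a /plugin endpoint.
def list_plugins() -> Response:
    return 200, '[{"name": "example-plugin"}]'

def dashboard_info() -> Response:
    return 200, '{"version": "example"}'

def login() -> Response:
    return 200, '{"token": "example"}'

VALID_TOKENS = {"constructed-admin-token"}  # constructed, stands in for real session checks

def authenticated(token: Optional[str]) -> bool:
    return token in VALID_TOKENS

# Pattern A: every route carries its own needs-auth flag. Forgetting the flag
# on one route silently exposes that route, which is the shape of the advisory.
ROUTES_OPT_IN: Dict[str, Tuple[bool, Handler]] = {
    "/login": (False, login),
    "/dashboard": (True, dashboard_info),
    "/plugin": (False, list_plugins),  # the forgotten flag
}

def dispatch_opt_in(path: str, token: Optional[str]) -> Response:
    entry = ROUTES_OPT_IN.get(path)
    if entry is None:
        return 404, "not found"
    needs_auth, handler = entry
    if needs_auth and not authenticated(token):
        return 401, "unauthorized"
    return handler()

# Pattern B: authentication runs before routing for every path; the only
# way to skip it is to be on a short, reviewed list of public paths.
PUBLIC_PATHS = {"/login"}
ROUTES: Dict[str, Handler] = {
    "/login": login,
    "/dashboard": dashboard_info,
    "/plugin": list_plugins,
}

def dispatch_default_deny(path: str, token: Optional[str]) -> Response:
    if path not in PUBLIC_PATHS and not authenticated(token):
        return 401, "unauthorized"
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    return handler()

def unauthenticated_routes(dispatch: Callable[[str, Optional[str]], Response]) -> List[str]:
    """Audit helper: which known routes answer 200 with no token at all?"""
    return sorted(path for path in ROUTES if dispatch(path, None)[0] == 200)

if __name__ == "__main__":
    print("opt-in pattern exposes:", unauthenticated_routes(dispatch_opt_in))
    print("default-deny pattern exposes:", unauthenticated_routes(dispatch_default_deny))
```

The audit helper is the part worth keeping in a test suite: a test that asserts the unauthenticated route list equals the intended public list catches the next forgotten endpoint before it ships.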

I hope you enjoyed this week. See you next Saturday! Please subscribe and share this newsletter!


More articles by Ivan Novikov