2020-11 Security update

How Can We Help?

2020-11 Security update

Created On
Last Updated On
Print
← All Topics

Our commitment to Security and Privacy

Labforward is committed to achieving and maintaining the trust of our customers. Integral to this mission is that we always strive to provide robust security procedures and strictly adhere to the GDPR and our Privacy Policy. You can refer to our policy regarding security update disclosures in our Security Center.

Summary

Labforward released two security updates for our website domains.

  1. Prevention of UI redressing – website can no longer be embedded in an iframe by a third party.
  2. Disabled website functionality for pingbacks and trackbacks which could be exploited for DDOS attacks.

Note: this security update does not impact our software products (Labfolder, Laboperator), neither Cloud nor On-Premise versions, as our product already handled such vulnerability types correctly.

Acknowledgement: we would like to sincerely thank Bilal Abdul Muqeet for reporting these issues. Your support in making our websites more secure is highly appreciated!

Classification of Severity and Exploitability

UI Redressing

Severity = What is the worst theoretical outcome?

Rating Description
Moderate Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations

Exploitability = What is the likelihood that a vulnerability addressed in a security update will be exploited?

Rating Description
Exploitation Unlikely Labforward analysis shows that successfully functioning exploit code is unlikely to be utilized in real attacks. This means that while it might be possible for exploit code to be released that could trigger the vulnerability and cause abnormal behavior, the full impact of exploitation will be more limited. Moreover, Labforward has not observed instances of this type of vulnerability being actively exploited in the past. Thus, the actual risk of being exploited from this vulnerability is significantly lower.

DDOS Attack

Severity = What is the worst theoretical outcome?

Rating Description
Low Impact of the vulnerability is comprehensively mitigated by the characteristics of the affected component. Specifically, not being able to access our website does not affect our users ability to use our services.

Exploitability = What is the likelihood that a vulnerability addressed in a security update will be exploited?

Rating Description
Exploitation Less Likely Labforward analysis has shown that while exploit code could be created, an attacker would likely have difficulty creating the code, requiring expertise and/or sophisticated timing, and/or varied results when targeting the affected product. Moreover, Labforward has not recently observed a trend of this type of vulnerability being actively exploited in the wild. This makes it a less attractive target for attackers.

General Recommendations

  • No action required from our customers and users.
Tags: