What's Bugging the NSA? A Vuln in Its SkillTree Training Platform

Published: 23/11/2024   Category: security




Even the NSA leaves bugs in its software. In this case, it's the kind of cross-site issue that regularly slips past developers.



The National Security Agency (NSA) has patched a cross-site request forgery (CSRF) vulnerability in its open source employee training platform, SkillTree, showcasing how difficult this class of bug is to catch before a production release.

SkillTree is an online education platform with gamified elements, such as points and achievements awarded when learning goals are reached. It was designed in-house by the NSA and released to GitHub in 2020. According to an agency press release, its stated goal is to improve how users across the agency interact with complex in-house applications, and to streamline and modernize software development and DevOps best practices at the agency.

On June 12, researchers from Contrast discovered and reported a CSRF issue affecting the platform. It has since been labeled CVE-2024-39326 and assigned a medium-severity CVSS score of 4.4.

In a CSRF attack, attackers use authenticated users as conduits to send malicious requests to a targeted website or app. In this particular case, because several SkillTree endpoints accepted vulnerable content types, an attacker who tricked an admin-level user into clicking a malicious link could have manipulated the videos, captions, and text attached to the user's online lessons. Doing so would have required prior knowledge of the targeted SkillTree skill and project name, and such an attack would not have exposed any further user data or systems.

The NSA implemented a fix for this issue in a July 2 patch, which users should deploy to avoid website manipulation.
"Too often, CSRF vulnerabilities are neglected and don't get fixed before code is released into production," Contrast wrote in its report on CVE-2024-39326. "Developers and Application Security (AppSec) teams focus on more advanced attacks that could lead to sensitive data exposure; as a result, CSRF vulnerabilities wind up not being remediated, leaving malicious actors opportunities for successful execution."
There's more to it than just neglect, though. CSRF issues aren't so easily spotted in the first place. One major reason is that they don't interrupt the normal functioning of an app. And unlike bugs that exist entirely in an app's code, CSRF tends to stem from design issues in authentication and session handling.
"SQL injection is something that would be very well known to developers, because for it to occur, the developer has to send data to a database, and so the developer's doing something consciously," explains Contrast researcher Joseph Beeton. "Unlike SQL injection, CSRF is almost outside of the application. It's in the browser."

And, he adds, "There are lots of types of requests that aren't vulnerable to CSRF. The SkillTree application had dozens, maybe hundreds of endpoints, and only a couple were vulnerable."
Luckily, modern browsers use restrictions and policies to protect sites from themselves. There are SameSite cookies, which shield cookies from cross-site requests, and strict cross-origin resource sharing (CORS) policies to defend against unauthorized cross-origin requests, among others, blurring the line of responsibility between application and browser.
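As an added illustration (not code from SkillTree, the NSA or Contrast), the following Python sketches the server-side checks that close the gap described above, where a state-changing endpoint accepts content types a browser will submit cross-site: a per-endpoint content-type allowlist (so a JSON API does not also accept form-submittable types), a Sec-Fetch-Site/Origin check that complements SameSite cookies, and a double-submit token. The endpoint paths, header values and cookie names are assumptions, and the sample requests are constructed.

```python
"""
Added example, not code from SkillTree or the article: a small server-side
CSRF gate for state-changing endpoints. Endpoint paths, header values and
cookie names are assumed for illustration.
"""
from dataclasses import dataclass, field

SITE_ORIGIN = "https://skilltree.example"  # assumed origin of the app
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Content types a browser sends cross-site from a plain <form> or a "simple"
# fetch() with no CORS preflight. A state-changing endpoint that accepts any
# of these is reachable from a page the user was tricked into opening.
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

# Per-endpoint allowlist of accepted content types (assumed paths).
ENDPOINT_CONTENT_TYPES = {
    "/admin/skill/video": {"application/json"},
    "/admin/skill/caption": {"application/json"},
}


@dataclass
class Request:
    """Minimal stand-in for the request object a web framework hands over."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def media_type(req):
    """'application/json; charset=utf-8' -> 'application/json'."""
    return req.headers.get("Content-Type", "").split(";")[0].strip().lower()


def is_cross_site(req):
    """Prefer Sec-Fetch-Site; fall back to Origin/Referer; unknown counts as cross-site."""
    site = req.headers.get("Sec-Fetch-Site")
    if site is not None:
        return site == "cross-site"
    source = req.headers.get("Origin") or req.headers.get("Referer") or ""
    return not source.startswith(SITE_ORIGIN)


def csrf_check(req):
    """Return (allowed, reason); each rule stands on its own as defence in depth."""
    if req.method in SAFE_METHODS:
        return True, "safe method"
    accepted = ENDPOINT_CONTENT_TYPES.get(req.path)
    if accepted is None:
        return False, "unknown endpoint"
    ctype = media_type(req)
    if ctype not in accepted:
        # The fix for the bug class in the article: a JSON API must not also
        # accept form-submittable content types.
        return False, f"content type {ctype or '<none>'} not accepted"
    if is_cross_site(req):
        return False, "cross-site state change rejected"
    # Double-submit token: the cookie value must be echoed in a header that a
    # cross-site page cannot set on a credentialed request.
    token = req.cookies.get("csrf")
    if not token or req.headers.get("X-CSRF-Token") != token:
        return False, "missing or mismatched CSRF token"
    return True, "ok"


# Constructed sample traffic.
LEGIT = Request(
    "POST", "/admin/skill/video",
    headers={"Content-Type": "application/json", "Origin": SITE_ORIGIN,
             "Sec-Fetch-Site": "same-origin", "X-CSRF-Token": "t0k3n"},
    cookies={"session": "abc", "csrf": "t0k3n"},
)
# What an auto-submitting <form> on a third-party page yields: the session
# cookie rides along, but the content type is text/plain and the origin is foreign.
FORGED_FORM = Request(
    "POST", "/admin/skill/video",
    headers={"Content-Type": "text/plain", "Origin": "https://third-party.example",
             "Sec-Fetch-Site": "cross-site"},
    cookies={"session": "abc", "csrf": "t0k3n"},
)
# Same-site JSON request that forgot the token header.
NO_TOKEN = Request(
    "POST", "/admin/skill/caption",
    headers={"Content-Type": "application/json", "Sec-Fetch-Site": "same-origin"},
    cookies={"session": "abc", "csrf": "t0k3n"},
)


def run_samples():
    """Evaluate the constructed requests; returns name -> reason."""
    samples = {"legit": LEGIT, "forged_form": FORGED_FORM, "no_token": NO_TOKEN}
    return {name: csrf_check(req)[1] for name, req in samples.items()}


if __name__ == "__main__":
    for name, reason in run_samples().items():
        print(f"{name:12s} -> {reason}")
```

The content-type rule is the one that maps directly onto this CVE class: once an endpoint only accepts `application/json`, a browser cannot deliver a cross-site request to it without a CORS preflight, which a restrictive CORS policy then refuses. The origin and token rules catch the remaining cases (non-browser clients, misconfigured CORS, older browsers without Sec-Fetch-Site).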
