The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a password reset URL. It may be possible to manipulate the URL sent to Umbraco users when so that it points to the attackers server thereby disclosing the password reset token if/when the link is followed. A related vulnerability (CVE-2022-22690) could allow this flaw to become persistent so that all password reset URLs are affected persistently following a successful attack. See the AppCheck advisory for further information and associated caveats.

AppCheck Research identified multiple vulnerabilities within the Umbraco CMS that could be remotely exploited to persistently modify a sensitive configuration parameter used when generating URL’s that reference the Umbraco application. The attacker could exploit this to poison password reset URL’s and perform account take over attacks.

**Overview**

Within the Umbraco CMS, a configuration element named “_UmbracoApplicationUrl_”  (or just “_ApplicationUrl_”) is used whenever application code needs to build a URL pointing back to the site. For example, when a user resets their password and the application builds a password reset URL or when the administrator invites users to the site.

For Umbraco versions less than 9.2.0,  if the Application URL is not specifically configured, the attacker can manipulate this value and store it persistently affecting all users for components where the “UmbracoApplicationUrl” is used (CVE-2022-22690).

For example, **the attacker is able to change the URL users receive when resetting their password so that it points to the attackers server, when the user follows this link the reset token can be intercepted by the attacker resulting in account takeover.**

Note that if the hosting IIS server restricts the permitted host name value, this flaw is mitigated upstream by the IIS server.

**Analysis**

(Note that the affected variable is referred to using slightly different names depending on where it is used. In code, “ApplicationUrl” is typically used and therefore we will use this name from here on).

The ApplicationUrl (The Base URL for the Umbraco install) is implemented in a number of areas where a URL needs to be built such as Password Reset, User Invite, automated health check processes and others.

In cases where the administrator has not specifically configured an Application URL, Umbraco falls back to the following code to enumerate and then cache the URL for future use **by all users**:

**File:** **Umbraco.Web.Common\\Middleware\\UmbracoRequestMiddleware.cs**

public async Task InvokeAsync(HttpContext context, RequestDelegate next)
    //.. Truncated for brevity ..

    Uri currentApplicationUrl = GetApplicationUrlFromCurrentRequest(context.Request);
    \_hostingEnvironment.EnsureApplicationMainUrl(currentApplicationUrl);
    var pathAndQuery = context.Request.GetEncodedPathAndQuery();

The “**GetApplicationUrlFromCurrentRequest**” function call in the code above is responsible for enumerating the current URL based on the users’ inbound request. The code for this function is listed below, the key component from the attackers perspective is the “{request.Host}” variable, this is populated from _host_ header of the inbound HTTP request.

The attacker can manipulate the URL returned by the _GetApplicationUrlFromCurrentRequest_ function to point to his/her server by modifying the HTTP host header for any request to the Umbraco server.

private Uri GetApplicationUrlFromCurrentRequest(HttpRequest request){
    // We only consider GET and POST.
    // Especially the DEBUG sent when debugging the application is annoying because it uses http, even when the https is available.
    if (request.Method == "GET" || request.Method == "POST")
    {
         return new Uri($"{request.Scheme}://{request.Host}{request.PathBase}", UriKind.Absolute);
    }
         return null;
}

The attacker controlled URL value is then passed to the “_**EnsureApplicationMainUrl**_” function where it is cached via the “_**\_applicationUrls.TryAdd**_” function and used as the ApplicationUrl from that point onward (until the server is restarted).

Note that the Umbraco installation will save a new ApplicationUrl in cases where it hasn’t previously seen the supplied value. This means that when the attacker manipulates the ApplicationUrl, it will not be changed back when a subsequent benign request is received since the legitimate host value will have already been previously observed.

For completeness the _EnsureApplicationMainUrl function code is listed below:_

public void EnsureApplicationMainUrl(Uri currentApplicationUrl)
      {
          // Fixme: This causes problems with site swap on azure because azure pre-warms a site by calling into \`localhost\` and when it does that
          // it changes the URL to \`localhost:80\` which actually doesn't work for pinging itself, it only works internally in Azure. The ironic part
          // about this is that this is here specifically for the slot swap scenario https://issues.umbraco.org/issue/U4-10626

          // see U4-10626 - in some cases we want to reset the application url
          // (this is a simplified version of what was in 7.x)
          // note: should this be optional? is it expensive?

          if (currentApplicationUrl is null)
          {
              return;
          }

          if (\_webRoutingSettings.CurrentValue.UmbracoApplicationUrl is not null)
          {
              return;
          }

          var change = !\_applicationUrls.Contains(currentApplicationUrl);
          if (change)
          {
              if (\_applicationUrls.TryAdd(currentApplicationUrl))
              {
                  ApplicationMainUrl = currentApplicationUrl;
              }
          }
      }
  }

**Exploiting the Vulnerability**

To exploit this flaw the attacker needs to deliver a request to the Umbraco CMS with an “Host” header value set to point to the attackers server. This is possible when the Microsoft IIS Server bindings are not specifically configured to lock the server down to a specific hostname.

**Screenshot**: Leaving this field blank will serve the site for any hostname and allows the flaw to be exploited.

![](https://appcheck-ng.com/wp-content/uploads/site_bindings.png)

A quick test for this configuration is to access your site via its IP address rather than the hostname, if you see the site then bindings are configured to allow any hostname.

**Password Reset Poison**

When a user resets their password, a URL is created containing the password reset token that the user then clicks to configure a new password. This URL is built using the **ApplicationUrl** and can therefore be controlled by the attacker, the code below is called when the user resets their password, the “_Current.RuntimeState.ApplicationUrl_” variable contains the attacker controlled URL

**File:**  Umbraco.Web\\Editors\\AuthenticationController.cs (see lines 542 & 546 example code taken from Umbraco 8)

private string ConstructCallbackUrl(int userId, string code){
    //.. truncated for brevity..

    var applicationUri = Current.RuntimeState.ApplicationUrl;
    var callbackUri = new Uri(applicationUri, action); 
    return callbackUri.ToString();

A quick and easy was to exploit this flaw is to edit your local host file and add an alternative entry for the target site. On Windows, this can be found in ‘_c:\\windows\\system32\\drivers\\etc\\hosts_‘ (or /etc/hosts on Linux platforms). Add in the IP address along with the hostname that you want to set as the ApplicationUrl. For example, adding in the following entry will cause the ApplicationUrl to be set to https://appcheck-ng.com/ (assuming the target server has the IP address 192.168.0.70)

192.168.0.70        appcheck-ng.com

To complete the attack, access the server using the hostname configured in your hosts file, in this example https://appcheck-ng.com/ was used. Umbraco reports the new Application URL within the log as shown in the screenshot below:

![](https://appcheck-ng.com/wp-content/uploads/applicationurl.png)

To test that the attack has been successful in persistently modifying the ApplicationUrl, reset your password and observe the URL used in the password reset URL:

![](https://appcheck-ng.com/wp-content/uploads/passwordresetumbraco-1.png)

**Detection**

AppCheck has included detection for this flaw since June 2021, prior to this AppCheck was detecting this flaw as “Out-of-Band Service Interaction (HTTP)”.

**Solution**

**Partial Fix:**

A partial fix has been deployed in Umbraco version 9.2.0 by the vendor that includes the following improvements:

*   Password reset and user invites no longer use the cached ApplicationUrl. If no “UmbracoApplicationUrl” is configured, the value is enumerated again to use the hostname of the request invoking the password reset.
*   A health check process now warns the administrator that the UmbracoApplicationUrl is not configured and recommends they do so. Once set, none of the flaws described in this post are exploitable.

**Complete Fix:**

Whilst the above improves the situation and removes the most critical aspect of this vulnerability, there are still some areas that remain vulnerable, such as;

*   The password reset process could be invoked on behalf of the user with a malicious hostname set. The URL to reset the password is poisoned as before, however the user receives the email unexpectedly which would lower the likelihood of a successful attack (CVE-2022-22691).
*   Some components are not covered by the fix such as;  “Content Notifications, Healthcheck Notifications, and the Keep-Alive task”

A more comprehensive fix, available in all versions, is to specifically set the _UmbracoApplicationUrl_ within the Umbraco Configuration. See Umbraco Settings Docs

Alternatively, specifying a specific hostname within the IIS bindings will prevent this vulnerability from being exploited.

**Timeline**

**15/07/2021:** Reported to Umbraco & Detection added to AppCheck

**21/07/2021:** Umbraco confirms they can reproduce the issue

Discussions ongoing regarding the vulnerability and its pre-requisite configuration.

**06/12/2021:**  Chased for a resolution

**06/01/2022:** Patch released, however release notes did not state a security flaw had been resolved.

**13/01/2022:**  CVE’s Assigned: CVE-2022-22690 & CVE-2022-22691

**18/01/2022:** Advisory Published

In line with MIRE guidelines, two CVE’s were allocated. CVE-2022-22690 is used to track the vulnerability allowing the ApplicationUrl to be persistently overwritten. CVE-2022-22691 is used to track the ability to overwrite the password reset URL via the host header.

CVE-2022-22691: Umbraco ApplicationURL Overwrite & Persistent Password Reset Poison (CVE-2022-22690 & CVE-2022-22691)

Leostream Connection Broker 9.0.40.17 allows administrators to conduct directory traversal attacks by uploading z ZIP file that contains a symbolic link.

CVE-2021-41551

Hello everyone! This episode will be about Microsoft Patch Tuesday for January 2022. Traditionally, I will use my open source Vulristics tool for analysis. This time I didn’t make any changes to how connectors work. The report generation worked correctly on the first try. python3.8 vulristics.py --report-type "ms_patch_tuesday" --mspt-year 2022 --mspt-month "January" --rewrite-flag "True" The […]

Microsoft Patch Tuesday January 2022

IBM Sterling Gentran:Server for Microsoft Windows 5.3 stores potentially sensitive information in log files that could be read by a local user.  IBM X-Force ID:  213962.

CVE-2021-39032: IBM X-Force Exchange

Docker Desktop version 4.3.0 and 4.3.1 has a bug that may log sensitive information (access token or password) on the user's machine during login. This only affects users if they are on Docker Desktop 4.3.0, 4.3.1 and the user has logged in while on 4.3.0, 4.3.1. Gaining access to this data would require having access to the user’s local files.

_Estimated reading time: 8 minutes_

> **Update to the Docker Desktop terms**
> 
> Professional use of Docker Desktop in large organizations (more than 250 employees or more than $10 million in annual revenue) requires users to have a paid Docker subscription. While the effective date of these terms is August 31, 2021, there is a grace period until January 31, 2022 for those that require a paid subscription. For more information, see Docker Desktop License Agreement.

This page contains information about the new features, improvements, known issues, and bug fixes in Docker Desktop releases.

Take a look at the Docker Public Roadmap to see what’s coming next.

**Docker Desktop 4.3.2**

2021-12-21

> Download Docker Desktop
> 
> For Windows

**Upgrades**

docker scan v0.14.0

**Security**

**Log4j 2 CVE-2021-44228**: We have updated the `docker scan` CLI plugin. This new version of `docker scan` is able to detect Log4j 2 CVE-2021-44228 and Log4j 2 CVE-2021-45046

For more information, read the blog post Apache Log4j 2 CVE-2021-44228.

**Docker Desktop 4.3.1**

2021-12-11

> Download Docker Desktop
> 
> For Windows

**Upgrades**

docker scan v0.11.0

**Security**

**Log4j 2 CVE-2021-44228**: We have updated the `docker scan` CLI plugin for you. Older versions of `docker scan` in Docker Desktop 4.3.0 and earlier versions are not able to detect Log4j 2 CVE-2021-44228.

For more information, read the blog post Apache Log4j 2 CVE-2021-44228.

**Docker Desktop 4.3.0**

2021-12-02

> Download Docker Desktop
> 
> For Windows

**Upgrades**

*   Docker Engine v20.10.11
*   containerd v1.4.12
*   Buildx 0.7.1
*   Compose v2.2.1
*   Kubernetes 1.22.4
*   Docker Hub Tool v0.4.4
*   Go 1.17.3

**Bug fixes and minor changes**

*   Fixed an issue which prevented users from saving files from a volume using the Save As option in the Volumes UI. Fixes docker/for-win#12407.
*   Fixed an issue that caused Docker Desktop to fail during startup if the home directory path contains a character used in regular expressions. Fixes docker/for-win#12374.
*   Added a self-diagnose warning if the host lacks Internet connectivity.
*   Docker Desktop now uses cgroupv2. If you need to run `systemd` in a container then:
    *   Ensure your version of `systemd` supports cgroupv2. It must be at least `systemd` 247. Consider upgrading any `centos:7` images to `centos:8`.
    *   Containers running `systemd` need the following options: `--privileged --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw`.

**Known issue**

Docker Dashboard incorrectly displays the container memory usage as zero on Hyper-V based machines. You can use the `docker stats` command on the command line as a workaround to view the actual memory usage. See docker/for-mac#6076.

**Deprecation**

*   The following internal DNS names are deprecated and will be removed from a future release: `docker-for-desktop`, `docker-desktop`, `docker.for.mac.host.internal`, `docker.for.mac.localhost`, `docker.for.mac.gateway.internal`. You must now use `host.docker.internal`, `vm.docker.internal`, and `gateway.docker.internal`.
*   Removed: Custom RBAC rules have been removed from Docker Desktop as it gives `cluster-admin` privileges to all Service Accounts. Fixes docker/for-mac/#4774.

**Docker Desktop 4.2.0**

2021-11-09

> Download Docker Desktop
> 
> For Windows

**New**

**Pause/Resume**: You can now pause your Docker Desktop session when you are not actively using it and save CPU resources on your machine. For more information, see Pause/Resume.

*   Ships Docker Public Roadmap#226

**Software Updates**: The option to turn off automatic check for updates is now available for users on all Docker subscriptions, including Docker Personal and Docker Pro. All update-related settings have been moved to the **Software Updates** section. For more information, see Software updates.

*   Ships Docker Public Roadmap#228

**Window management**: The Docker Dashboard window size and position persists when you close and reopen Docker Desktop.

**Upgrades**

*   Docker Engine v20.10.10
*   containerd v1.4.11
*   runc v1.0.2
*   Go 1.17.2
*   Compose v2.1.1
*   docker-scan 0.9.0

**Bug fixes and minor changes**

*   Improved: Self-diagnose now also checks for overlap between host IPs and `docker networks`.
*   Fixed the position of the indicator that displays the availability of an update on the Docker Dashboard.
*   Fixed Docker Desktop sometimes hanging when clicking Exit in the fatal error dialog.
*   Fixed an issue that frequently displayed the **Download update** popup when an update has been downloaded but hasn’t been applied yet docker/for-win#12188.
*   Fixed installing a new update killing the application before it has time to shut down.
*   Fixed: Installation of Docker Desktop now works even with group policies preventing users to start prerequisite services (e.g. LanmanServer) docker/for-win#12291.

**Docker Desktop 4.1.1**

2021-10-12

> Download Docker Desktop
> 
> For Windows

**Bug fixes and minor changes**

*   Fixed a regression in WSL 2 integrations for some distros (e.g. Arch or Alpine). Fixes docker/for-win#12229
*   Fixed update notification overlay sometimes getting out of sync between the Settings button and the Software update button in the Dashboard.

**Docker Desktop 4.1.0**

2021-09-30

> Download Docker Desktop
> 
> For Windows

**New**

*   **Software Updates**: The Settings tab now includes a new section to help you manage Docker Desktop updates. The **Software Updates** section notifies you whenever there’s a new update and allows you to download the update or view information on what’s included in the newer version. For more information, see Software Updates.
*   **Compose V2** You can now specify whether to use Docker Compose V2 in the General settings.
*   **Volume Management**: Volume management is now available for users on any subscription, including Docker Personal. For more information, see Explore volumes. Ships Docker Public Roadmap#215

**Upgrades**

*   Compose V2
*   Buildx 0.6.3
*   Kubernetes 1.21.5
*   Go 1.17.1
*   Alpine 3.14
*   Qemu 6.1.0
*   Base distro to debian:bullseye

**Bug fixes and minor changes**

*   Fixed a bug related to anti-malware software triggering, self-diagnose avoids calling the `net.exe` utility.
*   Fixed filesystem corruption in the WSL 2 Linux VM in self-diagnose. This can be caused by microsoft/WSL#5895.
*   Fixed `SeSecurityPrivilege` requirement issue. See docker/for-win#12037.
*   Fixed CLI context switch sync with UI. See docker/for-win#11721.
*   Added the key `vpnKitMaxPortIdleTime` to `settings.json` to allow the idle network connection timeout to be disabled or extended.
*   Fixed a crash on exit. See docker/for-win#12128.
*   Fixed a bug where the CLI tools would not be available in WSL 2 distros.
*   Fixed switching from Linux to Windows containers that was stuck because access rights on panic.log. See for-win#11899.

**Known Issue**

Docker Desktop may fail to start when upgrading to 4.1.0 on some WSL-based distributions such as ArchWSL. See docker/for-win#12229

**Docker Desktop 4.0.1**

2021-09-13

> Download Docker Desktop
> 
> For Windows

**Upgrades**

*   Compose V2 RC3
    *   Compose v2 is now hosted on github.com/docker/compose.
    *   Fixed go panic on downscale using `compose up --scale`.
    *   Fixed a race condition in `compose run --rm` while capturing exit code.

**Bug fixes and minor changes**

*   Fixed a bug where Docker Desktop would not start correctly with the Hyper-V engine. See docker/for-win#11963
*   Fixed a bug where copy-paste was not available in the Docker Dashboard.

**Docker Desktop 4.0.0**

2021-08-31

> Download Docker Desktop
> 
> For Windows

**New**

Docker has announced updates and extensions to the product subscriptions to increase productivity, collaboration, and added security for our developers and businesses.

The updated Docker Subscription Service Agreement includes a change to the terms for **Docker Desktop**.

*   Docker Desktop **remains free** for small businesses (fewer than 250 employees AND less than $10 million in annual revenue), personal use, education, and non-commercial open source projects.
*   It requires a paid subscription (**Pro, Team, or Business**), for as little as $5 a month, for professional use in larger enterprises.
*   The effective date of these terms is August 31, 2021. There is a grace period until January 31, 2022 for those that will require a paid subscription to use Docker Desktop.
*   The Docker Pro and Docker Team subscriptions now **include commercial use** of Docker Desktop.
*   The existing Docker Free subscription has been renamed **Docker Personal**.
*   **No changes** to Docker Engine or any other upstream **open source** Docker or Moby project.

To understand how these changes affect you, read the FAQs. For more information, see Docker subscription overview.

**Upgrades**

*   Compose V2 RC2
    *   Fixed project name to be case-insensitive for `compose down`. See docker/compose-cli#2023
    *   Fixed non-normalized project name.
    *   Fixed port merging on partial reference.
*   Kubernetes 1.21.4

**Bug fixes and minor changes**

*   Fixed a bug where the CLI tools would not be available in WSL 2 distros.
*   Fixed a bug when switching from Linux to Windows containers due to access rights on `panic.log`. for-win#11899

Docker Desktop for Windows, release notes

CVE-2021-45449: Docker for Windows release notes

Zoho ManageEngine O365 Manager Plus before Build 4416 allows remote code execution via BCP file overwrite through the ChangeDBAPI component.

CVE-2021-44652: Microsoft 365 management, reporting, and auditing - ManageEngine M365 Manager Plus

Zoho ManageEngine M365 Manager Plus before Build 4419 allows remote command execution when updating proxy settings through the Admin ProxySettings and Tenant ProxySettings components.

CVE-2021-44650: Microsoft 365 management, reporting, and auditing - ManageEngine M365 Manager Plus

Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability.

CVE-2022-21871

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21954.

CVE-2022-21970

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21929, CVE-2022-21931.

Tag

#microsoft