Vulnerabilities Patched in Kiuwan Code Security Products After Long Disclosure Process

June 6, 2024 at 08:18AM

Kiuwan, a code security firm owned by US-based Idera, took almost two years to patch critical vulnerabilities in its SAST and Local Analyzer products. Discovered by SEC Consult, the flaws included XSS, XXE injection, privilege escalation, and IDOR issues, posing significant security risks to users. Despite extensive coordination, Kiuwan’s response time raised concerns.

– Kiuwan, a code security firm owned by US-based B2B productivity tools provider Idera, took nearly two years to patch several potentially serious vulnerabilities discovered in its static application security testing (SAST) products.

– The vulnerabilities were found by a researcher at Eviden-owned cybersecurity consultancy SEC Consult and were first reported to the vendor in November 2022. Patches were released for the cloud-based product in February 2024 and the on-premises version in late May.

– Johannes Greil, head of SEC Consult’s Vulnerability Lab, handled communications with the vendor and described it as the longest coordinated vulnerability disclosure process ever.

– The vulnerabilities include a reflected cross-site scripting (XSS) flaw affecting Kiuwan installations with SSO enabled, an XXE injection vulnerability allowing an attacker to extract operating system files, and a vulnerability allowing an attacker to escalate privileges to root.

– Kiuwan applications were also found to be affected by an insecure direct object reference (IDOR) bug, which allows authenticated users to view information they should not have access to, and to contain several hardcoded secrets stored in plain text, potentially compromising the confidentiality of scan results.

– SecurityWeek’s attempts to reach out to Kiuwan for clarifications on the lengthy patching process went unanswered.
