
Overview

The Indian Computer Emergency Response Team (CERT-In) has warned users about five high-severity vulnerabilities in Apex Softcell’s mobile stock trading and back-office platforms.

The 32-year-old private company focuses on products and solutions for capital markets and the financial industry, making any vulnerability potentially critical.

According to the CERT-In advisory published last week, the vulnerabilities affect Apex Softcell LD Geo versions prior to 4.0.0.7 and LD DP Back Office versions prior to 24.8.21.1 and could allow a remote attacker to perform user enumeration, bypass OTP verification, manipulate unauthorized transactions, or gain unauthorized access to sensitive information of other user accounts.

Affected Products and Vulnerabilities

The affected products are Apex Softcell LD Geo versions prior to 4.0.0.7 and Apex Softcell LD DP Back Office versions prior to 24.8.21.1. Five CVE identifiers have been assigned to the vulnerabilities, CVE-2024-47085 through CVE-2024-47089, although their CVE records had not yet been published when the advisory was released.

CVE-2024-47085: Parameter Manipulation Vulnerability

This LD DP Back Office vulnerability stems from improper validation of the parameters “cCdslClicentcode” and “cLdClientCode” in an API endpoint. An authenticated remote attacker could exploit it by substituting another client's codes for these parameters in the API request body, exposing sensitive information belonging to other users.

CVE-2024-47086: OTP Bypass Vulnerability

This LD DP Back Office vulnerability is caused by an improper implementation of the OTP validation mechanism in certain API endpoints. An authenticated remote attacker could exploit it by submitting arbitrary OTP values and then altering the API response so that verification appears to succeed, thereby bypassing OTP verification for other user accounts.

CVE-2024-47087: Information Disclosure Vulnerability

This vulnerability in LD Geo is due to improper validation of certain parameters (Client ID, DPID, or BOID) in the API endpoint. Authenticated remote attackers could exploit this vulnerability by manipulating parameters in the API request body, leading to sensitive information exposure.

CVE-2024-47088: User Enumeration Vulnerability

This LD Geo vulnerability stems from missing restrictions on excessive failed authentication attempts against its API-based login. A remote attacker could exploit it by brute-forcing the login OTP, which could lead to unauthorized access to other user accounts.
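The two OTP findings above (CVE-2024-47086 and CVE-2024-47088) share a root cause: the server either trusts the client's view of whether the OTP step passed, or lets a caller guess indefinitely. The following is an added example written for this article, not code from Apex Softcell, CERT-In or Cyble, of how a server-side OTP check closes both gaps. The account identifiers, the attempt budget, the lockout and TTL values, and the in-memory stores are assumptions chosen for the illustration.

```python
"""Server-side OTP verification with attempt limiting.

Added illustration of the OTP-bypass and missing-lockout issues described
above; this is not code from Apex Softcell, CERT-In or Cyble. Account
identifiers, limits and the in-memory stores are assumptions for the example.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300     # assumed validity window for an issued OTP
MAX_OTP_ATTEMPTS = 5      # assumed failure budget per issued OTP
LOCKOUT_SECONDS = 900     # assumed lockout once the budget is spent


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0
    locked_until: float = 0.0


class OtpService:
    """Keeps the OTP and the 'second factor passed' state on the server only."""

    def __init__(self, clock=time.time):
        self._clock = clock                       # injectable so tests can move time
        self._pending: dict[str, OtpRecord] = {}
        self._verified: set[str] = set()

    def issue(self, account_id: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[account_id] = OtpRecord(code=code, issued_at=self._clock())
        self._verified.discard(account_id)
        # Delivered out of band (SMS/e-mail) in a real system; returned here so the
        # caller in this example can complete the flow.
        return code

    def verify(self, account_id: str, submitted: str) -> dict:
        """Returns the API response body. The outcome is recorded server-side,
        so a client that rewrites this body on the wire gains nothing."""
        now = self._clock()
        rec = self._pending.get(account_id)
        if rec is None:
            return {"verified": False, "reason": "no_pending_otp"}
        if now < rec.locked_until:
            return {"verified": False, "reason": "locked_out"}
        if now - rec.issued_at > OTP_TTL_SECONDS:
            del self._pending[account_id]
            return {"verified": False, "reason": "expired"}
        # Constant-time comparison; the OTP is single use, so consume it on success.
        if hmac.compare_digest(rec.code.encode(), submitted.encode()):
            del self._pending[account_id]
            self._verified.add(account_id)
            return {"verified": True, "reason": "ok"}
        rec.attempts += 1
        if rec.attempts >= MAX_OTP_ATTEMPTS:
            rec.locked_until = now + LOCKOUT_SECONDS
            return {"verified": False, "reason": "locked_out"}
        return {"verified": False, "reason": "invalid"}

    def sensitive_action(self, account_id: str, client_claims_verified: bool) -> bool:
        """The privileged endpoint ignores whatever the client says about the OTP
        step (the flag is accepted only to show that it is not consulted) and
        checks the server-side state instead."""
        del client_claims_verified
        return account_id in self._verified
```

The point of `sensitive_action` is that the "verified" flag in the response is informational: flipping it in transit, as the CVE-2024-47086 description implies, does not change the server-side set that the privileged endpoint consults. The attempt counter and lockout address CVE-2024-47088; a six-digit OTP with no limit falls to at most a million guesses, while five attempts per issued code makes the expected success rate negligible.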

CVE-2024-47089: Unauthorized Transaction Manipulation Vulnerability

This LD Geo vulnerability is caused by improper validation of the transaction token ID in the API endpoint. Authenticated remote attackers could exploit this by manipulating the transaction token ID in the API request, leading to unauthorized access and modification of transactions belonging to other users.
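CVE-2024-47085, CVE-2024-47087 and CVE-2024-47089 are all the same class of bug: the endpoint authenticates the caller but never checks that the client code, BOID or transaction token in the request body belongs to that caller. The example below is added for this article and is not Apex Softcell, CERT-In or Cyble code. Only the parameter name cLdClientCode is taken from the advisory; the request body layout, the transactionToken field, the record formats and the sample data are assumptions constructed for the illustration.

```python
"""Object-level authorization for client-scoped API parameters.

Added illustration of the pattern behind the three parameter-manipulation
findings above; this is not code from Apex Softcell, CERT-In or Cyble. Only the
parameter name cLdClientCode comes from the advisory; the request body layout,
the transactionToken field, the record formats and the data are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    client_codes: frozenset      # client codes this authenticated login may act for


class AuthorizationError(Exception):
    pass


# Constructed sample stores: one holdings record per client code, transactions by token.
HOLDINGS = {
    "CL001": {"owner": "user_a", "holdings_value": 1500.0},
    "CL002": {"owner": "user_b", "holdings_value": 90210.0},
}
TRANSACTIONS = {
    "TXN-1001": {"client_code": "CL001", "qty": 10, "status": "pending"},
    "TXN-2001": {"client_code": "CL002", "qty": 500, "status": "pending"},
}


def holdings_vulnerable(session: Session, body: dict) -> dict:
    """Authenticated but not authorized: whatever cLdClientCode the body
    carries is looked up, so another client's record is one edited field away."""
    return HOLDINGS[body["cLdClientCode"]]


def holdings_fixed(session: Session, body: dict) -> dict:
    """Same lookup, but the client code must belong to the caller's session."""
    code = body.get("cLdClientCode")
    if code not in session.client_codes:
        raise AuthorizationError("client code is not owned by the caller")
    return HOLDINGS[code]


def holdings_from_session(session: Session) -> list:
    """Stronger variant: do not accept the client code from the request at all;
    serve exactly the codes the session is entitled to."""
    return [HOLDINGS[c] for c in sorted(session.client_codes) if c in HOLDINGS]


def modify_transaction_vulnerable(session: Session, body: dict) -> dict:
    """Treats the transaction token as proof of ownership: anyone who can guess
    or observe TXN-2001 can change its status."""
    txn = TRANSACTIONS[body["transactionToken"]]
    txn["status"] = body["status"]
    return txn


def modify_transaction_fixed(session: Session, body: dict) -> dict:
    """Load the record, then check it belongs to a client code the session owns.
    'Missing' and 'not yours' return the same error so the endpoint cannot be
    used to enumerate valid tokens."""
    txn = TRANSACTIONS.get(body.get("transactionToken"))
    if txn is None or txn["client_code"] not in session.client_codes:
        raise AuthorizationError("transaction not found")
    txn["status"] = body["status"]
    return txn
```

The check has to happen on every endpoint that accepts a record identifier, and against the owning relationship stored server-side, not against anything else in the request. Where a session maps to exactly one client, the `holdings_from_session` form is preferable because there is no parameter left to manipulate.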

Users should upgrade Apex Softcell LD Geo to version 4.0.0.7 and Apex Softcell LD DP Back Office to version 24.8.21.1.

Conclusion

Remote attackers could manipulate transactions, bypass authentication, and access sensitive user information, so the implications of these vulnerabilities could be severe. To mitigate these risks, all users of Apex Softcell LD Geo and LD DP Back Office should upgrade immediately to the fixed versions, 4.0.0.7 and 24.8.21.1 respectively. Timely patching and proactive monitoring are essential to protect sensitive financial data and maintain the integrity of trading operations.

Mitigation and Recommendations

  • Users must upgrade to Apex Softcell LD Geo version 4.0.0.7 and LD DP Back Office version 24.8.21.1 to close the identified vulnerabilities.
  • Ensure that all API endpoints validate input parameters rigorously to prevent parameter manipulation and unauthorized access.
  • Employ anomaly detection systems to identify unusual patterns, such as excessive failed login attempts, which may indicate brute-force attacks.
  • Perform periodic security assessments and penetration testing on the trading platforms to identify and address vulnerabilities proactively.
  • Train users to recognize potential phishing attempts and unauthorized access attempts, reinforcing the importance of strong, unique passwords.
  • Enforce the principle of least privilege, granting users only the access necessary for their roles, thereby reducing the impact of a compromised account.
  • Subscribe to security advisories and maintain awareness of newly discovered vulnerabilities related to the software in use to ensure timely responses.
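The recommendation to watch for excessive failed login attempts is straightforward to turn into a detection. The following is an added example for this article, not Cyble's, CERT-In's or Apex Softcell's code: it runs two sliding-window failure counts (per target account and per source IP) and an enumeration rule (one source failing against many distinct accounts) over JSON login-event logs. The log format, field names and thresholds are assumptions, and the log lines are constructed for the example using documentation address ranges.

```python
"""Brute-force and enumeration detection over API login logs.

Added example for the "excessive failed login attempts" recommendation above;
this is not Cyble's, CERT-In's or Apex Softcell's code. The JSON log format,
field names and thresholds are assumptions, and the log lines are constructed
for this example (addresses are from documentation ranges).
"""
import json
from collections import defaultdict, deque
from datetime import datetime

FAILURE_THRESHOLD = 5         # assumed: failures per account or per IP inside the window
WINDOW_SECONDS = 60           # assumed sliding window
DISTINCT_ACCOUNTS_PER_IP = 3  # assumed: distinct accounts failed from one IP

# Constructed sample: a fast OTP brute force against CL001, a legitimate user who
# mistypes twice, and one source walking several account codes.
SAMPLE_LOG = """\
{"ts": "2024-10-01T09:00:01Z", "src_ip": "203.0.113.7", "account": "CL001", "event": "otp_failed"}
{"ts": "2024-10-01T09:00:03Z", "src_ip": "203.0.113.7", "account": "CL001", "event": "otp_failed"}
{"ts": "2024-10-01T09:00:05Z", "src_ip": "203.0.113.7", "account": "CL001", "event": "otp_failed"}
{"ts": "2024-10-01T09:00:07Z", "src_ip": "203.0.113.7", "account": "CL001", "event": "otp_failed"}
{"ts": "2024-10-01T09:00:09Z", "src_ip": "203.0.113.7", "account": "CL001", "event": "otp_failed"}
{"ts": "2024-10-01T09:00:11Z", "src_ip": "203.0.113.7", "account": "CL001", "event": "otp_failed"}
{"ts": "2024-10-01T09:00:20Z", "src_ip": "192.0.2.5", "account": "CL009", "event": "otp_failed"}
{"ts": "2024-10-01T09:00:25Z", "src_ip": "192.0.2.5", "account": "CL009", "event": "otp_failed"}
{"ts": "2024-10-01T09:00:30Z", "src_ip": "192.0.2.5", "account": "CL009", "event": "otp_ok"}
{"ts": "2024-10-01T09:01:00Z", "src_ip": "198.51.100.23", "account": "CL002", "event": "otp_failed"}
{"ts": "2024-10-01T09:01:02Z", "src_ip": "198.51.100.23", "account": "CL003", "event": "otp_failed"}
{"ts": "2024-10-01T09:01:04Z", "src_ip": "198.51.100.23", "account": "CL004", "event": "otp_failed"}
"""

FAILURE_EVENTS = {"otp_failed", "login_failed"}


def parse_events(log_text: str):
    """Yield one dict per non-empty line, with an epoch-seconds 't' added."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["t"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")).timestamp()
        yield rec


def detect(log_text: str) -> list:
    """Return one alert per (rule, key) the first time its threshold is crossed."""
    alerts = []
    fired = set()
    fails_by_account = defaultdict(deque)
    fails_by_ip = defaultdict(deque)
    failed_accounts_by_ip = defaultdict(set)

    def fire(rule, key, count, ts):
        if (rule, key) not in fired:
            fired.add((rule, key))
            alerts.append({"rule": rule, "key": key, "count": count, "at": ts})

    for rec in parse_events(log_text):
        if rec["event"] not in FAILURE_EVENTS:
            continue
        t = rec["t"]
        # Sliding-window failure counts, keyed by target account and by source IP.
        for rule, window, key in (
            ("otp_bruteforce_account", fails_by_account, rec["account"]),
            ("otp_bruteforce_ip", fails_by_ip, rec["src_ip"]),
        ):
            q = window[key]
            q.append(t)
            while q and t - q[0] > WINDOW_SECONDS:
                q.popleft()
            if len(q) >= FAILURE_THRESHOLD:
                fire(rule, key, len(q), rec["ts"])
        # Enumeration: one source failing against many different account codes.
        tried = failed_accounts_by_ip[rec["src_ip"]]
        tried.add(rec["account"])
        if len(tried) >= DISTINCT_ACCOUNTS_PER_IP:
            fire("user_enumeration_ip", rec["src_ip"], len(tried), rec["ts"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the two brute-force rules fire on the fifth failure against CL001 at 09:00:09, the legitimate user at 192.0.2.5 stays below every threshold, and the enumeration rule fires once 198.51.100.23 has failed against three different account codes. Thresholds are the knob to tune against your own baseline of typo rates; the per-IP rule alone is easy to evade from a distributed source, which is why the per-account window is kept as well.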

The post Apex Softcell Flaws Could Lead to Unauthorized Transactions, CERT-In Warns appeared first on Cyble.