UPDATED 09:00 EDT / JULY 10 2024


Security vulnerability in NSA training tool allowed unauthorized content modifications

Founded by President Harry Truman in 1952, the U.S. National Security Agency is supposed to provide security through intelligence gathering, but what happens when it overlooks its own security?

A new report from Contrast Security Inc. today details just that: a security vulnerability found in SkillTree, an open-source NSA training platform maintained on GitHub. The vulnerability exposed systems to cross-site request forgery attacks, allowing attackers to modify training content without proper authorization.

SkillTree was launched in 2020 and was pitched at the time as an internally developed open-source solution for gamifying user training. The vulnerability allowed attackers to target logged-in administrators and modify training content such as videos, captions and text without proper authorization.

The vulnerability was discovered through Contrast Security’s AutoAssess project and was found to be due to the lack of CSRF protections in SkillTree, particularly in endpoints that handle state-changing operations. CSRF protections are security measures that ensure requests made to a web application are legitimate and originate from the authenticated user; they are typically implemented with unique, per-session tokens that a forged cross-site request cannot supply, which prevents unauthorized state changes.

Tracked as CVE-2024-39326, the vulnerability was discovered on June 12 and rated as moderate in severity. According to the report, it stems from the absence of unique transaction tokens in multiple endpoints, which leaves the platform susceptible to unauthorized state changes.

In one example, attackers can manipulate the “/admin/projects/{projectname}/skills/{skillname}/video” endpoint to alter training materials, compromising the integrity of the training content provided by SkillTree. The manipulation can include uploading unauthorized videos or changing captions and transcripts, leading to potential misinformation or disruption of the training process.

After identifying the vulnerability, Contrast Security informed the NSA maintainers, who subsequently released a patched version of SkillTree on July 2. The fix involved implementing Spring Security’s CSRF protection, which uses the CSRF Token pattern to prevent such attacks.
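To make the mechanism behind the vulnerability and its fix concrete, the following is an added illustration written for this article; it is not SkillTree code and not Contrast Security’s report. It models a state-changing “video” endpoint in two forms: an unprotected handler that accepts any request carrying the administrator’s session cookie, and the same handler behind a synchronizer-token check of the kind Spring Security’s CSRF protection performs. The session store, request object, endpoint path and video URLs are all constructed for the example; the only thing taken from the article is the shape of the endpoint.

```python
"""Synchronizer-token CSRF check, before and after, as a self-contained model.

Hypothetical code for illustration only (not SkillTree's implementation).
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Methods that change server state and therefore must carry a CSRF token.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Session:
    """Server-side session bound to the browser's cookie (constructed model)."""
    user: str
    # One unpredictable token per session; only the application's own pages can read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal request model. `session` is what the cookie resolves to,
    and the browser attaches that cookie even for cross-site requests."""
    method: str
    path: str
    session: Optional[Session]
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def presented_token(req: Request) -> Optional[str]:
    """Accept the token from an AJAX header or a hidden form field."""
    return req.headers.get("X-CSRF-TOKEN") or req.form.get("_csrf")


def check_csrf(req: Request):
    """Return (allowed, reason). Safe methods pass; state changes need a matching token."""
    if req.method.upper() not in STATE_CHANGING_METHODS:
        return True, "safe method"
    if req.session is None:
        return False, "no session"
    token = presented_token(req)
    if not token:
        return False, "missing token"
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(token.encode(), req.session.csrf_token.encode()):
        return False, "token mismatch"
    return True, "token ok"


def unprotected_video_update(req: Request, store: Dict[str, str]) -> int:
    """'Before': a valid session cookie is the only requirement."""
    if req.session is None:
        return 401
    store[req.path] = req.form.get("video_url", "")
    return 200


def protected_video_update(req: Request, store: Dict[str, str]) -> int:
    """'After': the same handler, gated by the synchronizer-token check."""
    if req.session is None:
        return 401
    allowed, _ = check_csrf(req)
    if not allowed:
        return 403
    store[req.path] = req.form.get("video_url", "")
    return 200


def simulate() -> dict:
    """Drive both handlers with a forged and a legitimate request (constructed data)."""
    admin = Session(user="admin")
    path = "/admin/projects/demo/skills/intro/video"  # constructed, matches the endpoint shape
    store_before: Dict[str, str] = {}
    store_after: Dict[str, str] = {}
    # Forged cross-site request: the cookie rides along, but the attacker's page
    # has no way to read the admin's token, so none is presented.
    forged = Request("POST", path, admin, form={"video_url": "https://example.invalid/forged.mp4"})
    # Legitimate request from the application's own UI, which embeds the token.
    legit = Request("POST", path, admin,
                    headers={"X-CSRF-TOKEN": admin.csrf_token},
                    form={"video_url": "https://example.invalid/real.mp4"})
    return {
        "before_forged": unprotected_video_update(forged, store_before),
        "after_forged": protected_video_update(forged, store_after),
        "after_legit": protected_video_update(legit, store_after),
        "after_store": dict(store_after),
        "get_allowed": check_csrf(Request("GET", path, admin))[0],
        "wrong_token": check_csrf(Request("POST", path, admin, headers={"X-CSRF-TOKEN": "x"}))[1],
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The point of the model is the asymmetry it makes visible: the session cookie is something the browser sends on the victim’s behalf regardless of which site issued the request, whereas the token is something only the application’s own pages can read and echo back. Frameworks such as Spring Security implement the same pattern, so the practical check when reviewing a Spring application is that CSRF protection has not been disabled and that every state-changing endpoint is reached through a method the filter enforces.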

While the vulnerability may only be ranked with medium severity, the fact that the U.S. chief international spying agency can’t get its security right highlights the increasing risks associated with open-source projects on platforms such as GitHub.

However, Contrast founder and Chief Technology Officer Jeff Williams points out in the report that there is “no point throwing rocks at the NSA over this,” as we are “all living in glass houses as it is.”

“Healthy security means that you will find vulnerabilities and fix them,” Williams notes. “This isn’t the story of a mistake. It’s the story of doing it right — by using great tools and fixing issues quickly.”
