Risk to assign system admin privileges by restricted admin users (eGov14136)

Last update: 11 March 2022

ID: eGov14136

Affected Components: Fabasoft eGov-Suite 2019/2020/2021/2022

Severity: not scored

Status: Final

First published: 10.03.2022

CVEs: -

Summary

Users holding a position that does not grant system administrative permissions may nevertheless have permission to edit their own user object, allowing them to self-assign a user role / position with system administrative permissions.

In the Fabasoft eGov-Suite, some positions (like "Fachadministrator", "Mandantenadministrator" or "Dienststellenadministrator") are limited administrative positions, but they have permission to edit their own user object and can add the "Systemadministration" position to their own user object and to those of other users.

Depending on the Fabasoft Solution and the custom ACLs in the customer's installation, restricted administrators may or may not be able to exploit this security leak.

Impact

A Fabasoft eGov-Suite user with restricted administrative permissions (like "Fachadministrator", "Mandantenadministrator" or "Dienststellenadministrator") may be able to edit their own user object and add a user role with full administrative privileges.

Remediation

Please double-check the user roles assigned to all active user objects, and verify that only authorised users hold the System Administration position.

Hotfix information

Fabasoft provides hotfixes for the following Fabasoft eGov-Suite versions:

  • Fabasoft eGov-Suite 2022 (from 22.0.0.244.18)
  • Fabasoft eGov-Suite 2021 Update Rollup 3 (from 21.1.3.24.121)
  • Fabasoft eGov-Suite 2020 Update Rollup 5 (from 20.1.5.70.34)
  • Fabasoft eGov-Suite 2019 Update Rollup 3 (from 19.2.3.131.51)

The correction is already included in:

  • Fabasoft eGov-Suite 2022 Update Rollup 1
  • Fabasoft eGov-Suite 2022 April Release

With the corrected functionality, an additional security check is performed whenever a change to a user's roles or tenants is attempted. Furthermore, an audit log entry is written on every change of the user roles.

Fabasoft recommends contacting your Fabasoft representative to have your installation checked for this issue.
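The corrected behaviour described above (a security check on role changes plus an audit log entry) and the remediation check (listing who holds the System Administration position), modelled as an added Python example. This is not Fabasoft code: the User/Directory classes, positions as plain strings, the audit log format and the sample users are assumptions made for illustration.

```python
from dataclasses import dataclass, field

SYSADMIN = "Systemadministration"  # position name from the advisory


@dataclass
class User:
    name: str
    positions: set[str]


@dataclass
class Directory:
    """Hypothetical user directory; not the eGov-Suite object model."""
    users: dict[str, User]
    auditlog: list[dict] = field(default_factory=list)

    def change_positions(self, actor: str, target: str, new_positions: set[str]) -> dict:
        """Apply a position change after the security check; every attempt is audit-logged."""
        actor_u, target_u = self.users[actor], self.users[target]
        added = set(new_positions) - target_u.positions
        removed = target_u.positions - set(new_positions)
        entry = {"actor": actor, "target": target, "added": sorted(added), "removed": sorted(removed)}
        # Security check: only a holder of the system-administration position may grant
        # or revoke it, whether on the actor's own user object or on someone else's.
        if (SYSADMIN in added or SYSADMIN in removed) and SYSADMIN not in actor_u.positions:
            entry["result"] = "denied"
            self.auditlog.append(entry)
            raise PermissionError(f"{actor} may not change {SYSADMIN} on {target}")
        target_u.positions = set(new_positions)
        entry["result"] = "applied"
        self.auditlog.append(entry)
        return entry

    def sysadmin_holders(self) -> list[str]:
        """Remediation check: every active user holding the system-administration position."""
        return sorted(u.name for u in self.users.values() if SYSADMIN in u.positions)


def build_sample_directory() -> Directory:
    # Constructed sample data: one real system administrator and one restricted admin.
    return Directory(users={
        "root": User("root", {SYSADMIN}),
        "fa": User("fa", {"Fachadministrator"}),
    })


if __name__ == "__main__":
    d = build_sample_directory()
    try:  # restricted admin editing their own user object to add Systemadministration
        d.change_positions("fa", "fa", {"Fachadministrator", SYSADMIN})
    except PermissionError as e:
        print("blocked:", e)
    d.change_positions("root", "fa", {"Fachadministrator", SYSADMIN})  # legitimate grant
    print("system administrators:", d.sysadmin_holders())
    print("audit log:", d.auditlog)
```

The denied attempt still produces an audit log entry, which is the signal a reviewer would look for when checking an installation for self-assigned administrative positions.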