Valuable medical research data is seriously affected by multiple LabKey vulnerabilities

Cybersecurity researchers found a total of three vulnerabilities in a popular open source medical data collaboration tool. Sadly, it seems that this important piece of software leaves healthcare research data, and potentially subject information, unprotected against several attacks, including cross-site scripting (XSS).

For those who don’t know, LabKey Server is a software suite available for scientists to integrate, analyze and share biomedical research data. The platform is, in fact, a data repository that allows web-based querying, reporting and collaborating across a range of data sources.

The danger is real: an attacker who exploits these flaws can steal a targeted victim's credentials with a single click on a malicious link.

The affected release is LabKey Server Community Edition 18.2-60106.64. Exploited properly, the three flaws give an unauthenticated attacker the ability to run arbitrary code in a user's browser, to create open redirects that send users to malicious URLs, and, after gaining administrative access, to map malicious network drives.

If attacks against LabKey installations spread, the websites, public health organizations, medical research centers and universities around the globe that rely on it could suffer serious consequences.

During a basic Shodan search, the researchers found multiple exposed LabKey servers vulnerable to this kind of attack. To make matters worse, they say these servers are easy to find because they use a distinctive Set-Cookie header that contains X-LAB-CSRF.

Remember, anything can be hacked. To stay away from online threats, we recommend installing antivirus for Windows or antivirus for Mac on every device you own, depending on the OS it runs. If you are a company, we also recommend hiring a specialized cybersecurity firm every year to run annual tests on your network, including penetration testing and ethical hacking tests.

The 3 big problems:

The first vulnerability is CVE-2019-3911, an XSS flaw that stems from unvalidated query functions. If exploited, it enables a cross-site scripting attack that lets an attacker run arbitrary code within the context of the user's browser.

The second flaw is CVE-2019-3912: if exploited, it allows open redirects because the returnUrl parameter is not sanitized.

The third is CVE-2019-3913, a logic flaw in LabKey Server's network drive mapping functionality. It gives a hacker administrative access to LabKey Server's web interface.

An example attack scenario for CVE-2019-3912: a hacker sets up a fake login page and sends the link to an unsuspecting victim, who tries to log in to the LabKey server, and the hacker steals the login credentials.
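The open redirect behind CVE-2019-3912 comes from trusting the returnUrl value as given. As an added example (not LabKey's own code), this is the kind of check that closes the hole: redirect only to an application-relative path or to an allow-listed host, and fall back to a fixed landing page for everything else. The host name and landing path below are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed placeholders, not LabKey settings.
ALLOWED_HOSTS = {"labkey.example.org"}
DEFAULT_LANDING = "/labkey/project/home/begin.view"


def safe_return_url(return_url, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_LANDING):
    """Return a redirect target that stays on the application, or the default.

    Accepts only (a) an absolute-path reference beginning with a single "/"
    or (b) an absolute http(s) URL whose host is on the allow-list. Anything
    else (other schemes, scheme-relative "//host", "///host", backslash
    tricks, embedded whitespace or control characters) is replaced by the
    default landing page instead of being followed.
    """
    if not return_url:
        return default
    # Browsers strip leading whitespace/control characters before parsing,
    # so a value like "\t//evil" would still redirect off-site; reject it.
    if any(c <= " " or c == "\x7f" for c in return_url):
        return default
    # Many browsers treat "\" as "/", so "/\evil.example" becomes "//evil.example".
    if "\\" in return_url:
        return default

    parts = urlsplit(return_url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: require exactly one leading slash. "//host" is
        # already caught by netloc; "///host" is collapsed to "//host" by the
        # browser, so refuse any value that starts with two slashes.
        if return_url.startswith("/") and not return_url.startswith("//"):
            return return_url
        return default

    # Absolute URL: only http(s) to an allow-listed host. Using .hostname
    # (not .netloc) defeats "https://allowed.host@evil.example/" tricks.
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return return_url
    return default


if __name__ == "__main__":
    for candidate in ("/labkey/project/home/begin.view", "//evil.example/login",
                      "https://labkey.example.org@evil.example/", "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {safe_return_url(candidate)}")
```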

If a hacker chooses to exploit CVE-2019-3911, the attack looks like this: the hacker crafts a malicious link that carries extra JavaScript, which runs in the victim's browser once the link is opened. After execution, the JavaScript sends the user's cookies to the hacker, who then has the victim's session ID.

LabKey has released server version 18.3.0-61806.763; all users are urged to update as soon as possible.

We will continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for attacks. Remember to use an antivirus for Windows or antivirus for Mac on every device you own, depending on the OS your machine runs. If you are a company, we recommend hiring a specialized cybersecurity firm every year to run annual tests on your network, including penetration testing and ethical hacking.