Email Received for: Critical: Mura Security Vulnerability Discovered - Immediate Remediation Required


Dave Hunsberger

Dec 22, 2022, 3:06:23 PM
to Mura Digital Experience Platform
We received an email with this thread subject line, purporting to be from "john...@murasoftware.com". I verified the murasoftware.com domain, and we reached out to that email address to query for more information (in case the email was spoofed), and were responded to with a quote for $5k/install to patch old Mura installs, or to upgrade version + patch for $6k/install, so the email address seems monitored/legit, and John Haff does seem to work for Mura, according to a web search.

The full text of the emails is below (and truthfully reads like a scam email); I just was wondering if anyone else running Mura < 10 also received these emails. We are not necessarily planning on following up further, unless this does turn out to be an actual incident, with multiple reports of the need for a patch (and even then, it seems like the patch file would be posted here at some point, not on a per-install charge basis).

I would think this would have been a major announcement that warranted more than just an email if it were true, no?

=== BEGIN FULL EMAIL TEXT ====

Hi Dave,

During our recent Mura security testing, we found a security vulnerability in Mura that requires installation of a patch to remediate the issue. If exploited, a hacker could gain access to the administrative capabilities of Mura thereby allowing the hacker control of your websites and other protected website assets.  

If you are still using Mura, we strongly suggest upgrading to Mura 10, the current, supported version of Mura. This will address the current vulnerability, and potential issues in the future (along with other significant feature upgrades).

We are also providing the option to assist you with installing the patch in older, unsupported versions of Mura for a fee. This would allow you time to decide next steps while remediating the current security issue.

Please reply for more information about either option. We are available to assist right away.

The security issue is an authentication vulnerability found in all versions of Mura CMS. Specifically, an authentication vulnerability found in the Mura administrator login process needs to be updated to avoid any potential exploitation. To date, there have been no known exploitation incidents outside of security testing that brought this to our attention. To prevent unauthorized access to your Mura CMS, you can contact us to upgrade and/or manually update your older version.

Thank you for your attention to this important matter. We appreciate your use of Mura in the past and want to ensure your security needs can be addressed even if you are using an unsupported version.

Best regards,

Dave

=== END FULL EMAIL TEXT ====
(I did note that they used my name to sign off instead of theirs, which screamed scam)

We requested more information, and received reply:

==== BEGIN RESPONSE EMAIL TEXT ====

Hi Dave,

Regarding the security vulnerability, it is an authentication vulnerability found in the login process that needs to be updated to avoid any potential exploitation.

We have two paths forward for the fix. We offer to install the patch on one Mura instance for a one-time fee of $5,000 USD. To install the patch on additional Mura instances, we’d just charge time and materials for the time applying the patch, if it requires additional time.

The other option, which we strongly recommend, is purchasing a license to upgrade for $6,000 USD/yr per domain. This includes the patch in the meantime, and gives you the option to upgrade to the supported version and will mitigate risk for any incident like this in the future.

I’ll draft up a formal ordering document for whichever path seems to best fit your needs.

Thank you very much,

John

==== END RESPONSE EMAIL TEXT ====

Vincent de Winter

Dec 22, 2022, 3:12:41 PM
to mura-cms-...@googlegroups.com
Hi Dave,

That is quite a lot of money. As an alternative, we can make you a better deal. We can migrate you to the latest version of MasaCMS. We wrote the actual fix to the discovered vulnerability.

Cheers
Vincent

To view this discussion on the web visit https://groups.google.com/d/msgid/mura-cms-developers/0c96da39-f733-4964-a92a-b58d748b8d01n%40googlegroups.com.

Dave Hunsberger

Dec 22, 2022, 5:18:56 PM
to Mura Digital Experience Platform
Vincent, exactly what our response was too!

I actually saw a post about MasaCMS on here (may have been one of yours, even), installed it easily, and it's on the table for internal discussion to potentially move in that direction. Appreciate the response!

Do you mind expounding on the fix at all? Was it a complete admin auth rewrite, or some tweaks that can be done to mitigate the attack vector if someone were to patch their own install?

Thanks either way,
-Dave

Guust Nieuwenhuis

Jan 5, 2023, 9:05:54 AM
to Mura Digital Experience Platform

Hi Dave,

The fix did not require a complete rewrite of the admin auth. Just some conditionals that had to be tweaked.

Kind regards,
Guust

Brian Reilly

Jan 9, 2023, 1:18:42 PM
to Mura Digital Experience Platform
Hi Dave,

I’m joining this conversation late, but this is very disappointing to read.

>> During our recent Mura security testing, we found a security vulnerability [...]

This is not a security vulnerability that Mura Software found during their security testing. This was a vulnerability that was responsibly disclosed to them — I know, because I was the person who found it and responsibly disclosed it to them. :)

Given the Mura re-licensing in 2021, I was also curious about the upgrade options for organizations who were running unsupported, open source versions of Mura CMS. I was told by Mura Software that they have "[…]a private repo that we grant access to at no cost. The branches are not actively maintained anymore, except for things like this." I don’t know if you were offered free access to a patch which you’d need to deploy/apply yourself, in addition to paid options for them to perform the upgrades — but if you weren’t, that’s ridiculous. Security patches should be provided at no cost.

As Guust has said — this was a simple fix for a high-impact vulnerability.
If the security issue hasn't been resolved in your environment yet, drop me a note and I'm happy to provide more info.

Regards,

Brian

Dave Hunsberger

Jan 11, 2023, 11:06:54 AM
to Mura Digital Experience Platform
Thanks Guust, for your clarification, and Brian for your due diligence in reporting this & keeping active on the topic!

I've taken a look at both the MASA remember-me fix that Brian linked to and the private muracms repo with purportedly the fixes updated, and it looks to me like it's related to, or narrowly scoped to, the remember-me functionality on both the user and admin login.

For our mura usage, we made the decision years ago to remove the 'remember me' ability for a user upon login (which seems to fix half the issue), but we still have the admin toggle available.

It looks like for muracms the patch is confined to config/appcfc/onRequestStart_include.cfm for the logic (adding to the if-case conditionals); the rest of the patch is for adding a 'remember me' configuration option and checking it before output of the remember-me checkbox/toggle, and in MASA it adds logic to core/mura/login/loginManager.cfc as well.

It seems to me this is an easy path, relating to not showing the remember me ability on login pages, and updating the onRequestStart logic to add the new conditionals.

We also have logic in about half our sites that on a successful login, if there are remember me cookies, instantly perform a logout so they are removed, and I'm happy to share that onSiteLoginSuccess logic if anyone needs it.

Brian/WeAreNorth team, does the conditionals fix outlined above (along with the removal of the remember-me login option on forms) cover the exposure for this vulnerability, or is there additional exposure to worry about?

Thanks for keeping this discussion alive!

-Dave
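Dave describes an onSiteLoginSuccess handler that forces a logout whenever remember-me cookies arrive alongside a fresh login. The sketch below is an added example written for this thread; it is not Dave's shared handler, not the MASA or muracms patch, and not Mura's own code. It takes a narrower action than Dave's (it expires the persistent-login cookies directly rather than logging the user out) and records the event so the presence of such tokens can be seen in logs while the exposure is being assessed. Assumptions: the site-level eventHandler.cfc extends mura.cms.eventHandler, the `$` argument is Mura's request scope with `currentUser().getUsername()`, the `cfcookie(...)` script syntax is available on your CFML engine, and the two cookie names are placeholders; the real remember-me cookie names should be taken from your version's core/mura/login/loginManager.cfc.

```cfml
// Added example (not Dave's handler and not Mura's own code): a site eventHandler.cfc
// method that clears persistent-login cookies the moment an interactive login
// succeeds, so a "remember me" token never survives past this request.
//
// Assumptions: mura.cms.eventHandler is the site handler base class, $ is Mura's
// request scope, and the cookie names below are PLACEHOLDERS. Replace them with
// the names your loginManager.cfc actually sets.
component extends="mura.cms.eventHandler" {

    // Placeholder cookie names; look these up in your version's loginManager.cfc.
    variables.rememberMeCookies = [ "PLACEHOLDER_REMEMBERME_ID", "PLACEHOLDER_REMEMBERME_HASH" ];

    public void function onSiteLoginSuccess(required any $) {
        var cleared = [];

        for (var cookieName in variables.rememberMeCookies) {
            if (structKeyExists(cookie, cookieName)) {
                // Overwrite with an empty value and expire immediately; the browser
                // drops the cookie on this response, so it is not sent again.
                // (On engines without script-style cfcookie, use the <cfcookie> tag.)
                cfcookie(name=cookieName, value="", expires="now");
                arrayAppend(cleared, cookieName);
            }
        }

        if (arrayLen(cleared)) {
            // A persistent token arriving with an interactive login is worth logging
            // while the remember-me exposure is being assessed.
            writeLog(
                file="mura-remember-me",
                type="information",
                text="Cleared remember-me cookie(s) #arrayToList(cleared)# on login"
                     & " for user #arguments.$.currentUser().getUsername()#"
            );
        }
    }
}
```

Pair this with removing the remember-me checkbox from both the user and admin login forms, as Dave describes; clearing cookies at login only covers tokens that a browser still presents, it does not stop new ones being issued.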

Brian Reilly

Jan 12, 2023, 6:02:47 PM
to Mura Digital Experience Platform
Hi Dave,

I want to avoid diving into any technical detail before March 6 (the agreed-upon disclosure date; 90 days after patch availability) but I can say that I believe the patches are sufficient to remediate the vulnerability.

Thanks,

Brian

Dave Hunsberger

Jan 23, 2023, 4:16:05 PM
to Mura Digital Experience Platform
Brian, I appreciate the reply. I'll make a note to check back on 3/6 for further disclosure.

Thanks,
-Dave