Security bulletin: Two CVEs and how to stay secure

You may have come across two recent CVEs declared for 4D. Below are the actions you must take in order to stay secure.

CVE-2023-30222: Information disclosure vulnerability

This CVE refers to an information disclosure vulnerability in all 4D versions that allows attackers to retrieve the password hashes of all users via eavesdropping.

The reported vulnerability is that, even when communication between client and server is encrypted (project settings), the traffic can still be read in clear by anyone who holds the server private key. This sounds obvious: your server private key must remain secret.

Even though 4D ships a default certificate and key to ease development and testing, our documentation has always strongly recommended replacing them with your own.

To make replacing the server private key easier, 4D v20 R4 will regenerate it automatically at each server start. This way each 4D server instance has its own, different private key.


CVE-2023-30223: broken authentication vulnerability

This CVE describes a broken authentication vulnerability that allows attackers to send crafted TCP packets containing requests to perform arbitrary actions.

Such injections are possible only if the attacker has obtained the server private key. So once again, to stay safe, be sure to replace the default server keys with your own.
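Both CVEs share the same first mitigation: make sure the server is no longer running on the certificate and key shipped with 4D, and that the key file itself is not readable by anyone but the server account. The following audit script is an added example, not 4D's own code or tooling. It assumes (the bulletin does not state this) that the certificate and private key live in the application folder as `cert.pem` and `key.pem`, and that you fill in the SHA-256 fingerprints of the default certificates shipped with the 4D builds you deploy; the zero-filled entry in `KNOWN_DEFAULT_FINGERPRINTS` is a placeholder to be replaced. The fingerprint is computed with the standard library only, so it runs anywhere Python does and matches what `openssl x509 -noout -fingerprint -sha256` prints.

```python
"""Audit a 4D server folder for the default TLS certificate/key (added example).

Assumptions, not taken from the bulletin:
  * cert.pem / key.pem in the application folder hold the server certificate and key
  * the operator supplies the SHA-256 fingerprints of the default certificates
"""
import base64
import hashlib
import re
import stat
import tempfile
from pathlib import Path

# One PEM block: label in the BEGIN/END lines, base64 body in between.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

# PLACEHOLDER: replace with the real fingerprints of the default certificate(s)
# shipped with your builds (openssl x509 -in cert.pem -noout -fingerprint -sha256).
KNOWN_DEFAULT_FINGERPRINTS = {":".join(["00"] * 32)}


def make_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap raw bytes in a PEM envelope (used here only to build constructed samples)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


def pem_to_der(pem_text: str, label: str = "CERTIFICATE") -> bytes:
    """Return the DER bytes of the first PEM block carrying `label`."""
    for found_label, body in PEM_BLOCK.findall(pem_text):
        if found_label == label:
            return base64.b64decode("".join(body.split()))
    raise ValueError(f"no {label} block found")


def sha256_fingerprint(cert_pem: str) -> str:
    """SHA-256 over the DER certificate, as colon-separated upper-case hex pairs."""
    digest = hashlib.sha256(pem_to_der(cert_pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def uses_default_certificate(cert_pem: str, known_defaults=KNOWN_DEFAULT_FINGERPRINTS) -> bool:
    """True when the certificate is one of the known shipped defaults."""
    return sha256_fingerprint(cert_pem) in known_defaults


def key_is_private_to_owner(path: Path) -> bool:
    """True when group and others have no read permission on the key file (POSIX)."""
    mode = path.stat().st_mode
    return not (mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_server_dir(app_dir: Path, known_defaults=KNOWN_DEFAULT_FINGERPRINTS) -> dict:
    """Check the assumed cert.pem/key.pem pair and return a small report."""
    cert_path, key_path = app_dir / "cert.pem", app_dir / "key.pem"
    findings = []
    report = {"fingerprint": None, "default_certificate": False,
              "key_readable_by_others": False, "findings": findings}
    if not cert_path.exists() or not key_path.exists():
        findings.append("cert.pem or key.pem not found in the assumed application folder")
        return report
    report["fingerprint"] = sha256_fingerprint(cert_path.read_text())
    if report["fingerprint"] in known_defaults:
        report["default_certificate"] = True
        findings.append("certificate matches a known default: replace cert.pem and key.pem")
    if not key_is_private_to_owner(key_path):
        report["key_readable_by_others"] = True
        findings.append("key.pem is readable by group/others: restrict it to the server account")
    return report


def demo() -> dict:
    """Audit a constructed folder that reproduces both bad conditions."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp)
        cert_pem = make_pem(b"constructed sample certificate bytes")  # not a real cert
        (app / "cert.pem").write_text(cert_pem)
        key_path = app / "key.pem"
        key_path.write_text(make_pem(b"constructed sample key bytes", "PRIVATE KEY"))
        key_path.chmod(0o644)  # deliberately too permissive so the audit flags it
        # Treat the constructed cert as "the shipped default" for the demonstration.
        return audit_server_dir(app, known_defaults={sha256_fingerprint(cert_pem)})


if __name__ == "__main__":
    for line in demo()["findings"]:
        print("FINDING:", line)
```

Run it as `python audit_4d_tls.py` after pointing `audit_server_dir` at the real application folder; an empty `findings` list means the certificate is not a known default and the key is readable only by its owner. The check is deliberately limited to what can be verified offline: it does not prove the certificate is trustworthy, only that it is not the one everybody else's 4D installation also has.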

To further improve the security of these applications, 4D provides a bug fix that accepts only the strictly necessary requests before authentication. This improvement is especially relevant for 4D applications using the built-in password system. It is available starting from the following versions:

  • 4D v19.7 LTS, build 288986
  • 4D v20.2 LTS, build 100956
  • 4D v20 R2 HF1, build 100440
  • 4D v20 R3 and further

4D applications not using the built-in password system are not directly impacted by this vulnerability, as their security relies on their own implementation or on external directories (such as LDAP, Active Directory or Microsoft 365).


Conclusion

We strongly recommend using your own server private key and keeping it secret, whatever your 4D version.

We also recommend upgrading 4D to its latest version and following the recommendations provided in our 4D security guide.