For Quentin Rhoads-Herrera, this was not a typical security test.
A big municipal government in the U.S. had just handed him the source code for software the city uses to manage contracts and track infrastructure projects.
He unpacked the code, sifted through it, and found more than a dozen previously undisclosed vulnerabilities, or zero-days, that a hacker could exploit to manipulate data or dump user passwords. But it was more than just a catalog of bugs: Poring over the code, Rhoads-Herrera found the names of two other city governments that have used the software.
The product, known as CIPAce, has been used by public and private sector organizations to collect invoices and manage contracts and budgets, according to CIPPlanner Corp., the company that makes it.
“If one attacker happens to exploit this city, then they can look and see, easily, every other city that’s using this … and attack them using the same methods,” said Rhoads-Herrera, a penetration tester at CriticalStart, a Texas-based cybersecurity company. He tried to contact another municipality to warn it about the issue.
Rhoads-Herrera says he hasn’t seen any malicious hackers exploit the vulnerabilities in CIPPlanner’s software. Zero-days in important software can be big problems for any organization, but for municipalities, the effects can be magnified. City governments are often cash-strapped and struggle to upgrade the technology on which they depend. A deluge of ransomware attacks has only served to expose how vulnerable public-sector agencies can be.
Reached by phone, Wayne Xie, a principal at CIPPlanner, said it was an “ongoing battle” to safeguard any software from hackers. “We continue to update the software and do penetration tests,” Xie said. He declined to discuss CIPPlanner’s clients or how many people work at the company.
Parts of CIPPlanner’s website don’t appear to have been updated in years. Two of the listed clients contacted by CyberScoop said they had stopped using the software. The company does have active contracts with an agency at a U.S. city government and with a county government in another state, according to data from those localities.
After months of working with his client to mitigate the vulnerabilities, Rhoads-Herrera said he’s raising awareness about them through a report released Thursday. The report does not name the cities affected. CyberScoop has shared the findings with the MS-ISAC, the threat-sharing body for states and municipalities, which is investigating.
Rhoads-Herrera’s client, he said, has worked with CIPPlanner to address the issue.
The vulnerabilities found by CriticalStart could allow a hacker, without even authenticating on the network, to disclose information on internal databases or upload a malicious “web shell” to manipulate data. CriticalStart deemed two of the bugs “critical” because they could allow a hacker to inject malicious code into the software platform.
“Every single vulnerability we found in this application was unauthenticated,” said Rhoads-Herrera, who was skeptical of CIPPlanner’s claim that it does independent penetration tests. “And leaking passwords is definitely a critical issue, especially since I used it to VPN into their environment with ease.”
Rhoads-Herrera said he was encouraged by the fact that the municipality was “so involved in trying to actually secure their infrastructure.” The city IT team would email him during the penetration test to say they had noticed his activity on the network, he said.
That proactive approach to security is all the more important with people across the country working remotely during the coronavirus pandemic. Knowing who should and shouldn’t be remotely logging into your network can be the difference between properly managing a workforce and having corporate data stolen.
Featured in CyberScoop | April 3, 2020
CRITICALSTART® and MOBILESOC® are federally registered trademarks owned by Critical Start. Critical Start also claims trademark rights in the following: Cyber Operations Risk & Response™ platform, and Trusted Behavior Registry®. Any unauthorized use is expressly prohibited.