TSplus Remote Access Insecure Permissions Information Disclosure Vulnerability

Vulnerability

A vulnerability in TSplus Remote Access versions prior to 17.30 allows remote attackers to retrieve a list of all domain accounts currently connected to the application. This information disclosure flaw can be exploited through an unauthenticated HTTP request to the hb.exe endpoint.

Impact

Exploitation of this vulnerability yields the list of connected domain accounts, which can be used for targeted phishing or vishing attacks and could facilitate further intrusions.

Reproduction

The vulnerability can be reproduced by sending an unauthenticated HTTP request to the /cgi-bin/hb.exe endpoint. The endpoint responds with a list of all domain accounts currently connected to the TSplus application.

Remediation

TSplus has released a patch for this vulnerability in the beta version of Remote Access. The patch removes the user listing from the /cgi-bin/hb.exe endpoint and introduces a new endpoint, /api/loadbalancing/load, on port 19955, which requires signed, timestamped messages for authentication.
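As an added defender-side example (not part of the advisory or of TSplus's own code), the script below does two things a responder would want after reading this entry: it flags whether an installed version falls into the affected range (prior to 17.30), and it scans web access logs for requests to /cgi-bin/hb.exe from sources that are not expected to poll it. The allowlist, the log format and the log lines are constructed assumptions; the path is matched case-insensitively as a conservative choice.

```python
import re
from typing import List, Tuple

# Assumption: hosts that legitimately poll the endpoint in your environment
# (for example an internal load balancer). Adjust to your deployment.
ALLOWED_SOURCES = {"10.0.0.5"}

# Endpoint and fixed release named in the advisory.
VULNERABLE_PATH = "/cgi-bin/hb.exe"
FIXED_VERSION = (17, 30)

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2025:19:46:01 +0000] "GET /cgi-bin/hb.exe HTTP/1.1" 200 512
203.0.113.7 - - [09/Jun/2025:19:46:05 +0000] "GET /cgi-bin/hb.exe HTTP/1.1" 200 4096
203.0.113.7 - - [09/Jun/2025:19:46:09 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.2 - - [09/Jun/2025:19:47:00 +0000] "GET /cgi-bin/HB.EXE?x=1 HTTP/1.1" 200 4096
"""

# source, timestamp, method, path, status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '17.20' into a comparable tuple."""
    return tuple(int(part) for part in ver.split("."))


def is_vulnerable_version(ver: str) -> bool:
    """True for releases before 17.30, the range given in the advisory."""
    return parse_version(ver) < FIXED_VERSION


def find_suspicious_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (source, timestamp, raw path) for successful hits on the
    endpoint from sources outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        src, ts, _method, path, status, _size = match.groups()
        normalized = path.split("?", 1)[0].lower()  # drop query, ignore case
        if normalized == VULNERABLE_PATH and status == "200" and src not in ALLOWED_SOURCES:
            hits.append((src, ts, path))
    return hits


if __name__ == "__main__":
    print("17.20 affected:", is_vulnerable_version("17.20"))
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("review:", hit)
```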

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.