Resolution of the vulnerability in the web client and backend during LDAP authentication

Dear Sir or Madam,

We are pleased to inform you that the recent security issue related to the web client and backend LDAP authentication vulnerability in our software has been successfully resolved. Your security and satisfaction are our top priorities, and we would like to provide you with a comprehensive report on the resolution of this issue, including a detailed analysis of the root cause of the problem.

Summary of the problem:
On Monday, November 13, 2023, a customer informed us that it was possible to log in to the web client without a password. In the analysis we started immediately, we found that the issue did not occur in the cloud, nor in on-premise installations without LDAP authentication. It occurred only in some on-premise environments in combination with a particular LDAP authentication configuration, and only in the web client. The other apps were not affected.

Cause:
Our security investigation revealed two contributing factors: the web client allowed a login attempt to be submitted without a password, and some LDAP servers are configured to accept and answer a simple bind request that supplies a user name but an empty password (unauthenticated simple bind). In combination, these settings made it possible to authenticate and successfully log in to the web client without a password.

Measures:

  1. Software update: We have fixed this vulnerability in the latest backend version 18.4.2 by no longer allowing empty passwords in the input field of the web client. In addition, the backend checks the password field before a request is sent to the LDAP server.

  2. Configuration changes: In addition, we strongly recommend updating the configuration on the LDAP server and generally prohibiting unauthenticated simple Bind.

Details on the fix:
The updated software version ensures that the web client first checks whether a password has been entered; if not, the login process does not continue. The backend, in turn, receives the request from a client and also checks whether the login contains a password. If the backend determines that the password is empty, no request is sent to the LDAP server. The vulnerability has thus been effectively minimised for authentication against LDAP. At the same time, the strongly recommended LDAP configuration change can eliminate the underlying weakness altogether, and also protects other apps and services that rely on the LDAP server as the central authentication instance.
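The following simulation is an added example and not Teamwire's code. It models the LDAP behaviour described under "Cause" (RFC 4513 section 5.1.2: a simple bind with a non-empty name and an empty password is an "unauthenticated" bind, which a permissive server answers with success while granting only an anonymous session) and the two backend checks described under "Details on the fix". The class and function names, the sample directory entry and the DN layout are all constructed for the example. The same protocol behaviour, not the fake server, is what a real `ldap3` or `python-ldap` bind would see against a directory that still allows unauthenticated binds.

```python
"""Simulated LDAP simple bind: vulnerable login beside the fixed login.

Added example (assumed names: FakeLdapServer, login_vulnerable, login_fixed).
The fake server follows RFC 4513 5.1.2: name + empty password is an
"unauthenticated" bind.  If the server permits it, the bind *succeeds*
but the resulting session is anonymous, so an application that equates
"bind succeeded" with "password verified" is fooled.
"""
from dataclasses import dataclass, field

BASE_DN = "ou=people,dc=example,dc=com"  # constructed directory layout


@dataclass
class BindResult:
    success: bool
    authz_identity: str  # "" means the session is anonymous


@dataclass
class FakeLdapServer:
    # constructed sample directory: DN -> password
    users: dict = field(default_factory=lambda: {f"uid=alice,{BASE_DN}": "s3cret"})
    # True models the weak directory configuration from the advisory;
    # in OpenLDAP this corresponds to the "bind_anon_dn" entry of the
    # "allow" directive, which is off by default.
    allow_unauthenticated_bind: bool = True

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if dn == "" and password == "":
            return BindResult(True, "")  # anonymous bind, always permitted here
        if dn != "" and password == "":
            # RFC 4513 5.1.2 unauthenticated bind: success, but anonymous
            if self.allow_unauthenticated_bind:
                return BindResult(True, "")
            return BindResult(False, "")  # server rejects (e.g. unwillingToPerform)
        if self.users.get(dn) == password:
            return BindResult(True, dn)  # genuine authentication
        return BindResult(False, "")  # invalidCredentials


def user_dn(username: str) -> str:
    return f"uid={username},{BASE_DN}"


def login_vulnerable(server: FakeLdapServer, username: str, password: str) -> bool:
    """Before the fix: forwards whatever the client sent and trusts the result code."""
    return server.simple_bind(user_dn(username), password).success


def login_fixed(server: FakeLdapServer, username: str, password: str) -> bool:
    """After the fix: reject empty credentials before any LDAP request is sent,
    and additionally require that the bind actually authenticated as the user."""
    if not username or not password:
        return False  # backend-side check from measure 1: no request to LDAP
    dn = user_dn(username)
    result = server.simple_bind(dn, password)
    # Defence in depth: an anonymous session is not a login for this user,
    # even if the directory reported success.
    return result.success and result.authz_identity == dn


if __name__ == "__main__":
    weak = FakeLdapServer(allow_unauthenticated_bind=True)
    hardened = FakeLdapServer(allow_unauthenticated_bind=False)
    print("vulnerable, empty password, weak server :", login_vulnerable(weak, "alice", ""))
    print("fixed,      empty password, weak server :", login_fixed(weak, "alice", ""))
    print("vulnerable, empty password, hard server :", login_vulnerable(hardened, "alice", ""))
    print("fixed,      right password, weak server :", login_fixed(weak, "alice", "s3cret"))
```

Run with the weak server configuration, `login_vulnerable` accepts the empty password while `login_fixed` refuses it without contacting the directory; with the hardened configuration (measure 2), even the unfixed login fails, which is why the advisory recommends both the software update and the LDAP configuration change.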

Next steps:
We strongly recommend immediately updating to the latest software version 18.4.2 and reviewing your LDAP configuration to ensure it reflects our recommendation. This proactive step will maximise the security of your accounts and data.

Thank you:
We would like to express our sincere appreciation for your cooperation and understanding during this process. Your patience and support were essential in resolving this security issue quickly.

Continued commitment:
Please be assured of our ongoing commitment to security and reliability. We are constantly endeavouring to take comprehensive and proactive measures to protect your information in the best possible way.

Contact us:
If you encounter any difficulties during the update process or have any further questions, please do not hesitate to contact our support team at +49 89 1222199 23 or support@teamwire.eu.

Your trust in our software is very important to us, and we endeavour to maintain the highest standards of security and performance.

Thank you for your attention to this matter.

Best regards,

Your Customer Success team 🌟

© Teamwire Support