An unauthenticated blind SSRF (Server Side Request Forgery) vulnerability was identified and disclosed by a Tenable Security researcher. The vulnerability is due to not requiring LTI tools to sign requests to the server, allowing crafted API calls from end users to query arbitrary hosts. Host responses are not returned to the client.
An XSS (Cross Site Scripting) vulnerability was publicly disclosed via a Pull Request to instructure/canvas-lms on GitHub. The vulnerability is due to a version of the MathJax dependency used in a Canvas component, which allows an attacker to use JavaScript to exploit this vulnerability via Canvas' Rich Text Editor.
Status:
All systems were patched as of 11:11 AM MT on 7/11/2019.
A security researcher supporting our ongoing bug bounty program hosted by BugCrowd identified a vulnerability in ePortfolios, which allowed an authenticated user to access files not owned by the user as part of an ePortfolio export.
Status:
All systems were patched as of 8:17 PM MT on 2/11/2019.
The following findings were recently identified by the talented security researchers supporting our ongoing bug bounty program hosted by BugCrowd:
1. XXS via ‘data-tooltip’ attribute
A security researcher discovered Canvas editors allow for data-tooltip attribute to be modified to execute a script when triggered.
2. XSS in Calendar via `data-mathml` attribute
A security researcher discovered the data-mathml attribute can be modified to execute a script when accessing a calendar event.
3. XSS in Discussions via `data-focus-returns-to` attribute
A security researcher discovered the data-focus-returns-to attribute can be modified to execute a script when accessing a discussion topic.
4. XSS in Assignments via `vdd_tooltip_link` attribute
A security researcher discovered the vdd_tooltip_link attribute can be modified, by only users having the ability to modify assignments, to execute a script when modifying an assignment.
5. XSS in Canvas editors when referencing an External App via icon_url element
A security researcher discovered the icon_url element included as part of referencing an an External App configuration can be modified to execute a script when opening any editor referencing the External App.
6. XSS in Canvas editors via data-html-while-target-shown attribute
A security researcher discovered the data-html-while-target-shown attribute can be modified to execute a script when when the associated link is clicked.
7. XSS in ePortfolios
A security researcher discovered, in ePortfolios, an element with a specific attribute can be used to execute a script when the associated button is clicked.
8. XSS in Canvas editors via a.file_preview_link
A security researcher discovered, in Canvas editors, the file_preview_link parameter can be used to execute a script when the associated link clicked.
9. XSS in Canvas Quizzes via data_url attribute
A security researcher discovered, in Canvas Quizzes, the data_url attribute can be modified (by only users having the ability to modify quizzes) to request and execute a script when accessing a quiz.
Status:
All systems were patched as of 8:57 MT on 1/31/2019.
These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents. (Source: Meltdown and Spectre)
Systems Affected:
Desktop, Laptop, and Cloud computers may be affected by Meltdown. Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. (Source: Meltdown and Spectre)
Solution Status:
Patched (Meltdown; AWS Systems)
Discovered By:
Several security researchers. See "Who reported Meltdown" and "Who reported Spectre?" here: Meltdown and Spectre
Relevant Changesets:
N/A
Summary:
Last week, security researchers released findings about a couple of impactful security vulnerabilities known as Meltdown and Spectre (see https://spectreattack.com/). Openness and transparency are important to us: we want you to know how we have responded to these vulnerabilities.
Instructure systems are hosted on Amazon Web Services (AWS). One of the biggest concerns about these vulnerabilities is their impact on shared-compute infrastructure. Researchers reported these vulnerabilities to AWS and other infrastructure providers several weeks before disclosing them publicly. AWS aggressively identified and patched all exposed systems, including all infrastructure supporting Instructure’s instances. AWS describes their efforts here: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
We believe the near and present attack vectors associated with these vulnerabilities have been removed as a result of AWS’ patching. Due to the nature of these vulnerabilities impacting CPUs (even on virtualized systems), Instructure is applying the associated patches (as they become available) to Instructure’s instances hosted on AWS while meeting our availability SLAs and maintenance-notification commitments.
We encourage customers to update their systems and browsers as patches become available.
Status:
All AWS systems were patched as of 20:10 MT on 01/09/2018
An open redirect at /courses/:course_id/external_tools/retrieve?url=... was discovered which did not filter URLs like https://domain.com./ with trailing dot. The form with the signed oauth post data is being created and being transmitted to the attacker's web server.
An open redirect at /courses/:course_id/lti/tool_proxy_registration?tool_consumer_url… which could have also been used to create a reflected XSS vulnerability, where a victim had permission to install an LTI tool.
Status:
All systems were patched as of 17:01 MT on 11/8/2017
An external security audit discovered a vulnerability in the QTI Migration tool which is used in converting QTI version 1.x data into QTI 2.0 content packages. The vulnerability allowed read only access to the underlying filesystem. This means that a potential attacker could read files from various system level directories where configuration and system user details are stored.
An internal forensic investigation found no evidence that the vulnerability, which has existed on the system for some time, has been exploited during the time it was present on the system.
Status:
All systems were patched as of 13:21 MT on 2/3/2017
An external security audit discovered a misconfigured whitelist for protocols allowed in href attributes for MathML tags (<math href=”...”>). This allowed a potential attacker to run javascript when a mathml tag was clicked in Safari or Firefox, where MathML is supported.
Status:
All systems were patched as of 11:01 MT on 2/7/2017
Restrict collaboration membership by context · instructure/canvas-lms@67491e3b · GitHub
Summary:
During a routine security audit of the Canvas code base and platform, a bug with permission checking for collaboration enrollment was discovered which could allow a teacher or admin to enroll users in a course collaboration that they normally would not have been allowed to be enrolled in. This could lead to a situation which would allow access to basic user information that the teacher or admin might not otherwise have access to.
Status:
All systems were patched as of 15:14 MT on 1/5/2017
In October of 2015, a code change which allowed an account admin to manage developer keys generated within their own instance of Canvas was introduced into the codebase. It was recently discovered during a routine review of the code that the permission checks had weak scope boundaries, so an admin with permissions to modify developer keys in their own instance/account, were inadvertently able to modify any developer key within the system.
For users of the open source version of Canvas, the vulnerability surface area is much smaller since there's only one root account, and typically the root account admins are also site admins, which would have permissions to alter developer keys.
Status:
The Instructure engineering team has developed, tested, and promoted a hotfix to the production Canvas platform. They have also updated the Canvas open source git repository with a security patch prior to the release of this bulletin.
Potential impact includes all platforms/sites protected by HTTPS
Solution Status:
Closed/Resolved
Discovered By:
Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt
Relevant Changesets:
None
Summary:
Recently, a new SSL vulnerability was discovered by a group of security researchers. The vulnerability has been given the name "DROWN", which is an acronym for "Decrypting RSA with Obsolete and Weakened eNcryption." The gist of the vulnerability is if a site is configured to support SSLv2, which is a deprecated version of the SSL (Secure Socket Layer) protocol, the encryption can be compromised by a third party.
Status:
Instructure operations has concluded that only one of its sites/services, an internal QA tool, was configured with the deprecated version of the SSL protocol. The potentially vulnerable site has since been reconfigured to disable SSLv2 and all associated cyphers.
Because of strict network isolation between pre-production and production environment, the risk to production environments was mitigated.
During a routine security audit of the Canvas code base and platform, a number of cross site scripting vulnerabilities were identified. Once identified and confirmed, these vulnerabilities were patched by the Instructure engineering team.
Status:
All systems were patched as of 15:32 MT on 11/6/2014
Reported by customer via a third-party security assessment
Relevant Changesets:
Summary:
During a routine security audit of the Canvas code base and platform performed by a third party at the request of a csutomer, a cross site forgery request vulnerability was identified. Once identified and confirmed, the vulnerability was verified, confirmed and patched by the Instructure engineering team.
Status:
All systems were patched as of 17:53 MT on 11/19/2014
2014-11-07 (Last update can be found below the document title)
Description:
Multiple cross site scripting vulnerabilities were discovered within the Canvas codebase during a routine security audit. The cross site scripting vulnerabilities could allow for the insertion and storage of arbitrary HTML code into the Canvas application.
During a routine security audit of the Canvas code base and platform, a number of cross site scripting vulnerabilities were identified. Once identified and confirmed, these vulnerabilities were patched by the Instructure engineering team.
Status:
All systems were patched as of 15:32 MT on 11/6/2014
2014-1-14 (Last update can be found below the document title)
Description:
A vulnerability was discovered in SSLv3 which could allow a remote attacker to force a TLS downgrade negotiation, which could result in SSLv3 with weak ciphers being used. Once downgraded, the traffic is then susceptible to a man in the middle (MITM) attack
On October 14th, Google security released an advisory regarding a newly discovered SSLv3 attack. Once the Instructure InfoSec team was made aware of the advisory, it took immediate action to disable SSLv3 and its related ciphers on the Canvas platform.
Status:
All systems were patched as of 14:33 MT on 10/14/2014
2014-10-13 (Last update can be found below the document title)
Description:
A path traversal vulnerability was discovered which potentially allowed for limited traversal of the host server’s filesystem and possible unauthorized access to files readable by the parent process.
A path traversal vulnerability was discovered which potentially allowed for limited traversal of the host server’s filesystem and possible unauthorized access to files readable by the parent process.
Once the vulnerability was reported and validated, steps were immediately taken to address the vulnerability. Furthermore, a full impact analysis was performed to determine if the vulnerability had been exploited.
The Instructure InfoSec team found no evidence of an exploit.
Status:
All vulnerable systems were patched against the vulnerability on the same day it was reported.
2014-09-24 (Last update can be found below the document title)
Description:
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
Summary: On September 24, 2014 the United States Computer Emergency Readiness Team (US-CERT) released a security bulletin regarding a newly discovered vulnerability within the GNU Bourne Again Shell (Bash), which could allow an attacker to execute arbitrary code on a target machine.
Based on the design of the Canvas platform, and active security/access controls, we determined that the risk to the Canvas platform was very low, but felt it prudent to patch all systems to remove any potential for an attack or exploit.
Status:
All systems were patched for both CVEs as of September 27, 2014
A security issue was reported to Instructure Customer Support by a institutional customer who discovered a potential data leakage issue with Canvas. In an account with Profiles enabled, when a student pulls "view source" on another user's course-level user page (.../courses/XXXX/users/XXXX), the resulting HTML may reveal information about the other user, including their login ID, primary email address, and enrollments.
Status:
Fixed in Canvas Cloud as of 9/12/2014. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
A vulnerability was discovered within the rubyzip gem used by Canvas which could allow an attacker to gain access to the filesystem, directories, files and/or execute arbitrary code via symbolic links.
Status:
Fixed in Canvas Cloud as of 7/24/2014. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
A vulnerability exists within version 0.1.28 of the ruby-saml-mod Ruby gem. This vulnerability could potentially allow for information leakage if the correct set of circumstances were present. This vulnerability is fixed in version 0.1.29 of the Ruby gem.
Status:
Fixed in Canvas Cloud as of 6/27/2014. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
A bug in permissions checking could allow a malicious user to initiate a course copy using a source course they do not normally have access to. This could allow access to course content that the user would not normally see.
Status:
Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
A security audit has identified a SQL injection attack vector in the course import functionality, available to account admins and instructors.
Status:
A fix has been developed and deployed to Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
A bug in permissions checking could allow a malicious user to create logins in accounts that they wouldn't normally be allowed to. This could allow access to basic account information, depending on authentication settings.
Status:
Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing theinformation protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
Status:
Amazon has confirmed that all vulnerable hosted services have been patched against the heartbleed bug. All SSL certificates and private keys for the *.instructure.com top level domain were replaced at 12:00 PM MT on April 10, 2014. We continue to work with organizations that have "vanity" URLS (e.g. canvas.organization-name.com) to replace their SSL certificates and private keys.
A bug in permissions checking could allow a malicious admin or teacher to enroll users in their course that they wouldn't normally be allowed to. This could allow access to basic user information.
Status:
Fixed in Canvas Cloud. Does not affect Canvas CV, as it is not multi-tenant.
A bug in permissions checking could allow a malicious user to mark enrollments as deleted in a course that they wouldn't normally have access to do so in. No data would be permanently lost, as the enrollment was only soft deleted and could be restored.
Status:
Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
A malicious user could upload a specially formed zip file in order to bypass Canvas' quota checking and extract much larger files than are meant to be allowed. This attack could potentially be used as a Denial of Service attack vector on job workers, and increase Canvas hosting costs.
Status:
Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
An attack against Canvas' SAML single sign-on implementation was discovered by security researchers. The attack could potentially allow a malicious Canvas user to use their valid SAML credentials to forge a login as a different user at their institution, giving them access to Canvas as that other user.
Status:
Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
