Canonical URL has changed. See here for updates.
Insufficient permission check vulnerabilities in public court record platforms from multiple vendors allowed unauthorized public access to sealed, confidential, unredacted, and/or otherwise restricted case documents. Affected documents include witness lists and testimony, mental health evaluations, child custody agreements, detailed allegations of abuse, corporate trade secrets, jury forms, and much more.
- Catalis - CMS360 is used in Georgia, Mississippi, Ohio, and Tennessee. Catalis is a "government solutions" company that provides a wide array1 of public record, payment, and regulatory/compliance platforms.
While all of the platforms allowed unintended public access to restricted documents, the severity varied based on the levels of restrictions that could be bypassed and the discoverability of document IDs. The methods used to exploit each of the vulnerabilities also varied, but could all be performed by an unauthenticated attacker using only a browser's developer tools.
Catalis - CMS360
To view documents, URLs with numeric document and case IDs were used. This allowed an unskilled attacker to stumble upon restricted documents by simply incrementing the document ID in the document URL.
Many courts configured CMS360 to disallow document viewing altogether, making it very difficult to guess document IDs, so it is unclear whether documents could be viewed if document IDs were discovered. Many courts also require a login to view cases, so it is not known whether those courts allowed viewing images.
- CVE-2023-6341: Catalis (previously Icon Software) CMS 360 allows a remote, unauthenticated attacker to view sensitive court documents by modifying document and other identifiers in URLs. The impact varies based on the intention and configuration of a specific CMS360 installation.
- 2023-07-17 - Vulnerability discovered in Catalis' CMS360.
- 2023-09-14 - Report for CMS360 sent to Jason Parker at Jeltz by "Eli", for further research.
- 2023-09-30 - Report #1 for CMS360 sent to Catalis - no response.
- 2023-10-02 - Report #2 for CMS360 sent to Catalis - no response.
- 2023-10-02 - Report for all vulnerabilities sent to CERT Coordination Center (CERT/CC).
- 2023-10-03 - Report #3 for CMS360 sent to Catalis, detailing report to CERT/CC - no response.
- 2023-10-04 - Report for all vulnerabilities sent to Cybersecurity and Infrastructure Security Agency (CISA) by CERT/CC.
- 2023-10-06 - Report #4 for CMS360 sent to Catalis, with disclosure timeline and CISA hand-off details - no response.
- 2023-11-01 - Response from Catalis, after discussion with CEO Scott Roza.
- 2023-11-03 - Vulnerability confirmed fixed in CMS360.
- 2023-11-30 - Disclosure published.
| Vendor | Platform | IDs Available | Access | Fix Date |
|---|---|---|---|---|
| Catalis / ICON Software | CMS360 | No | R | 2023-11-03 |
Key:
- IDs Available:
- Whether restricted document IDs are available to an attacker.
- Access:
- R - Sealed, Confidential, Pending Redaction, and/or VOR (Viewable on Request).
- U - Unredacted.
- Z - Attackers can view partial details of cases marked as restricted.
- "Eli", who discovered the first set of court vulnerabilities and has been a major contributor throughout the process. [Is this how most adults find and make friends?]
- Andrew Crocker and Hannah Zhao from the Electronic Frontier Foundation, who were there in a time of need.
- Josh Renaud from St. Louis Post-Dispatch, who provided much needed early guidance and previously fought the fight that made it so I didn't have to, earning him a Press Freedom Award.
- Jaku founder of Crowd Control, who frequently offered his cybersecurity wisdom and experience.
- Zack Whittaker from TechCrunch, who immediately recognized the severity and jumped at the chance to learn more2.
- judyrecords.com, who handled the first round of fallout from court security issues.
- The Arkansas Administrative Office of the Courts, who allowed me to present my findings in an effort to avoid the same pitfalls when building their own court platform.
- Dedications to the Fediverse furries, who provided plenty of amusement after my Bluesky / AT Protocol vulnerability publications. I see you.
- The CISA CVD Team assisted with the coordination of these vulnerabilities3.
- Email: north@ꩰ.com
- Press: press@jeltz.org
- Mastodon: @north@ꩰ.com
- If you enjoy my work, consider becoming a sponsor on Patreon or GitHub, and/or consider donating to the Electronic Frontier Foundation or St. Jude. Several hundred hours of unpaid labor have been put into researching and disclosing these vulnerabilities; no vendors have provided or offered any bounties.
- Enumeration: The process of systematically probing a system to discover valuable information, such as document names or user accounts, by incrementing values in a URL or input field.
- Brute Force Attack: A method of trial-and-error used to obtain information such as a password or PIN. In this case, it refers to repeatedly trying different document IDs to find restricted documents.
- Obfuscation: The practice of making something difficult, but not impossible, to understand. In a security context, obfuscation might be used to make files or code less readable, thereby hiding information from unauthorized users.
- Developer Tools: A set of tools included in most web browsers that allow developers to inspect the underlying code of a web page, monitor network requests, and test live JavaScript code among other functionalities.
- Query Parameter: A way to pass data in a URL, typically used in GET requests to web servers, which can be manipulated for purposes such as accessing unauthorized data.
- Cache Directory: A temporary storage location on a computer where frequently accessed data is kept to speed up retrieval.
- AES: A specification for the encryption of electronic data, standing for Advanced Encryption Standard.
- Session Cookie: A small piece of data sent from a website and stored by the user's web browser while the user is browsing, used to remember stateful information for the duration of the browsing session or some other expiry timeout.
Footnotes
-
Catalis states on their website that "in less than five years [we have] strategically acquired and combined more than 30 public sector software companies". Learning and merging infrastructure after an acquisition takes a large amount of effort. Juggling 30 acquisitions would be a monumental undertaking that reduces focus on other necessary areas of business (e.g. securing legacy platforms). ↩
-
TechCrunch: Security flaws in court record systems used in five US states exposed sensitive legal documents ↩
-
Multiple Vulnerabilities Affecting Web-Based Court Case and Document Management Systems ↩