CVE-2020-14011 information

Hi,

Thank you for bringing this to our attention. To start off with, it's important to note that, currently, a correctly configured Lansweeper installation is not vulnerable. We do however, leave at least some of this in the hands of our users, instead of enforcing it. There's a fine balance between security, user friendliness and accessibility.

We take the security of our product very seriously and have always acted quickly to investigate and address suspected vulnerabilities. It’s unfortunate we have to address this retroactively as the responsible disclosure procedures were not followed. I've added an overview before of what this vulnerability means, how it can be mitigated and how we'll address it going forward.



Summary of the vulnerability


A default Lansweeper installation has the built-in admin account enabled. This allows anyone that knows the URL of the web console and who can access it from their machine to log on as the built-in admin. The focus of the vulnerability report centers around logging on with the built-in admin to send commands (deployments) to scanned computers. The vulnerability also indicates that it's theoretically possible for a Lansweeper installation to be accessible through the internet.


Impact of the vulnerability

• The built-in admin being enabled: this account is indeed enabled when Lansweeper is first installed. This gives the user an opportunity to configure Lansweeper, including restricting access to specific accounts. The purpose of this account is to make it easier to configure Lansweeper for a first time user. With this account all features available in the web console are accessible.
  
• The Lansweeper web console being accessible from the internet: a default Lansweeper installation will not be accessible from the internet. When Lansweeper is first installed, a Windows firewall rule is added to help ensure the web console is accessible from external machines within the same LAN. Lansweeper does not implement any changes to publish the web console to the internet.
  
• Merely logging on as the built-in admin alone will not allow you to deploy commands towards external computers. In addition to this a Lansweeper installation also needs to contain these computers in inventory, the appropriate admin credentials need to have been added and the deployment requirements must be met
  
• Logging on with the built-in admin does not give the user access to critical information such as reading out credentials.
  
• If you don't have the built-in admin enabled, this vulnerability does not apply to you.
  

How the vulnerability is already addressed

• A warning is currently displayed under Configuration\Website Settings when the built-in admin is enabled.
  The built-in admin can be disabled via the Configuration\Website Settings menu.
  
• We advise against publishing your web console to the internet, should you choose to do so, make sure to:
  -Restrict access to the web console, ensuring only whitelisted users can log on and disable the built-in administrator account as mentioned above: https://www.lansweeper.com/knowledgebase/restricting-access-to-the-web-console/
  -Make sure to disable the http port of your web console, which can also be done via Configuration\Website Settings. If you're using IIS, this is configured via IIS Manager instead.
  -Make sure to bind a valid certificate to the listen port of your web console. If you already have a certificate and use IIS Express, you can follow these instructions: https://www.lansweeper.com/knowledgebase/how-to-configure-ssl-in-iis-express/
  

Addressing the vulnerability going forward


While the vulnerability can be already fully negated as it stands, in all versions listed in the report, we'll make further improvements. Our aim is to give the user more information and more choices on how to configure access to Lansweeper from the moment it's first used. We'll also add more prominent information about the current accessibility status of the web console.