Public Disclosure: Serious Security flaw in Accruent's MRO.
On November 30, 2022, our research team discovered a critical security vulnerability in the Email to Work Order component of Accruent's Maintenance Connection (MC). We immediately reported the issue to Accruent's security team and, following industry practice, opened case CVE-2022-46501 with MITRE (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46501).
The risk lies in the Email to Work Order component of Accruent's MRO software. If you have upgraded to MC version 2021.2 or any later version up to the current shipping version and have the Email to Work Order feature enabled, an attacker can compromise your system simply by sending an email. The exposure is not limited to the database that has the feature turned on: every MC instance on the same server is at risk.
This bug is critical because it allows a bad actor to read and disclose non-public information, modify stored information and, in many server configurations, escape the MC sandbox to reach other internal systems. The consequences of such unauthorized access could be devastating.
The bug also carries a significant risk of accidental self-exploitation: it can be triggered unintentionally, leading to the loss of essential work requests. The resulting damage and lost income could run into millions of dollars.
We did not run any tests against 'live' servers to prove the point; the issue was easy enough to explain without them. Accruent responded on December 2, 2022 that they agreed with our analysis and severity rating and were working on a priority upgrade to fix it.
This is a VERY serious security exposure. If you run more than one Accruent database on a server and even one of them has this feature turned on in the Accruent version of MC, then ALL of the databases on that server, the server itself and the network devices reachable from it are directly at risk. If you run MC as a SaaS, then if any one customer turns the feature on, ALL of your customers and every computer visible on the network are at risk.
At the end of December, Accruent provided us with a proposed patch. We tested it, reviewed the code and confirmed that, as far as we can tell and test, the patch is a good fix.
For customers whose Accruent MRO installation is supported through us, we have already worked with those affected to apply the patch or to ensure they are not using the feature, so none of our customers are at risk.
We have contacted Accruent several times since December 2022, when they sent us the proposed fix for comment (we confirmed to them that it was a good fix). As of 2023.02.28, however, Accruent has not informed us of a publicly available upgrade or patch for this problem.
In accordance with industry standards, we are reporting that 90 days have passed since we reported the security flaw to Accruent and, unfortunately, the patch has not been made publicly available to customers as an upgrade. We hope that they will release it soon. We strongly urge all Accruent customers to request an upgrade that includes the fix and to apply it immediately when it becomes available.
In the meantime, we recommend that all affected customers turn OFF the Email to Work Order feature in Accruent MRO on all of their systems, including test and training systems, and put controls in place to make sure no one turns it back on.
We take the security of our customers seriously and will continue to work closely with Accruent to ensure that all customers are protected from potential security threats.
Update 2023.03.02: Accruent confirms that their cloud now has the fix. The date for other customers is currently unknown.