The Indian Computer Emergency Response Team (CERT-In) has reported multiple high-severity vulnerabilities in Apex Softcell’s mobile stock trading and back-office platforms.
The Apex Softcell vulnerabilities, if left unaddressed, could lead to severe consequences, including unauthorized transactions and the bypassing of essential security measures like One-Time Passwords (OTPs).
Because Apex Softcell has provided solutions to the capital markets and financial industries for over three decades, vulnerabilities in its products are particularly concerning for its user base.
Overview of the Apex Softcell Vulnerabilities
According to CERT-In’s advisory, five specific Apex Softcell vulnerabilities affect the Apex Softcell LD Geo and LD DP Back Office products. These flaws are present in versions of LD Geo prior to 4.0.0.7 and LD DP Back Office before 24.8.21.1.
The identified risks could enable remote attackers to execute various malicious activities, including user enumeration, OTP verification bypass, manipulation of transactions, and unauthorized access to sensitive user data.
Among the Apex Softcell vulnerabilities highlighted are CVE-2024-47085, CVE-2024-47086, CVE-2024-47087, CVE-2024-47088, and CVE-2024-47089. Each of these issues poses unique risks to the integrity and security of the trading platforms.
Details of the Vulnerabilities in Apex Softcell
CVE-2024-47085: Parameter Manipulation Vulnerability
This vulnerability affects the LD DP Back Office and arises from improper validation of specific parameters in the API endpoint. Authenticated attackers could exploit this flaw by manipulating the request body, potentially exposing sensitive information belonging to other users.
CVE-2024-47086: OTP Bypass Vulnerability
Another significant vulnerability in the LD DP Back Office results from a flawed implementation of the OTP validation mechanism. This issue could allow authenticated attackers to bypass OTP verification by providing arbitrary OTP values, compromising the security of user accounts.
CVE-2024-47087: Information Disclosure Vulnerability
In the LD Geo platform, improper parameter validation can lead to this information disclosure vulnerability. Attackers could exploit this flaw to access sensitive data by manipulating parameters in API requests.
CVE-2024-47088: User Enumeration Vulnerability
This vulnerability stems from insufficient restrictions on failed authentication attempts. Remote attackers can exploit this flaw through brute-force methods, allowing them to gain unauthorized access to user accounts.
CVE-2024-47089: Unauthorized Transaction Manipulation Vulnerability
This critical vulnerability is caused by improper validation of transaction token IDs in the API endpoint. Authenticated attackers could manipulate these IDs to gain unauthorized access and modify transactions belonging to other users.
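The advisory describes flaw classes rather than code, and how they manifest inside LD Geo and LD DP Back Office is not published. The following Python is an added illustration written for this article, not Apex Softcell's code, of the two patterns behind most of the issues above: an API handler that fetches a record by a client-supplied ID without tying it to the authenticated session (the parameter-manipulation and transaction-token issues), and an OTP check that treats an absent value as "nothing to verify" (one common way an OTP bypass arises). Each weak handler is shown next to a hardened one. The transaction store, user names, OTP codes and timestamps are constructed sample values; the function names are hypothetical.

```python
import hmac
import time
from dataclasses import dataclass

# Constructed sample store: two users, each owning one transaction (not real data).
TRANSACTIONS = {
    "TXN-1001": {"owner": "alice", "amount": 500},
    "TXN-1002": {"owner": "bob", "amount": 750},
}


def get_transaction_unchecked(session_user, txn_id):
    """Weak pattern: the record is fetched by the client-supplied id alone.
    The authenticated session is never consulted, so any id returns any user's data."""
    return TRANSACTIONS.get(txn_id)


def get_transaction_checked(session_user, txn_id):
    """Hardened pattern: object-level authorization ties the record to the session user.
    'Not found' and 'not yours' get the same answer, so the endpoint cannot be used
    to confirm which ids exist."""
    record = TRANSACTIONS.get(txn_id)
    if record is None or record["owner"] != session_user:
        return None
    return record


@dataclass
class OtpChallenge:
    code: str
    expires_at: float
    attempts: int = 0
    consumed: bool = False


OTP_TTL_SECONDS = 300     # assumed lifetime of a one-time code
OTP_MAX_ATTEMPTS = 5      # assumed guess budget per challenge


def issue_otp(code, now=None):
    """Creates a server-side challenge; 'now' is injectable so expiry can be tested."""
    now = time.time() if now is None else now
    return OtpChallenge(code=code, expires_at=now + OTP_TTL_SECONDS)


def verify_otp_weak(challenge, submitted):
    """Weak pattern: a blank or missing value is treated as 'nothing to verify', and the
    comparison has no expiry, no attempt limit and no single-use guarantee."""
    if not submitted:
        return True
    return submitted == challenge.code


def verify_otp_strict(challenge, submitted, now=None):
    """Hardened pattern: reject unless a non-empty value matches in constant time and the
    challenge is unexpired, unconsumed and still within its attempt budget."""
    now = time.time() if now is None else now
    if challenge.consumed or now > challenge.expires_at:
        return False
    if challenge.attempts >= OTP_MAX_ATTEMPTS:
        return False
    challenge.attempts += 1
    if not submitted or not hmac.compare_digest(submitted.encode(), challenge.code.encode()):
        return False
    challenge.consumed = True   # single use: a replayed code is rejected
    return True
```

The ownership check belongs in the data-access layer, not in the client or in a front-end flag, since the request body is fully under the caller's control. The strict OTP path counts every attempt before comparing, so a caller cannot learn anything from the order in which checks fail.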
Recommended Actions for Users
To protect against the Apex Softcell vulnerabilities, users are strongly advised to upgrade their systems immediately. Apex Softcell LD Geo should be updated to version 4.0.0.7, and LD DP Back Office should be upgraded to version 24.8.21.1. These updates are crucial for closing the identified vulnerabilities and securing sensitive financial operations.
Additionally, organizations should ensure that all API endpoints rigorously validate input parameters to prevent unauthorized access and manipulation. Implementing anomaly detection systems can help identify unusual patterns, such as excessive failed login attempts that may indicate a brute-force attack. Regular security assessments and penetration testing should also be conducted to proactively identify and address vulnerabilities.
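As an added example of the anomaly detection recommended above (written for this article, not part of the advisory or any Apex Softcell product), the following Python keeps a sliding-window count of authentication failures per source IP and per account and raises one alert per key when the count reaches a threshold. Counting on both keys catches two shapes that a per-account counter alone misses: one address failing against many different accounts, and one account attacked from many addresses. The log format, addresses, user names, threshold and window are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "<ts> auth_<result> user=<u> ip=<a>" format.
SAMPLE_LOG = """\
2024-10-01T09:00:01Z auth_fail user=alice ip=203.0.113.5
2024-10-01T09:00:05Z auth_fail user=bob ip=203.0.113.5
2024-10-01T09:00:09Z auth_fail user=carol ip=203.0.113.5
2024-10-01T09:00:12Z auth_ok user=alice ip=198.51.100.7
2024-10-01T09:00:15Z auth_fail user=dave ip=203.0.113.5
2024-10-01T09:00:20Z auth_fail user=erin ip=203.0.113.5
2024-10-01T09:30:00Z auth_fail user=carol ip=198.51.100.20
2024-10-01T09:30:10Z auth_fail user=carol ip=198.51.100.21
2024-10-01T09:30:20Z auth_fail user=carol ip=198.51.100.22
2024-10-01T09:30:30Z auth_fail user=carol ip=198.51.100.23
2024-10-01T09:30:40Z auth_fail user=carol ip=198.51.100.24
2024-10-01T10:00:00Z auth_fail user=dave ip=198.51.100.30
2024-10-01T11:00:00Z auth_fail user=dave ip=198.51.100.31
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth_(?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Returns (timestamp, result, user, ip) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window failure counter keyed on ('ip', addr) and ('user', name).
    Emits a single alert per key the first time 'threshold' failures fall within 'window'."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e[0])          # tolerate out-of-order delivery
    recent = defaultdict(deque)              # key -> timestamps of failures in window
    alerted = set()
    alerts = []
    for ts, result, user, ip in events:
        if result != "fail":
            continue
        for key in (("ip", ip), ("user", user)):
            q = recent[key]
            q.append(ts)
            while q and q[0] < ts - window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"kind": key[0], "key": key[1],
                               "at": ts.isoformat(), "failures": len(q)})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(a)
```

On the sample data this flags 203.0.113.5 after its fifth failure across five different accounts, and the account carol after five failures from five different addresses, while dave's three failures spread over two hours never reach the threshold. A production version would feed the alert into the SIEM and pair it with a server-side lockout or step-up challenge, which is the control whose absence the advisory describes.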
Conclusion
The vulnerabilities identified in Apex Softcell’s platforms are serious threats that could result in unauthorized transactions and compromised user information. With the financial stakes involved, all users of Apex Softcell need to take proactive measures to secure their systems. By upgrading to the latest versions and implementing robust security protocols, organizations can significantly reduce the risks associated with these Apex Softcell vulnerabilities.