Attack Chain

1. An attacker gains unauthorized access to the TYPO3 backend, potentially through brute-force attacks or stolen credentials.
2. The attacker navigates to the backend user settings module.
3. A legitimate user or the attacker changes their password within the module while the TYPO3 instance is running version 14.2.0.
4. The SetupModuleController processes the password change request.
5. Instead of properly hashing the password, the SetupModuleController stores it in cleartext in the uc and user_settings fields of the be_users database table.
6. An attacker with database access can now retrieve the cleartext passwords from these fields.
7. The attacker uses the compromised credentials to impersonate the user and gain access to sensitive data or perform unauthorized actions.

Impact

Successful exploitation of this vulnerability allows attackers with database access to retrieve cleartext passwords, potentially leading to complete compromise of backend user accounts. While the vulnerability is limited to TYPO3 CMS version 14.2.0, the impact on affected instances is significant, as administrative accounts could be hijacked, allowing attackers to modify website content, install malicious extensions, or exfiltrate sensitive data. This could result in data breaches, financial loss, and reputational damage.

Recommendation

• Upgrade to TYPO3 version 14.3.0 LTS to address the underlying vulnerability (reference: Solution section).
• Execute the User Settings Scrubbing wizard in the TYPO3 Install Tool to sanitize existing cleartext passwords in the uc and user_settings fields (reference: Solution section).
• Require affected backend user accounts to reset their passwords immediately (reference: Solution section).
• Monitor database access logs for suspicious activity, especially access to the be_users table (reference: Attack Chain).
• Deploy the Sigma rule provided below to detect potential unauthorized access attempts following password changes.