Salesforce Industries Contains about Twenty Risks Due to Customer Configurations


A security researcher has discovered 21 potential risks in Salesforce Industries. Most of these need to be addressed by customers themselves.

At the urging of security company AppOmni, Salesforce has acknowledged five vulnerabilities in its Industry Clouds, part of the Customer 360 platform. The five recognized vulnerabilities range from a medium CVSS score (5.3) to a more serious one (7.5). Attackers can exploit them to bypass security controls and steal sensitive customer information.

AppOmni’s findings are not limited to those five vulnerabilities. An additional sixteen risks can arise from incorrect configurations. However, these are the responsibility of the customer.

Own Responsibility

Researcher Aaron Costello noted that misconfigurations in Salesforce Industries could lead to session takeovers, credential theft, and unauthorized access to encrypted data, among other issues. The risks occur in various components of the cloud platform.

Salesforce admitted that five of the findings are worthy of CVE status. Three of these have already been patched. For two others, configuration guidelines have been provided, requiring action from customers. These vulnerabilities allow, among other things, guest users to read encrypted data or bypass client-side permission checks.

The remaining sixteen risks fall under the customer’s own configuration management. For example, it’s possible that components do not enforce access controls by default or that sensitive data, such as API keys, are readable by unauthorized users. Some caching mechanisms can even bypass access levels and leak data between users.
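To make the caching and access-control failure modes described above concrete, here is an added illustration that is not code from Salesforce, AppOmni or the article. It models a generic record-lookup component in Python: the leaky version checks access only on a cache miss and keys the cache on the record id alone, so the first reader's result is replayed to any later caller; the hardened version enforces the access rule server-side on every call and keys cache entries per user. The record store, the owner-only access rule and the placeholder key values are all constructed for the example.

```python
"""Added example (not Salesforce or AppOmni code): a per-record response
cache that bypasses the access check and leaks data between users, beside
a version that enforces access on every call and caches per principal."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Record:
    record_id: str
    owner: str
    secret_field: str  # stands in for a sensitive value such as an API key


# Constructed sample store; the values are placeholders, not real keys.
STORE: Dict[str, Record] = {
    "rec-1": Record("rec-1", "alice", "KEY-ALICE-PLACEHOLDER"),
    "rec-2": Record("rec-2", "bob", "KEY-BOB-PLACEHOLDER"),
}


def can_read(user: str, record: Record) -> bool:
    """Assumed access rule for the example: only the owner may read a record."""
    return user == record.owner


class LeakyComponent:
    """Cache keyed on record id only. The access check runs on a cache miss,
    so whoever warms the cache decides what every later caller receives."""

    def __init__(self) -> None:
        self._cache: Dict[str, str] = {}

    def get_field(self, user: str, record_id: str) -> Optional[str]:
        if record_id in self._cache:
            return self._cache[record_id]  # no access check on a cache hit
        record = STORE.get(record_id)
        if record is None or not can_read(user, record):
            return None
        self._cache[record_id] = record.secret_field
        return record.secret_field


class HardenedComponent:
    """Access is checked on every call, before the cache is consulted, and
    entries are keyed on (user, record) so results never cross users."""

    def __init__(self) -> None:
        self._cache: Dict[Tuple[str, str], str] = {}

    def get_field(self, user: str, record_id: str) -> Optional[str]:
        record = STORE.get(record_id)
        if record is None or not can_read(user, record):
            return None
        key = (user, record_id)
        if key not in self._cache:
            self._cache[key] = record.secret_field
        return self._cache[key]


def demo() -> Dict[str, Optional[str]]:
    """Alice warms both caches with her own record; Bob then asks for it."""
    leaky, hardened = LeakyComponent(), HardenedComponent()
    leaky.get_field("alice", "rec-1")
    hardened.get_field("alice", "rec-1")
    return {
        "leaky_bob_sees_alice": leaky.get_field("bob", "rec-1"),
        "hardened_bob_sees_alice": hardened.get_field("bob", "rec-1"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is the ordering: an access decision made once and then cached under a key that omits the principal is a cross-user data leak waiting for the second caller, whereas checking access on every request and including the user in the cache key keeps the cache from becoming an authorization bypass. The same ordering applies to client-side permission checks: a check that runs only in the browser is never reached by a caller who talks to the component directly.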

Maturity Gap

Like many cloud service providers, Salesforce adheres to the “shared responsibility principle”: Salesforce provides the vault, but customers must remember to lock it themselves. According to Costello, this is where things go wrong. The Industries platform is built for non-technical users, yet it demands the same security rigor as traditional software, which, according to the researchers, creates a “maturity gap”.

Organizations are advised, among other things, to restrict access rules, configure caching correctly, and add extra protection to sensitive components. For customers subject to regulations such as GDPR, incorrect configuration can lead to serious compliance issues.

Salesforce emphasizes via Hacker News that it has resolved the vulnerabilities it can patch itself and that other risks are the result of incorrect configurations. These can have very significant consequences, as illustrated by a series of incidents with Snowflake customers last year.