| Identifier: | AIT-SA-20240514-02 |
| Target: | FIWARE Keyrock |
| Vendor: | FIWARE |
| Version: | all versions including 8.4 |
| CVE: | CVE-2024-42164 |
| Accessibility: | Remote |
| Severity: | Medium (4.3) |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |
Summary
Insufficiently random values for generating password reset token in all versions of FIWARE Keyrock including 8.4 allow attackers to disable two factor authorization of any user by predicting the token for the disable_2fa link.
Proof of Concept
The algorithm that is used to create the disable_2fa_key, is predictable. An attacker could predict the “random” numbers and disable the two factor authentication of any user:
It appears the endpoints to send the disable 2f and deactivate 2f functions are both unauthenticated:
An authenticated non-admin user can create multiple password-reset-token and predict multiple future random keys and use them to disable the 2factor-auth of any user.
For further information see Manipulate passwords of any user
Vulnerable Versions
All versions including 8.4 are affected.
Tested Versions
FIWARE Keyrock 8.4
Impact
An attacker could register a new user and use the password reset token to predict the random number. Using the predicted number the attacker might be able to disable the two factor authorization for any user.
Mitigation
Currently (August 12th, 2024) there is no known mitigation.
Vendor Contact Timeline
| 2023-12-19 | Initial contact with FIWARE |
| 2024-03-01 | Asked again about the status |
| 2024-08-12 | Public disclosure |
Advisory URL
https://pentest.ait.ac.at/security-advisory/fiware-keyrock-deactivate-2-factor-auth-of-any-user/
