FIWARE Keyrock: Deactivate 2-factor-auth of any user

12 August 2024

Identifier: AIT-SA-20240514-02
Target: FIWARE Keyrock
Vendor: FIWARE
Version: all versions including 8.4
CVE: CVE-2024-42164
Accessibility: Remote
Severity: Medium (4.3)
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

Summary

Insufficiently random values used to generate password reset tokens in all versions of FIWARE Keyrock, including 8.4, allow an attacker to disable two-factor authentication for any user by predicting the token in the disable_2fa link.

Proof of Concept

The algorithm used to create the disable_2fa_key is predictable. An attacker could predict the "random" numbers and disable two-factor authentication for any user:

[Image: code with predictable Math.random()]

It appears that the endpoints for the "send disable 2FA" and "deactivate 2FA" functions are both unauthenticated:

[Image: code with unauthenticated routes]

An authenticated non-admin user can create multiple password reset tokens, predict multiple future random keys from them, and use those keys to disable two-factor authentication for any user.

For further information, see Manipulate passwords of any user.

Vulnerable Versions

All versions, including 8.4, are affected.

Tested Versions

FIWARE Keyrock 8.4

Impact

An attacker could register a new user and use the password reset token to predict the random number. Using the predicted number, the attacker might be able to disable two-factor authentication for any user.

Mitigation

Currently (August 12th, 2024) there is no known mitigation.

Vendor Contact Timeline

2023-12-19 Initial contact with FIWARE
2024-03-01 Asked again about the status
2024-08-12 Public disclosure

Advisory URL

https://pentest.ait.ac.at/security-advisory/fiware-keyrock-deactivate-2-factor-auth-of-any-user/
