Message-ID: <92dbfa1d939d4940b121deed26f1e2f4@sba-research.org>
Date: Thu, 6 Jun 2024 10:44:13 +0000
From: SBA Research Security Advisory <advisory@...-research.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: [SBA-ADV-20240202-01] CVE-2024-5657: CraftCMS Plugin - Two-Factor Authentication 3.3.1 to 3.3.3 - Password Hash Disclosure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# CraftCMS Plugin - Two-Factor Authentication - Password Hash Disclosure #

Link: https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240202-01_CraftCMS_Plugin_Two-Factor_Authentication_Password_Hash_Disclosure

## Vulnerability Overview ##

The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP.

* **Identifier**: SBA-ADV-20240202-01
* **Type of Vulnerability**: Exposure of Sensitive Attributes
* **Software/Product Name**: [Two-Factor Authentication](https://plugins.craftcms.com/two-factor-authentication?craft4)
* **Vendor**: [Born05](https://www.born05.com/en/)
* **Affected Versions**: 3.3.1, 3.3.2 and 3.3.3
* **Fixed in Version**: 3.3.4
* **CVE ID**: CVE-2024-5657
* **CVSS Vector**: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
* **CVSS Base Score**: 3.7 (Low)

## Vendor Description ##

> Craft 4 plugin for two-factor or two-step login using Time Based OTP (TOTP,
> like Google Authenticator).

Source: <https://github.com/born05/craft-twofactorauthentication>

## Impact ##

Assuming that an attacker obtains the session of a victim, the attacker is able to retrieve the password hash of the victim, which constitutes an authorization vulnerability. In general, users should not even be able to read their own password hashes. In the worst case, the attacker is able to obtain the cleartext password by cracking the password hash. Then, the attacker can disable MFA from within the hijacked session and subsequently establish new sessions in the context of the victim.

## Vulnerability Description ##

After submitting the `authenticationCode`, the server responds, in case of success, with the password hash of the authenticated user. The `authenticationCode` is the time-based one-time password associated with the authenticated user. This `authenticationCode` can be submitted on at least the following endpoints:

1. `/index.php?p=admin%2Factions%2Ftwo-factor-authentication%2Fsettings%2Fturn-on`
2. `/index.php?p=admin%2Factions%2Ftwo-factor-authentication%2Fverify%2Flogin-process`

The first endpoint is used to enroll a second factor, while the second endpoint is used in the authentication process to verify the second factor.

A user who has two-factor authentication enabled is not protected from this attack, since two-factor authentication can be disabled and re-enrolled without entering a password. After re-enrolling, the attacker will obtain the password hash.

The HTTP response that contains the password hash has the HTTP header `Cache-Control: no-cache, no-store, must-revalidate` set, meaning the browser does not cache the response.

Due to the disclosure of the password hash, there is the possibility that the attacker is able to prolong the access to the account beyond the lifetime of a single session obtained from the victim. Furthermore, the attacker might use the password in credential stuffing attacks against other services.

## Proof of Concept ##

Assuming that an attacker is in control of the session of a victim: if the victim has two-factor authentication enabled, the attacker can disable it. The plugin then reveals a newly generated shared secret which the attacker can use to calculate the current one-time password. With the following request the attacker re-enables two-factor authentication.

```http
POST /index.php?p=admin%2Factions%2Ftwo-factor-authentication%2Fsettings%2Fturn-on HTTP/1.1
Host: example.com
Cookie: CraftSessionId=[...]; [...]

{
  "authenticationCode": "123456"
}
```

If the `authenticationCode` is a valid TOTP, the server returns a response containing the password hash of the victim.

```http
HTTP/1.1 200 OK
[...]

{
  [...]
  "user": {
    "password": "$2y$13$[...]",
    [...]
  }
}
```

## Recommended Countermeasures ##

We recommend updating to version 3.3.4 or later, which applies the following countermeasure: never disclose the password hash to the user.

## Timeline ##

* `2024-02-02`: Identified the vulnerability in version 3.3.2
* `2024-02-04`: Contacted the maintainer
* `2024-02-05`: Vulnerability disclosed to the maintainer
* `2024-02-07`: Requested CVE from MITRE
* `2024-02-08`: Maintainer released version 3.3.3, which is still vulnerable
* `2024-02-08`: Maintainer fixed the vulnerability in version 3.3.4
* `2024-06-04`: SBA Research becomes a CNA
* `2024-06-05`: SBA Research assigned CVE-2024-5657
* `2024-06-06`: Public disclosure

## References ##

* Advisory regarding a similar vulnerability in CraftCMS (CVE-2022-37783): <https://at-trustit.tuvaustria.com/tuev-trust-it-cves/cve-disclosure-of-password-hashes/>

## Credits ##

* Fabian Funder ([SBA Research](https://www.sba-research.org/))
* Jakob Pachmann ([SBA Research](https://www.sba-research.org/))

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmZhkvgACgkQ+7iGL1j3
dbLpig//foQUBAbmK0YJahf/LLBJDIQ6l7/nt/OlJotWhkfEG/3kxmGlf/BXZ1V4
Yh1NPMWTMX1pMYA0xRGI8s0OUG51OEfEBpXEPYDYPo/G/Zx1qBBlp8UDJZ+1wwIu
sUqc+lg/i3QicRB6ZvFF88yac4/BItMn2guUuDMqPHeMuIuwBuM9FZuFazg2syOY
7y5hc3X8OxhTuVRbXYfVVFMpj2/Y96OtRV7j/5cCH2LeJi2k5pCCycZbU92yb/HQ
SnKW0HhXNXAzGdlSIq/kF/5AjNZVMumRbpjS1HvLnxE7Wu/2HzFK9EP9MtzpqzB+
6hFnxQjfOM+jVsG9Rwe6sQW+2JLof8JcVdiYVTEPgE0yjo0LmAXsi4oD6VJcnwNM
qrmTG/HZ8T9+nrhLKbzIsiGhlRaDxkVECesUvY0C6mp+9Wvppd7xIMhd+coEEPM8
4w64vaW7up1gFzN4lAxutaTg8obWW8H6QER/RKWRRqVcQh93By9vvG0dXqS/WkXx
eEG+radMCzGEq/9ntVpSAS2OAMxpFEr7Bz92QdUZeVYbyG/l+5oM9MiZJoRCBffY
BTJhl06jENKZ1ysIaAzgYLAhOZbjlmaAvvJQuLZlUdX4eSmPV49zacs97eFZi3oU
2V//0QH8EUGWQk7oa0I11pyuEjZ2E913o3jK7gFUHZEF21nqe2E=
=7rI1
-----END PGP SIGNATURE-----
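The countermeasure the advisory recommends (never serialize the password hash into a response) and a check for catching this class of leak are illustrated below in an added example. This is not the plugin's or SBA Research's code and does not use the CraftCMS API; it models a user record as a plain dictionary, contrasts a naive whole-record dump with allow-list serialization, and scans a JSON response body for bcrypt-shaped strings of the kind shown in the proof of concept (`$2y$13$...`). The user record, field names and the hash value are constructed for the example; the hash is fabricated and is not a real credential.

```python
import json
import re

# Constructed user record as it might sit in memory before serialization.
# The "password" value is a fabricated bcrypt-shaped string, not a real hash.
SAMPLE_USER = {
    "id": 1,
    "username": "admin",
    "email": "admin@example.com",
    "password": "$2y$13$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",
    "admin": True,
}

# Allow-list of attributes a user may see about their own account. Anything not
# listed (password hash, verification codes, ...) never reaches the response.
USER_PUBLIC_FIELDS = frozenset({"id", "username", "email", "admin"})

# bcrypt as produced by PHP's password_hash(): "$2y$" + 2-digit cost + "$" +
# 22-char salt + 31-char digest (53 chars of the bcrypt base64 alphabet).
BCRYPT_RE = re.compile(r"\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}")


def serialize_user_unsafe(user):
    """The leaking pattern: dump the whole record into the JSON response."""
    return {"success": True, "user": dict(user)}


def serialize_user_safe(user, allowed=USER_PUBLIC_FIELDS):
    """The fixed pattern: emit only explicitly approved attributes."""
    return {"success": True, "user": {k: v for k, v in user.items() if k in allowed}}


def find_password_hashes(body):
    """Return every bcrypt-shaped substring found in a response body."""
    return BCRYPT_RE.findall(body)


def response_leaks_hash(payload):
    """True if the JSON encoding of a response payload contains a bcrypt hash.

    Useful as an assertion in API tests or as a response filter in a proxy
    that reviews an application's own responses for credential material.
    """
    return bool(find_password_hashes(json.dumps(payload)))


if __name__ == "__main__":
    for name, fn in (("unsafe", serialize_user_unsafe), ("safe", serialize_user_safe)):
        payload = fn(SAMPLE_USER)
        print(name, "leaks hash:", response_leaks_hash(payload))
        print(json.dumps(payload, indent=2))
```

The allow-list is the important design choice: a deny-list that strips `password` today silently starts leaking the next sensitive column added to the model, whereas an allow-list fails closed. The regex check complements it as a regression test run over real responses of the authentication endpoints.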