GHSA-WC43-73W7-X2F5

Vulnerability from github – Published: 2024-09-26 17:49 – Updated: 2024-09-26 21:11
VLAI?
Summary
Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials
Details

Preconditions

  • The code login method is enabled with the passwordless_enabled flag set to true .
  • A 2FA method such as totp is enabled.
  • required_aal of the whomai check or the settings flow is set to highest_available. AAL stands for Authenticator Assurance Levels and can range from 0 (no factor) to 2 (two factors).
  • A user uses the code method as the only login method available. They do not have a password or any other first factor credential enabled.
  • The user has 2FA enabled.
  • The user’s available_aal is incorrectly stored in the database as aal1 or aal0 or NULL.
  • A user signs in using the code method, but does not complete the 2FA challenge.

Example server configuration

Below you will find an vulnerable example configuration. Keep in mind that, for the account to be vulnerable, the account must have no first factor except the code method enabled plus a second factor.

selfservice:
  methods:
    code:
      # The `code` login method is enabled with the `passwordless_enabled` flag set to `true`
      passwordless_enabled: true
    totp:
      # 2FA method such as `totp` is enabled
      enabled: true
  flows:
    settings:
      # This is set
      required_aal: highest_available
session:
  whoami:
    # Or this
    required_aal: highest_available

Impact

Given the preconditions, the highest_available setting will incorrectly assume that the identity’s highest available AAL is aal1 even though it really is aal2. This means that the highest_available configuration will act as if the user has only one factor set up, for that particular user. This means that they can call the settings and whoami endpoint without a aal2 session, even though that should be disallowed.

An attacker would need to steal or guess a valid login OTP of a user who has only OTP for login enabled and who has an incorrect available_aal value stored, to exploit this vulnerability.

All other aspects of the session (e.g. the session’s aal) are not impacted by this issue.

On Ory Network, only 0,00066% of registered users were affected by this issue, and most of those users appeared to be test users. Their respective AAL values have since been updated and they are no longer vulnerable to this attack.

Patches

Version 1.3.0 is not affected by this issue.

Workarounds

If you require 2FA please disable the passwordless code login method. If that is not possible, check the sessions aal to identify if the user has aal1 or aal2.

Severity ?
4.4 (Medium)
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
5.9 (Medium)
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.2.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ory/kratos"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45042"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-26T17:49:17Z",
    "nvd_published_at": "2024-09-26T18:15:07Z",
    "severity": "MODERATE"
  },
  "details": "## Preconditions\n\n- The `code` login method is enabled with the `passwordless_enabled` flag set to `true` .\n- A 2FA method such as `totp` is enabled.\n- `required_aal` of the whomai check or the settings flow is set to `highest_available`. AAL stands for Authenticator Assurance Levels and can range from 0 (no factor) to 2 (two factors).\n- A user uses the `code` method as the **only** login method available. They do not have a password or any other first factor credential enabled.\n- The user has 2FA enabled.\n- The user\u2019s `available_aal` is incorrectly stored in the database as `aal1` or `aal0` or `NULL`.\n- A user signs in using the code method, but does not complete the 2FA challenge.\n\n**Example server configuration**\n\nBelow you will find an vulnerable example configuration. Keep in mind that, for the account to be vulnerable, the account must have no first factor except the `code` method enabled plus a second factor.\n\n```\nselfservice:\n  methods:\n    code:\n      # The `code` login method is enabled with the `passwordless_enabled` flag set to `true`\n      passwordless_enabled: true\n    totp:\n      # 2FA method such as `totp` is enabled\n      enabled: true\n  flows:\n    settings:\n      # This is set\n      required_aal: highest_available\nsession:\n  whoami:\n    # Or this\n    required_aal: highest_available\n```\n\n## Impact\n\nGiven the preconditions, the `highest_available` setting will incorrectly assume that the identity\u2019s highest available AAL is `aal1` even though it really is `aal2`. This means that the `highest_available` configuration will act as if the user has only one factor set up, for that particular user. This means that they can call the settings and whoami endpoint without a `aal2` session, even though that should be disallowed.\n\nAn attacker would need to steal or guess a valid login OTP of a user who has only OTP for login enabled and who has an incorrect `available_aal` value stored, to exploit this vulnerability.\n\nAll other aspects of the session (e.g. the session\u2019s aal) are not impacted by this issue.\n\nOn Ory Network, only 0,00066% of registered users were affected by this issue, and most of those users appeared to be test users. Their respective AAL values have since been updated and they are no longer vulnerable to this attack.\n\n### Patches\n\nVersion 1.3.0 is not affected by this issue.\n\n### Workarounds\n\nIf you require 2FA please disable the passwordless code login method. If that is not possible, check the sessions `aal` to identify if the user has `aal1` or `aal2`.",
  "id": "GHSA-wc43-73w7-x2f5",
  "modified": "2024-09-26T21:11:01Z",
  "published": "2024-09-26T17:49:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ory/kratos/security/advisories/GHSA-wc43-73w7-x2f5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45042"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ory/kratos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Ory Kratos\u0027s setting required_aal `highest_available` does not properly respect code + mfa credentials"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.