cnvd - cnvd-2022-23510

CNVD-2022-23510

Vulnerability from cnvd - Published: 2022-03-29

Title

Wire-server代码问题漏洞

Description

Wire-server是开源Wire安全消息应用程序的备份服务器。 Wire-server存在安全漏洞，攻击者可利用漏洞仅使用“授权”标头中的短期会话令牌来触发用户的电子邮件地址更改。

Severity

高

Patch Name

Wire-server代码问题漏洞的补丁

Patch Description

Wire-server是开源Wire安全消息应用程序的备份服务器。 Wire-server存在安全漏洞，攻击者可利用漏洞仅使用“授权”标头中的短期会话令牌来触发用户的电子邮件地址更改。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-41100

Impacted products

Name
Wire Wire-server <2021-08-16

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-41100"
    }
  },
  "description": "Wire-server\u662f\u5f00\u6e90Wire\u5b89\u5168\u6d88\u606f\u5e94\u7528\u7a0b\u5e8f\u7684\u5907\u4efd\u670d\u52a1\u5668\u3002\n\nWire-server\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u4ec5\u4f7f\u7528\u201c\u6388\u6743\u201d\u6807\u5934\u4e2d\u7684\u77ed\u671f\u4f1a\u8bdd\u4ee4\u724c\u6765\u89e6\u53d1\u7528\u6237\u7684\u7535\u5b50\u90ae\u4ef6\u5730\u5740\u66f4\u6539\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-23510",
  "openTime": "2022-03-29",
  "patchDescription": "Wire-server\u662f\u5f00\u6e90Wire\u5b89\u5168\u6d88\u606f\u5e94\u7528\u7a0b\u5e8f\u7684\u5907\u4efd\u670d\u52a1\u5668\u3002\r\n\r\nWire-server\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u4ec5\u4f7f\u7528\u201c\u6388\u6743\u201d\u6807\u5934\u4e2d\u7684\u77ed\u671f\u4f1a\u8bdd\u4ee4\u724c\u6765\u89e6\u53d1\u7528\u6237\u7684\u7535\u5b50\u90ae\u4ef6\u5730\u5740\u66f4\u6539\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Wire-server\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Wire Wire-server \u003c2021-08-16"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-41100",
  "serverity": "\u9ad8",
  "submitTime": "2021-10-09",
  "title": "Wire-server\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2021-41100 (GCVE-0-2021-41100)

Vulnerability from cvelistv5 – Published: 2021-10-04 18:25 – Updated: 2024-08-04 02:59

Summary

Wire-server is the backing server for the open source wire secure messaging application. In affected versions it is possible to trigger email address change of a user with only the short-lived session token in the `Authorization` header. As the short-lived token is only meant as means of authentication by the client for less critical requests to the backend, the ability to change the email address with a short-lived token constitutes a privilege escalation attack. Since the attacker can change the password after setting the email address to one that they control, changing the email address can result in an account takeover by the attacker. Short-lived tokens can be requested from the backend by Wire clients using the long lived tokens, after which the long lived tokens can be stored securely, for example on the devices key chain. The short lived tokens can then be used to authenticate the client towards the backend for frequently performed actions such as sending and receiving messages. While short-lived tokens should not be available to an attacker per-se, they are used more often and in the shape of an HTTP header, increasing the risk of exposure to an attacker relative to the long-lived tokens, which are stored and transmitted in cookies. If you are running an on-prem instance and provision all users with SCIM, you are not affected by this issue (changing email is blocked for SCIM users). SAML single-sign-on is unaffected by this issue, and behaves identically before and after this update. The reason is that the email address used as SAML NameID is stored in a different location in the databse from the one used to contact the user outside wire. Version 2021-08-16 and later provide a new end-point that requires both the long-lived client cookie and `Authorization` header. The old end-point has been removed. If you are running an on-prem instance with at least some of the users invited or provisioned via SAML SSO and you cannot update then you can block `/self/email` on nginz (or in any other proxies or firewalls you may have set up). You don't need to discriminate by verb: `/self/email` only accepts `PUT` and `DELETE`, and `DELETE` is almost never used.

Severity ?

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-285 - Improper Authorization

Assigner

GitHub_M

References

URL

Tags

https://github.com/wireapp/wire-server/security/a…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	wireapp	wire-server	Affected: < 2021-08-16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:59:31.522Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-server",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2021-08-16"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wire-server is the backing server for the open source wire secure messaging application. In affected versions it is possible to trigger email address change of a user with only the short-lived session token in the `Authorization` header. As the short-lived token is only meant as means of authentication by the client for less critical requests to the backend, the ability to change the email address with a short-lived token constitutes a privilege escalation attack. Since the attacker can change the password after setting the email address to one that they control, changing the email address can result in an account takeover by the attacker. Short-lived tokens can be requested from the backend by Wire clients using the long lived tokens, after which the long lived tokens can be stored securely, for example on the devices key chain. The short lived tokens can then be used to authenticate the client towards the backend for frequently performed actions such as sending and receiving messages. While short-lived tokens should not be available to an attacker per-se, they are used more often and in the shape of an HTTP header, increasing the risk of exposure to an attacker relative to the long-lived tokens, which are stored and transmitted in cookies. If you are running an on-prem instance and provision all users with SCIM, you are not affected by this issue (changing email is blocked for SCIM users). SAML single-sign-on is unaffected by this issue, and behaves identically before and after this update. The reason is that the email address used as SAML NameID is stored in a different location in the databse from the one used to contact the user outside wire. Version 2021-08-16 and later provide a new end-point that requires both the long-lived client cookie and `Authorization` header. The old end-point has been removed. If you are running an on-prem instance with at least some of the users invited or provisioned via SAML SSO and you cannot update then you can block `/self/email` on nginz (or in any other proxies or firewalls you may have set up). You don\u0027t need to discriminate by verb: `/self/email` only accepts `PUT` and `DELETE`, and `DELETE` is almost never used."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-04T18:25:10",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m"
        }
      ],
      "source": {
        "advisory": "GHSA-9rm2-w6pq-333m",
        "discovery": "UNKNOWN"
      },
      "title": "Account takeover when having only access to a user\u0027s short lived token in wire-server",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41100",
          "STATE": "PUBLIC",
          "TITLE": "Account takeover when having only access to a user\u0027s short lived token in wire-server"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wire-server",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 2021-08-16"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "wireapp"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Wire-server is the backing server for the open source wire secure messaging application. In affected versions it is possible to trigger email address change of a user with only the short-lived session token in the `Authorization` header. As the short-lived token is only meant as means of authentication by the client for less critical requests to the backend, the ability to change the email address with a short-lived token constitutes a privilege escalation attack. Since the attacker can change the password after setting the email address to one that they control, changing the email address can result in an account takeover by the attacker. Short-lived tokens can be requested from the backend by Wire clients using the long lived tokens, after which the long lived tokens can be stored securely, for example on the devices key chain. The short lived tokens can then be used to authenticate the client towards the backend for frequently performed actions such as sending and receiving messages. While short-lived tokens should not be available to an attacker per-se, they are used more often and in the shape of an HTTP header, increasing the risk of exposure to an attacker relative to the long-lived tokens, which are stored and transmitted in cookies. If you are running an on-prem instance and provision all users with SCIM, you are not affected by this issue (changing email is blocked for SCIM users). SAML single-sign-on is unaffected by this issue, and behaves identically before and after this update. The reason is that the email address used as SAML NameID is stored in a different location in the databse from the one used to contact the user outside wire. Version 2021-08-16 and later provide a new end-point that requires both the long-lived client cookie and `Authorization` header. The old end-point has been removed. If you are running an on-prem instance with at least some of the users invited or provisioned via SAML SSO and you cannot update then you can block `/self/email` on nginz (or in any other proxies or firewalls you may have set up). You don\u0027t need to discriminate by verb: `/self/email` only accepts `PUT` and `DELETE`, and `DELETE` is almost never used."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-285: Improper Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m",
              "refsource": "CONFIRM",
              "url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-9rm2-w6pq-333m",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41100",
    "datePublished": "2021-10-04T18:25:10",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T02:59:31.522Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-23510

CVE-2021-41100 (GCVE-0-2021-41100)

Tags

Sightings

Nomenclature