GHSA-MH8G-HPRG-8363
Vulnerability from github – Published: 2020-01-30 21:21 – Updated: 2021-10-20 18:03Impact
The security configuration in etc/security/mh_default_org.xml enables a remember-me cookie based on a hash created from the username, password, and an additional system key. Opencast has hard-coded this system key in the large XML file and never mentions to change this, basically ensuring that all systems use the same key:
<sec:remember-me key="opencast" user-service-ref="userDetailsService" />
This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. For example, a remember-me token obtained from develop.opencast.org can be used on stable.opencast.org without actually knowing the log-in credentials.
Such an attack will usually not work on different installations – assuming that safe, unique passwords are used – but it is basically guaranteed to work to get access to all machines of one cluster if a token from one machine is compromised.
Patches
This problem is fixed in Opencast 7.6 and Opencast 8.1
Workarounds
We strongly recommend updating to the patched version. Still, as a workaround for older versions, in etc/security/mh_default_org.xml, set a custom key for each server:
<sec:remember-me key="CUSTOM_RANDOM_KEY" user-service-ref="userDetailsService" />
References
- Relevant lines in the security configuration
- Spring Security Remember-Me Authentication Documentation
For more information
If you have any questions or comments about this advisory: - Open an issue in opencast/opencast - For security-relevant information, email us at security@opencast.org
Thanks
Thanks to @LukasKalbertodt for reporting the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.opencastproject:opencast-kernel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.opencastproject:opencast-kernel"
},
"ranges": [
{
"events": [
{
"introduced": "8.0"
},
{
"fixed": "8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5222"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": true,
"github_reviewed_at": "2020-01-30T20:48:17Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nThe security configuration in `etc/security/mh_default_org.xml` enables a remember-me cookie based on a hash created from the [username, password, and an additional system key](https://docs.spring.io/spring-security/site/docs/3.0.x/reference/remember-me.html). Opencast has hard-coded this system key in the large XML file and never mentions to change this, basically ensuring that all systems use the same key:\n\n```xml\n\u003csec:remember-me key=\"opencast\" user-service-ref=\"userDetailsService\" /\u003e\n```\n\nThis means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. For example, a remember-me token obtained from develop.opencast.org can be used on stable.opencast.org without actually knowing the log-in credentials.\n\nSuch an attack will usually not work on different installations \u2013 assuming that safe, unique passwords are used \u2013 but it is basically guaranteed to work to get access to all machines of one cluster if a token from one machine is compromised.\n\n### Patches\n\nThis problem is fixed in Opencast 7.6 and Opencast 8.1\n\n### Workarounds\n\nWe strongly recommend updating to the patched version. Still, as a workaround for older versions, in `etc/security/mh_default_org.xml`, set a custom key for each server:\n\n```xml\n\u003csec:remember-me key=\"CUSTOM_RANDOM_KEY\" user-service-ref=\"userDetailsService\" /\u003e\n```\n\n### References\n\n- [Relevant lines in the security configuration](https://github.com/opencast/opencast/blob/161ee619382f144dc35eea211fc6b556025b98e1/etc/security/mh_default_org.xml#L335-L336)\n- [Spring Security Remember-Me Authentication Documentation](https://docs.spring.io/spring-security/site/docs/3.0.x/reference/remember-me.html#remember-me-hash-token)\n\n### For more information\nIf you have any questions or comments about this advisory:\n- Open an issue in [opencast/opencast](https://github.com/opencast/opencast/issues)\n- For security-relevant information, email us at [security@opencast.org](mailto:security@opencast.org)\n\n### Thanks\nThanks to @LukasKalbertodt for reporting the issue.",
"id": "GHSA-mh8g-hprg-8363",
"modified": "2021-10-20T18:03:56Z",
"published": "2020-01-30T21:21:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5222"
},
{
"type": "WEB",
"url": "https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hard-Coded Key Used For Remember-me Token in Opencast"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.