GHSA-Q5VH-6WHW-X745

Vulnerability from github – Published: 2021-08-13 20:16 – Updated: 2024-10-07 16:44
VLAI?
Summary
Improper Authorization and Origin Validation Error in OneFuzz
Details

Impact

Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance.

To be vulnerable, a OneFuzz deployment must be: * Version 2.12.0 or greater * Deployed with the non-default --multi_tenant_domain option

This can result in read/write access to private data such as: * Software vulnerability and crash information * Security testing tools * Proprietary code and symbols

Via authorized API calls, this also enables tampering with existing data and unauthorized code execution on Azure compute resources.

Patches

This issue is resolved starting in release 2.31.0, via the addition of application-level check of the bearer token's issuer against an administrator-configured allowlist.

Workarounds

Users can restrict access to the tenant of a deployed OneFuzz instance < 2.31.0 by redeploying in the default configuration, which omits the --multi_tenant_domain option.

References

You can find an overview of the Microsoft Identity Platform here. This vulnerability applies to the multi-tenant application pattern, as described here.

For more information

If you have any questions or comments about this advisory: * Open an issue in OneFuzz * Email us at fuzzing@microsoft.com

Severity ?
10.0 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
9.5 (Critical)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "onefuzz"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.12.0"
            },
            {
              "fixed": "2.31.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37705"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-346",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-13T20:16:08Z",
    "nvd_published_at": "2021-08-13T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "## Impact\n\nStarting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance.\n\nTo be vulnerable, a OneFuzz deployment must be:\n* Version 2.12.0 or greater\n* Deployed with the non-default [`--multi_tenant_domain`](https://github.com/microsoft/onefuzz/blob/2.30.0/src/deployment/deploy.py#L1021) option\n\nThis can result in read/write access to private data such as:\n* Software vulnerability and crash information\n* Security testing tools\n* Proprietary code and symbols\n\nVia authorized API calls, this also enables tampering with existing data and unauthorized code execution on Azure compute resources.\n\n## Patches\n\nThis issue is resolved starting in release 2.31.0, via the addition of application-level check of the bearer token\u0027s `issuer` against an administrator-configured allowlist.\n\n## Workarounds\n\nUsers can restrict access to the tenant of a deployed OneFuzz instance \u003c 2.31.0 by redeploying in the default configuration, which omits the `--multi_tenant_domain` option.\n\n## References\n\nYou can find an overview of the Microsoft Identity Platform [here](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview).  This vulnerability applies to the multi-tenant application pattern, as described [here](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant).\n\n## For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [OneFuzz](https://github.com/microsoft/onefuzz)\n* Email us at [fuzzing@microsoft.com](mailto:fuzzing@microsoft.com)",
  "id": "GHSA-q5vh-6whw-x745",
  "modified": "2024-10-07T16:44:37Z",
  "published": "2021-08-13T20:16:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/onefuzz/security/advisories/GHSA-q5vh-6whw-x745"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37705"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/onefuzz/pull/1153"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/onefuzz/commit/2fcb4998887959b4fa11894a068d689189742cb1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/onefuzz"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/onefuzz/releases/tag/2.31.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/onefuzz/PYSEC-2021-344.yaml"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/onefuzz"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper Authorization and Origin Validation Error in OneFuzz"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.