GHSA-XHJW-7VH5-QXQM

Vulnerability from github – Published: 2024-03-08 17:33 – Updated: 2024-11-12 21:13
VLAI?
Summary
LibOSDP RMAC revert to the beginning of the session
Details
  • Issues:
  • SCS_14 is allowed on encrypted connection (osdp_phy.c)
  • No validation for RMAC_I is only in response to osdp_SCRYPT (osdp_cp.c)
  • Couldn't find anything specific in the OSDP specifications indicating it is forbidden, I'm gussing it shouldn't be allowed according from the secure connection initialization flow (let me know if you think there is spec-rela ted change that should be done)
  • Attack:
  • Once RMAC_I message can be sent during a session, attacker with MITM access to the communication may intercept the original RMAC_I reply and save it.
  • While the session continues, the attacker will record all of the replies and save them, till capturing the message to be replied (can be detected by ID, length or time based on inspection of visual activity next to the reade r)
  • Once attacker captures a session with the message to be replayed, he stops reseting the connection and waits for signal to perform the replay to of the PD to CP message (ex: by signaling remotly to the MIMT device or setting a specific timing).
  • in order to replay, the attacker will craft a specific RMAC_I message in the proper seq of the execution, which will result in reverting the RMAC to the begining of the session.
  • At that phase - attacker can replay all the messages from the begining of the session.

Impact

Replay attack

Patches

This issue has been fixed in 298576d9214b48214092eebdd892ec77be085e5a

Severity ?
5.1 (Medium)
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "libosdp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52288"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-924"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-08T17:33:51Z",
    "nvd_published_at": "2024-11-11T20:15:20Z",
    "severity": "MODERATE"
  },
  "details": "- Issues:\n  - SCS_14 is allowed on encrypted connection (osdp_phy.c)\n  - No validation for RMAC_I is only in response to osdp_SCRYPT (osdp_cp.c)\n  - Couldn\u0027t find anything specific in the OSDP specifications indicating it is forbidden, I\u0027m gussing it shouldn\u0027t be allowed according from the secure connection initialization flow (let me know if you think there is spec-rela\nted change that should be done)\n- Attack:\n  - Once RMAC_I message can be sent during a session, attacker with MITM access to the communication may intercept the original RMAC_I reply and save it.\n  - While the session continues, the attacker will record all of the replies and save them, till capturing the message to be replied (can be detected by ID, length or time based on inspection of visual activity next to the reade\nr)\n  - Once attacker captures a session with the message to be replayed, he stops reseting the connection and waits for signal to perform the replay to of the PD to CP message (ex: by signaling remotly to the MIMT device or setting\n a specific timing).\n  - in order to replay, the attacker will craft a specific RMAC_I message in the proper seq of the execution, which will result in reverting the RMAC to the begining of the session.\n  - At that phase - attacker can replay all the messages from the begining of the session.\n\n### Impact\nReplay attack\n\n### Patches\nThis issue has been fixed in 298576d9214b48214092eebdd892ec77be085e5a\n",
  "id": "GHSA-xhjw-7vh5-qxqm",
  "modified": "2024-11-12T21:13:28Z",
  "published": "2024-03-08T17:33:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/goToMain/libosdp/security/advisories/GHSA-xhjw-7vh5-qxqm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52288"
    },
    {
      "type": "WEB",
      "url": "https://github.com/goToMain/libosdp/commit/298576d9214b48214092eebdd892ec77be085e5a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/goToMain/libosdp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LibOSDP RMAC revert to the beginning of the session"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.