2019-06-04 14:40:46 |
Xavier Guimard |
description |
Hi all,
during an internal audit, one of lemonldap-ng's developers discovered an
attack vector. It opens 3 security issues:
- [high] for 2.0.0 ≤ version < 2.0.4: when CSRF tokens are
enabled (default) and tokens are stored in session DB (not default,
used with poor load-balancers), the token can be used to open an
anonymous short-life session (2mn). It allows one to access to all
aplications without additional rules
- [medium] for every versions < 2.0.4 or 1.9.19 when SAML/OIDC tokens are
stored in sessions DB (not default), tokens can be used to have an
anonymous session
- [low] for every versions < 2.0.4 or 1.9.19: when self-registration
is allowed, mail token can be used to have an anonymous session.
You can find Debian patchs here:
* 1.9.x series (Bionix/Cosmic): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/stretch-security/debian/patches/CVE-2019-12046.patch
* 2.0.x series (Disco): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/master/debian/patches/CVE-2019-12046.patch
1.9.x patch can be backported to 1.4.x series (Xenial), not fully tested.
For more, see:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1743
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1744
Cheers,
Xavier (yadd) <yadd@debian.org> |
Hi all,
during an internal audit, one of lemonldap-ng's developers discovered an
attack vector. It opens 3 security issues:
- [high] for 2.0.0 ≤ version < 2.0.4: when CSRF tokens are
enabled (default) and tokens are stored in session DB (not default,
used with poor load-balancers), the token can be used to open an
anonymous short-life session (2mn). It allows one to access to all
aplications without additional rules
- [high] for every versions < 2.0.4 or 1.9.19 when SAML/OIDC tokens are
stored in sessions DB (not default), tokens can be used to have an
anonymous session
- [low] for every versions < 2.0.4 or 1.9.19: when self-registration
is allowed, mail token can be used to have an anonymous session.
You can find Debian patchs here:
* 1.9.x series (Bionix/Cosmic): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/stretch-security/debian/patches/CVE-2019-12046.patch
* 2.0.x series (Disco): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/master/debian/patches/CVE-2019-12046.patch
1.9.x patch can be backported to 1.4.x series (Xenial), not fully tested.
For more, see:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1743
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1744
Cheers,
Xavier (yadd) <yadd@debian.org> |
|