2024-12-08 03:06:42 +00:00


{
"id": "CVE-2021-41129",
"sourceIdentifier": "security-advisories@github.com",
"published": "2021-10-06T20:15:19.897",
"lastModified": "2024-11-21T06:25:32.307",
"vulnStatus": "Modified",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In rare cases this can allow a malicious actor to authenticate as a random user in the Panel. The malicious user must target an account with two-factor authentication enabled, and then must provide a correct two-factor authentication token before being authenticated as that user. Due to a validation flaw in the logic handling user authentication during the two-factor authentication process a malicious user can trick the system into loading credentials for an arbitrary user by modifying the token sent to the server. This authentication flaw is present in the `LoginCheckpointController@__invoke` method which handles two-factor authentication for a user. This controller looks for a request input parameter called `confirmation_token` which is expected to be a 64 character random alpha-numeric string that references a value within the Panel's cache containing a `user_id` value. This value is then used to fetch the user that attempted to login, and lookup their two-factor authentication token. Due to the design of this system, any element in the cache that contains only digits could be referenced by a malicious user, and whatever value is stored at that position would be used as the `user_id`. There are a few different areas of the Panel that store values into the cache that are integers, and a user who determines what those cache keys are could pass one of those keys which would cause this code pathway to reference an arbitrary user. At its heart this is a high-risk login bypass vulnerability. However, there are a few additional conditions that must be met in order for this to be successfully executed, notably: 1.) The account referenced by the malicious cache key must have two-factor authentication enabled. An account without two-factor authentication would cause an exception to be triggered by the authentication logic, thusly exiting this authentication flow. 2.) Even if the malicious user is able to reference a valid cache key that references a valid user account with two-factor authentication, they must provide a valid two-factor authentication token. However, due to the design of this endpoint once a valid user account is found with two-factor authentication enabled there is no rate-limiting present, thusly allowing an attacker to brute force combinations until successful. This leads to a third condition that must be met: 3.) For the duration of this attack sequence the cache key being referenced must continue to exist with a valid `user_id` value. Depending on the specific key being used for this attack, this value may disappear quickly, or be changed by other random user interactions on the Panel, outside the control of the attacker. In order to mitigate this vulnerability the underlying authentication logic was changed to use an encrypted session store that the user is therefore unable to control the value of. This completely removed the use of a user-controlled value being used. In addition, the code was audited to ensure this type of vulnerability is not present elsewhere."
},
{
"lang": "es",
"value": "Pterodactyl es un panel de administraci\u00f3n de servidores de juegos de c\u00f3digo abierto construido con PHP 7, React y Go. Un usuario malicioso puede modificar el contenido de una entrada \"confirmation_token\" durante el proceso de autenticaci\u00f3n de dos factores para hacer referencia a un valor de cach\u00e9 no asociado con el intento de inicio de sesi\u00f3n. En casos excepcionales, esto puede permitir a un actor malicioso autenticarse como un usuario aleatorio en el Panel. El usuario malicioso debe dirigirse a una cuenta con la autenticaci\u00f3n de dos factores habilitada y luego debe proporcionar un token de autenticaci\u00f3n de dos factores correcto antes de ser autenticado como dicho usuario. Debido a un fallo de comprobaci\u00f3n en la l\u00f3gica que administra la autenticaci\u00f3n de usuario durante el proceso de autenticaci\u00f3n de dos factores, un usuario malicioso puede enga\u00f1ar al sistema para que cargue las credenciales de un usuario arbitrario modificando el token enviado al servidor. Este fallo de autenticaci\u00f3n est\u00e1 presente en el m\u00e9todo \"LoginCheckpointController@__invoke\" que maneja la autenticaci\u00f3n de dos factores para un usuario. Este controlador busca un par\u00e1metro de entrada de la petici\u00f3n llamado \"confirmation_token\" que se espera que sea una cadena alfanum\u00e9rica aleatoria de 64 caracteres que hace referencia a un valor dentro de la cach\u00e9 del Panel que contiene un valor \"user_id\". Este valor es usado para recuperar el usuario que ha intentado iniciar sesi\u00f3n y buscar su token de autenticaci\u00f3n de dos factores. Debido al dise\u00f1o de este sistema, cualquier elemento de la cach\u00e9 que contenga s\u00f3lo d\u00edgitos podr\u00eda ser referenciado por un usuario malicioso, y cualquier valor almacenado en esa posici\u00f3n ser\u00eda usado como el \"user_id\". Se presentan algunas \u00e1reas diferentes del Panel que almacenan valores en la cach\u00e9 que son enteros, y un usuario que determine cu\u00e1les son esas claves de la cach\u00e9 podr\u00eda pasar una de esas claves que causar\u00eda que esta v\u00eda de c\u00f3digo hiciera referencia a un usuario arbitrario. En el fondo, se trata de una vulnerabilidad de alto riesgo para omitir el inicio de sesi\u00f3n. Sin embargo, hay algunas condiciones adicionales que deben cumplirse para que esto se ejecute con \u00e9xito, en particular 1.) La cuenta a la que hace referencia la clave de cach\u00e9 maliciosa debe tener habilitada la autenticaci\u00f3n de dos factores. Una cuenta sin la autenticaci\u00f3n de dos factores causar\u00eda una excepci\u00f3n en la l\u00f3gica de autenticaci\u00f3n, saliendo as\u00ed de este flujo de autenticaci\u00f3n. 2.) Incluso si el usuario malicioso es capaz de hacer referencia a una clave de cach\u00e9 v\u00e1lida que hace referencia a una cuenta de usuario v\u00e1lida con autenticaci\u00f3n de dos factores, debe proporcionar un token de autenticaci\u00f3n de dos factores v\u00e1lido. Sin embargo, debido al dise\u00f1o de este endpoint, una vez que se encuentra una cuenta de usuario v\u00e1lida con la autenticaci\u00f3n de dos factores habilitada, no hay l\u00edmite de velocidad presente, permitiendo as\u00ed a un atacante hacer combinaciones de fuerza bruta hasta tener \u00e9xito. Esto conlleva a una tercera condici\u00f3n que debe cumplirse: 3.) Durante la duraci\u00f3n de esta secuencia de ataque, la clave de cach\u00e9 a la que se hace referencia debe seguir existiendo con un valor v\u00e1lido de \"user_id\". Dependiendo de la llave espec\u00edfica que se est\u00e9 usando para este ataque, este valor puede desaparecer r\u00e1pidamente, o ser cambiado por otras interacciones aleatorias del usuario en el Panel, fuera del control del atacante. Para mitigar esta vulnerabilidad, se modific\u00f3 la l\u00f3gica de autenticaci\u00f3n subyacente para utilizar un almac\u00e9n de sesi\u00f3n cifrado, cuyo valor no puede ser controlado por el usuario. Esto elimin\u00f3 por completo el uso de un valor controlado por el usuario. Adem\u00e1s, se audit\u00f3 el c\u00f3digo para asegurar que este tipo de vulnerabilidad no est\u00e1 presente en otros lugares"
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9
}
],
"cvssMetricV2": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "2.0",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"baseScore": 6.8,
"accessVector": "NETWORK",
"accessComplexity": "MEDIUM",
"authentication": "NONE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "PARTIAL"
},
"baseSeverity": "MEDIUM",
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"description": [
{
"lang": "en",
"value": "CWE-502"
},
{
"lang": "en",
"value": "CWE-639"
},
{
"lang": "en",
"value": "CWE-807"
}
]
},
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-287"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:pterodactyl:panel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "1.0.0",
"versionEndExcluding": "1.6.2",
"matchCriteriaId": "39D8D800-578B-42AB-BFCA-6FA76ABDDAE7"
}
]
}
]
}
],
"references": [
{
"url": "https://github.com/pterodactyl/panel/blob/v1.6.2/CHANGELOG.md#v162",
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
]
},
{
"url": "https://github.com/pterodactyl/panel/commit/4a84c36009be10dbd83051ac1771662c056e4977",
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
]
},
{
"url": "https://github.com/pterodactyl/panel/releases/tag/v1.6.2",
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
]
},
{
"url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-5vfx-8w6m-h3v4",
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
]
},
{
"url": "https://github.com/pterodactyl/panel/blob/v1.6.2/CHANGELOG.md#v162",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
]
},
{
"url": "https://github.com/pterodactyl/panel/commit/4a84c36009be10dbd83051ac1771662c056e4977",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
]
},
{
"url": "https://github.com/pterodactyl/panel/releases/tag/v1.6.2",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
]
},
{
"url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-5vfx-8w6m-h3v4",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
]
}
]
}