# Security Update for LinOTP 3 - CVE-2023-49706

CVE Identifier: CVE-2023-49706
Product: LinOTP 3 SelfService
Issue Date: 2023-12-18
Criticality (CVSS 3.1): 7.5 (high)
Publisher: netgo software GmbH - LinOTP Team

References:

* https://linotp.org/security-update-linotp3-selfservice.html
* https://linotp.org/CVE-2023-49706.txt

# CVE-2023-49706: LinOTP 3 Self Service issue in session security

## Description

An issue with the LinOTP 3 Self Service login's request context safety mechanism can cause a user's session data to be mistakenly replaced with that of another user who is logged in at the same time. This error could potentially reveal personal information (like username, email, and phone number) and allow one user to access and operate with the permissions of another within the LinOTP 3 Self Service.

## Affected Products

* LinOTP 3 on native installations with all versions from LinOTP 3.0 up to LinOTP 3.2.4
* LinOTP Virtual Appliance with LinOTP 3.0 and above (Installations based on SVA 3.0 and higher need to update to LinOTP 3.2.5 and newer)

## Unaffected Products

* LinOTP 2 up to and including the current 2.12.6 is **not** affected.
* LinOTP ADFS Plugin is **not** affected.
* LinOTP LAP is **not** affected.
* LinOTP SAML IdP, LinOTP RADIUS Authentication Module, LinOTP LDAP Authentication Module are **not** affected.
* LinOTP Virtual Appliance itself is **not** affected.

## Criticality

We are currently calculating with a CVSS 3.1 score of 7.5 (high) (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C/CR:M/IR:M/AR:M).

## Date of Publication

2023-12-18

> *Disclaimer:* LinOTP core authentication checks are not directly affected.
> The validation of logins using the LinOTP core API, including all LinOTP
> Authentication Modules, is not directly affected. This includes all protocols
> (SAML, RADIUS, LDAP, etc.) and authentication frontends (i.e. LinOTP
> Authentication Provider, ADFS), which are not directly affected by this
> advisory.
## Description

Due to an error in the multi-threading safety mechanism of the LinOTP 3 Self Service login, the session check data of one user can be overwritten with the session data of another user whose request is handled concurrently. This leads to possible information disclosure (username, e-mail, phone number) and allows an attacker to act as, and with the permissions of, the affected user in the LinOTP 3 Self Service.

This vulnerability could enable unauthorized access without valid credentials. In specific situations it might be possible to target an individual user. However, unauthorized access by a malicious entity is only possible while another user is actively using the self-service portal at the same time. Previously expired sessions cannot be exploited in this context.

As of now there is no evidence that this vulnerability has been exploited. It was initially reported as a display bug by a customer, which led to its discovery and to the fix in the LinOTP 3.2.5 update. The vulnerability is limited to the Self Service component; other LinOTP components, including the administrative login, are unaffected.

Organisations using LinOTP 3 versions up to and including 3.2.4 should urgently upgrade to version 3.2.5. The update is available for the LinOTP SVA and as native packages; see the installation instructions: https://linotp.org/resources/linotp-3-2-5-update-instructions.html. Customers can contact support for assistance.

If an immediate update is not possible, it is recommended to deactivate all "selfservice" policies, or even the "userservice" backend, to prevent misuse.

Note: When using LinOTP 3 Self Service behind a proxy or load balancer, proper client IP forwarding is crucial to avoid making this vulnerability worse. Details can be found in the LinOTP 3.2 System Config documentation: https://linotp.org/doc/latest/part-management/system-config.html#tab-client-identification
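To make the class of defect described above concrete, the following is an added illustration written for this page; it is not LinOTP's code and does not reproduce the actual LinOTP 3 Self Service implementation. It models the general pattern: a login handler stores "the current user" in storage shared by all request threads, so when two requests interleave, the second write replaces the first and one request renders (and acts with) the other user's session. The `SharedContext` class is the flawed pattern, `ThreadLocalContext` is the per-thread fix, and the class and user names, the `SESSIONS` records, and the barrier-driven interleaving are all constructed for the demonstration.

```python
import threading

# Constructed sample records for two users logged in at the same time
# (illustrative data, not taken from any real system).
SESSIONS = {
    "alice": {"username": "alice", "email": "alice@example.test", "phone": "+1-000-0001"},
    "bob":   {"username": "bob",   "email": "bob@example.test",   "phone": "+1-000-0002"},
}


class SharedContext:
    """Flawed pattern: one process-wide slot that every request thread writes
    and reads. Whichever request wrote last 'wins' for everybody."""

    def __init__(self):
        self.user = None

    def set_user(self, username):
        self.user = username

    def get_user(self):
        return self.user


class ThreadLocalContext:
    """Fixed pattern: the slot lives in threading.local(), so a request thread
    can only ever read back what it stored itself."""

    def __init__(self):
        self._local = threading.local()

    def set_user(self, username):
        self._local.user = username

    def get_user(self):
        return getattr(self._local, "user", None)


def handle_request(ctx, authenticated_user, rendezvous, results):
    """One self-service request: remember who just logged in, then later
    render 'the current user's' profile from the context."""
    ctx.set_user(authenticated_user)      # login check succeeded for this user
    rendezvous.wait()                     # force both requests to interleave here
    rendered = SESSIONS[ctx.get_user()]   # whose data does this request now show?
    results[authenticated_user] = rendered["username"]


def simulate_concurrent_logins(ctx, users=("alice", "bob")):
    """Run one request per user on its own thread and return
    {requesting_user: username_whose_session_was_rendered}."""
    results = {}
    rendezvous = threading.Barrier(len(users))
    threads = [
        threading.Thread(target=handle_request, args=(ctx, u, rendezvous, results))
        for u in users
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def leaked_sessions(results):
    """Users whose request rendered somebody else's session data."""
    return sorted(u for u, shown in results.items() if shown != u)


if __name__ == "__main__":
    print("shared context :", simulate_concurrent_logins(SharedContext()))
    print("thread-local   :", simulate_concurrent_logins(ThreadLocalContext()))
```

With `SharedContext` both requests end up rendering the same user, so exactly one of the two sees (and would act with) the other user's session, which is the information disclosure and privilege confusion the advisory describes; with `ThreadLocalContext` each request sees only its own user. The barrier only makes the interleaving deterministic for the demonstration; in production the same overlap happens whenever two logins are in flight at once, which is why the advisory notes that the issue requires another user to be active at the same time. For frameworks that serve requests from coroutines rather than threads, the equivalent fix is `contextvars.ContextVar` rather than `threading.local`.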