What You Need to Know

Short Description

An issue with the LinOTP 3 Self Service login's request context safety mechanism can cause a user's session data to be mistakenly replaced with that of another user who is logged in at the same time. This error could potentially reveal personal information (like username, email, and phone number) and allow one user to access and operate with the permissions of another within the LinOTP 3 Self Service.

Affected Products

  • LinOTP 3 with all versions from LinOTP 3.0 up to LinOTP 3.2.4
  • LinOTP Virtual Appliance with LinOTP 3.0 and above (installations based on SVA 3.0 and higher need to update to LinOTP 3.2.5 or newer)

Unaffected Products

  • LinOTP 2 up to and including the current 2.12.6 is not affected.
  • LinOTP ADFS Plugin is not affected.
  • LinOTP LAP is not affected.
  • LinOTP SAML IdP, LinOTP RADIUS Authentication Module and LinOTP LDAP Authentication Module are not affected.
  • LinOTP Virtual Appliance itself is not affected.

Criticality

We currently assess this vulnerability with a CVSS 3.1 score of 7.5 (high)

(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C/CR:M/IR:M/AR:M).

CVE-2023-49706 was published for this vulnerability.

Date of Publication

2023-12-19

Disclaimer:

LinOTP core authentication checks are not directly affected. The validation of logins using the LinOTP core API, including all LinOTP Authentication Modules, is not directly affected. This covers all protocols (SAML, RADIUS, LDAP) and authentication frontends (i.e. LinOTP Authentication Provider, ADFS), none of which are directly affected by this advisory.

Description

Due to an error in the multi-threading safety mechanism of the LinOTP 3 Self Service login, the session check data of a user can be overwritten with the session data of another user whose request is handled concurrently. This leads to possible information disclosure (username, e-mail, phone number) and allows an attacker to act as the affected user, with that user's permissions, in the LinOTP 3 Self Service.
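The following is an added illustration of the bug class described above, not LinOTP's code: a per-request context (here, the authenticated user) kept in a single process-wide object that all worker threads share, next to the same context kept in thread-local storage. Two constructed login requests are forced to interleave with a barrier so that the shared variant deterministically shows one request's session being built from the other user's data. The class names, the `handle_login` flow and the two user names are assumptions made for the example.

```python
import threading

# Constructed example (not LinOTP's implementation): the same request
# context held in a process-wide global versus in thread-local storage.


class GlobalContext:
    """Buggy variant: one mutable context object shared by every worker thread."""

    def __init__(self):
        self.user = None

    def set_user(self, user):
        self.user = user

    def get_user(self):
        return self.user


class ThreadLocalContext:
    """Fixed variant: each worker thread reads and writes its own context."""

    def __init__(self):
        self._local = threading.local()

    def set_user(self, user):
        self._local.user = user

    def get_user(self):
        return getattr(self._local, "user", None)


def handle_login(ctx, user, barrier, results):
    """Assumed request flow: record the authenticated user, then build the session."""
    # Step 1: the request authenticates `user` and stores it in the request context.
    ctx.set_user(user)
    # Step 2: wait until the other request has reached the same point. This simulates
    # two requests interleaving on worker threads; with a shared global the last
    # writer wins and the other request's context is silently overwritten.
    barrier.wait()
    # Step 3: build the session from whatever the context now holds.
    results[user] = ctx.get_user()


def run_concurrent_logins(ctx, users):
    """Run one login request per user on its own thread; return {requested: session user}."""
    barrier = threading.Barrier(len(users))
    results = {}
    threads = [
        threading.Thread(target=handle_login, args=(ctx, u, barrier, results))
        for u in users
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def mixups(results):
    """Users whose session ended up bound to a different user's context."""
    return {requested for requested, got in results.items() if got != requested}


if __name__ == "__main__":
    users = ["alice", "bob"]  # constructed sample users
    print("shared global :", mixups(run_concurrent_logins(GlobalContext(), users)))
    print("thread-local  :", mixups(run_concurrent_logins(ThreadLocalContext(), users)))
```

With the shared global, exactly one of the two constructed requests receives the other user's identity; with thread-local storage, neither does. The same check (does the user the session was built for equal the user who authenticated in this request?) is the kind of assertion worth adding to a session-creation path as a regression guard.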

This vulnerability could enable unauthorized access without the need for valid credentials. In specific situations, it might be possible to target an individual user. However, any unauthorized access attempts by a malicious entity would only be possible if another user is actively engaged in the self-service portal at the same time. It is important to note that previously expired sessions cannot be exploited in this context.

We currently have no evidence indicating that the identified vulnerability has been exploited.

A customer initially reported a display bug in the Self Service. After further investigation, the LinOTP team identified a related vulnerability and assessed its severity. While analyzing the behavior we developed a fix, which is provided with this update. Other parts of LinOTP beyond the Self Service were analyzed as well; no additional occurrence of this implementation pattern was found. The administrative login implemented with LinOTP 3 is not affected.

The provided update to LinOTP 3.2.5 completely fixes this vulnerability. All customers running LinOTP 3 up to version 3.2.4 are strongly advised to install the newest version LinOTP 3.2.5 as soon as possible.

We are providing LinOTP 3.2.5 as a regular update for LinOTP SVA and as native packages for LinOTP 3.2.4 and older (Debian). Please refer to the installation instructions for the correct steps in your environment: Installation Instructions

Customers who have questions about the update can contact support@linotp.de. We are happy to assist directly and carry out the update together with you, tailored to your environment.

Preventive actions

A complete fix of the vulnerability requires installation of the provided update. If you cannot install the update within a suitable time frame, the following preventive actions are available.

Deactivating all active policies in the scope „selfservice“ removes all permissions for all users. This prevents possible misuse until the update can be installed. Please note that regular users will then also be unable to configure their tokens until the policies are reactivated.

Deactivating the „userservice“ backend and the Self Service completely is advised if you cannot update for some time. Please contact support@linotp.de; we are happy to assist in deactivating the backend in the LinOTP configuration.

Important Measures

LinOTP 3 Self Service checks both the user and the client IP of the session. A common deployment of LinOTP 3 Self Service runs a proxy or load balancer between the client and the LinOTP backend. Failing to configure the forwarding of the client IP to LinOTP in this scenario increases the likelihood of the race condition described in this advisory having an effect, because the client IP then no longer helps to distinguish sessions. Please refer to 1.12.4. System Config — LinOTP 3.2 documentation for details. This is independent of the current update.
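As an added example (not LinOTP's code, and not its configuration format), the snippet below shows why the session check loses its second factor when client IP forwarding is not configured behind a proxy. It resolves the client IP from `X-Forwarded-For` only when the direct peer is in an assumed trusted proxy network, binds a session to user and client IP, and counts how many distinct client identities the backend sees for a batch of constructed requests with and without forwarding. The proxy network, the addresses and the header-handling helper are assumptions for the example; consult the LinOTP documentation referenced above for the actual setting.

```python
import ipaddress

# Constructed example, not LinOTP's implementation.
# Assumed: the reverse proxy / load balancer lives in this network.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted_proxy(addr, trusted_proxies):
    return any(addr in net for net in trusted_proxies)


def resolve_client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Return the IP to bind the session to.

    X-Forwarded-For is only honoured when the direct peer is a trusted proxy,
    otherwise any client could supply an arbitrary value. Within the header the
    rightmost address that is not itself a trusted proxy is the real client
    (proxies append; clients may prepend junk).
    """
    peer = ipaddress.ip_address(remote_addr)
    if _is_trusted_proxy(peer, trusted_proxies):
        xff = headers.get("X-Forwarded-For", "")
        for candidate in reversed([c.strip() for c in xff.split(",") if c.strip()]):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # ignore malformed entries
            if not _is_trusted_proxy(addr, trusted_proxies):
                return str(addr)
    return str(peer)


def session_matches(session, user, client_ip):
    """Session check binding the session to both the user and the client IP."""
    return session["user"] == user and session["client_ip"] == client_ip


def distinct_clients(requests, forwarding_configured):
    """How many distinct client identities the backend sees for a batch of requests.

    `requests` is a list of (remote_addr, headers) pairs as the backend receives them.
    Without forwarding the proxy strips/never sets X-Forwarded-For, so every request
    arrives with the proxy's own address and the IP check cannot tell clients apart.
    """
    seen = set()
    for remote_addr, headers in requests:
        effective_headers = headers if forwarding_configured else {}
        seen.add(resolve_client_ip(remote_addr, effective_headers))
    return len(seen)


# Constructed sample: two clients reaching the backend through proxy 10.0.0.5.
SAMPLE_REQUESTS = [
    ("10.0.0.5", {"X-Forwarded-For": "203.0.113.10"}),
    ("10.0.0.5", {"X-Forwarded-For": "198.51.100.7"}),
]

if __name__ == "__main__":
    print("forwarding configured :", distinct_clients(SAMPLE_REQUESTS, True))
    print("forwarding missing    :", distinct_clients(SAMPLE_REQUESTS, False))
```

With forwarding configured the backend sees two different client addresses, so a session bound to the wrong user still fails the IP comparison; without it both requests resolve to the proxy's address and the IP check no longer contributes anything. Note also that a request arriving directly from an untrusted address keeps its peer address regardless of any header it carries.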

We understand that this process may be inconvenient, and our technical support team is here to assist our customers.