CVE-2023-45669: Merge pull request from GHSA-v9hx-v6vf-g36j · webauthn4j/webauthn4j-spring-security@129700d
WebAuthn4J Spring Security provides Web Authentication specification support for Spring applications. Affected versions are subject to improper signature counter value handling. A flaw was found in webauthn4j-spring-security-core. When an authenticator returns an incremented signature counter value during authentication, webauthn4j-spring-security-core does not properly persist the value, which means cloned authenticator detection does not work. An attacker who has cloned a valid authenticator in some way can use the cloned authenticator without being detected. This issue has been addressed in version 0.9.1.RELEASE. Users are advised to upgrade. There are no known workarounds for this vulnerability.
@@ -16,6 +16,7 @@
package e2e;
import com.webauthn4j.springframework.security.authenticator.WebAuthnAuthenticatorService;
import com.webauthn4j.springframework.security.webauthn.sample.SampleSPA;
import e2e.page.AuthenticatorLoginComponent;
import e2e.page.PasswordLoginComponent;
@@ -34,18 +35,24 @@
import org.openqa.selenium.support.ui.WebDriverWait;
import org.openqa.selenium.virtualauthenticator.HasVirtualAuthenticator;
import org.openqa.selenium.virtualauthenticator.VirtualAuthenticatorOptions;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import java.time.Duration;
import static org.assertj.core.api.Assertions.assertThat;
@RunWith(SpringRunner.class)
@SpringBootTest(classes = SampleSPA.class, webEnvironment = SpringBootTest.WebEnvironment.DEFINED_PORT)
public class RegistrationAndAuthenticationE2ETest {
private WebDriver driver;
private WebDriverWait wait;
@Autowired
private WebAuthnAuthenticatorService webAuthnAuthenticatorService;
@BeforeClass
public static void setupClassTest() {
WebDriverManager.chromedriver().setup();
@@ -86,8 +93,10 @@ public void test() {
signupComponent.waitRegisterClickable();
signupComponent.clickRegister();
// Password authentication
wait.until(ExpectedConditions.urlToBe(“http://localhost:8080/angular/login”));
long counterValueAtRegistrationPhase = webAuthnAuthenticatorService.loadAuthenticatorsByUserPrincipal(“[email protected]”).get(0).getCounter();
// Password authentication
PasswordLoginComponent passwordLoginComponent = new PasswordLoginComponent(driver);
passwordLoginComponent.setUsername(“[email protected]”);
passwordLoginComponent.setPassword(“password”);
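Review bot: the `.get(0).getCounter()` read for `counterValueAtRegistrationPhase` assumes the list returned by `loadAuthenticatorsByUserPrincipal` is non-empty, so a registration that did not store a credential surfaces as an IndexOutOfBoundsException rather than a readable assertion failure. Assert the list size (for example `assertThat(...).hasSize(1)`) before reading the counter, and move the user principal literal into a constant, since it is used both for this lookup and for `setUsername`.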
@@ -98,6 +107,10 @@ public void test() {
// nop
wait.until(ExpectedConditions.urlToBe(“http://localhost:8080/angular/profile”));
long counterValueAtAuthenticationPhase = webAuthnAuthenticatorService.loadAuthenticatorsByUserPrincipal(“[email protected]”).get(0).getCounter();
assertThat(counterValueAtAuthenticationPhase).isGreaterThan(counterValueAtRegistrationPhase);
ProfileComponent profileComponent = new ProfileComponent(driver);
}
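Review bot: `isGreaterThan(counterValueAtRegistrationPhase)` only shows that the stored counter moved after one successful login; nothing in this test checks that an assertion whose counter is not greater than the stored value is flagged, which is the detection the persistence fix is meant to restore. Consider adding a case (at unit level if the browser flow cannot produce it) that presents a stale counter after this login and expects the authentication to be rejected or reported. The second `.get(0)` lookup here would also benefit from a size assertion first.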
Related news
Improper signature counter value handling

### Impact
A flaw was found in webauthn4j-spring-security-core. When an authenticator returns an incremented signature counter value during authentication, webauthn4j-spring-security-core does not properly persist the value, which means cloned authenticator detection does not work. An attacker who has cloned a valid authenticator in some way can use the cloned authenticator without being detected.

### Patches
Please upgrade to `com.webauthn4j:webauthn4j-spring-security-core:0.9.1.RELEASE`

### References
For more details about WebAuthn signature counters, see [WebAuthn specification 6.1.1. Signature Counter Considerations](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-sign-counter).

### Reporter
This issue was discovered by Michael Budnick (@mbudnick)
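The counter check from the referenced WebAuthn section 6.1.1, as an added example that is not code from webauthn4j-spring-security: it shows why skipping the persistence step lets a cloned authenticator pass. The class name, the in-memory `store`, the `verify` helper and the credential id are hypothetical, and rejecting on a stale counter is one possible relying-party policy.

```java
import java.util.HashMap;
import java.util.Map;

public class SignCounterDemo {
    /** In-memory stand-in for the credential store (hypothetical, not the webauthn4j API). */
    static final Map<String, Long> store = new HashMap<>();

    /**
     * Signature counter check per WebAuthn Level 2, section 6.1.1.
     * Returns true when the assertion is accepted. The spec leaves the reaction
     * to a stale counter to relying-party policy; this sketch rejects it.
     *
     * @param persist false reproduces the flaw described above: the new counter
     *                value is verified but never written back to the store.
     */
    static boolean verify(String credentialId, long presented, boolean persist) {
        long stored = store.getOrDefault(credentialId, 0L);
        if (presented == 0 && stored == 0) {
            return true;                      // authenticator does not implement a counter
        }
        if (presented <= stored) {
            return false;                     // counter did not advance: possible clone
        }
        if (persist) {
            store.put(credentialId, presented); // the step the vulnerable versions missed
        }
        return true;
    }

    /** Runs a constructed scenario and reports whether the clone's assertion is accepted. */
    static boolean cloneAccepted(boolean persist) {
        store.clear();
        String id = "cred-1";                 // constructed credential id
        store.put(id, 0L);                    // counter value stored at registration
        for (long c = 1; c <= 3; c++) {
            verify(id, c, persist);           // genuine authenticator logs in three times
        }
        // The clone was copied when the counter was 1, so its next assertion carries 2.
        return verify(id, 2, persist);
    }

    public static void main(String[] args) {
        System.out.println("no persistence, clone accepted:   " + cloneAccepted(false));
        System.out.println("with persistence, clone accepted: " + cloneAccepted(true));
    }
}
```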