Headline
CVE-2022-46172: Existing Authenticated Users can Create Arbitrary Accounts
authentik is an open-source identity provider focused on flexibility and versatility. In versions prior to 2022.10.4 and 2022.11.4, any authenticated user can create an arbitrary number of accounts through the default flows. This circumvents any policy in a situation where it is undesirable for users to create new accounts by themselves. It may also affect other applications, as these new basic accounts would exist throughout the SSO infrastructure. By default the newly created accounts cannot be logged into, as no password reset exists by default; however, password resets are likely to be enabled by most installations. This vulnerability pertains to the user context used in the default-user-settings-flow, /api/v3/flows/instances/default-user-settings-flow/execute/. This issue has been fixed in versions 2022.10.4 and 2022.11.4.
Summary
Any authenticated user can create an arbitrary number of accounts through the default flows. This circumvents any policy in a situation where it is undesirable for users to create new accounts by themselves. It may also have carry-over consequences for other applications, since these new basic accounts would exist throughout the SSO infrastructure. By default the newly created accounts cannot be logged into, as no password reset exists by default; however, password resets are likely to be enabled by most installations.
Patches
authentik 2022.11.4, 2022.10.4 and 2022.12.0 fix this issue.
Impact
This vulnerability makes name and email collisions much more likely, making it harder for users to log in. It also makes it more difficult for admins to properly administer users, since a growing number of confusing, unexpected users will exist. Paired with password reset flows, if enabled, this amounts to a circumvention of on-boarding policies. Say, for instance, a company wanted to invite a limited number of beta testers; those beta testers would be able to create an arbitrary number of accounts themselves.
Details
This vulnerability has already been submitted over email; this security advisory serves as a formalization towards broader information dissemination. The vulnerability pertains to the user context used in the default-user-settings-flow: /api/v3/flows/instances/default-user-settings-flow/execute/
PoC
We conducted our testing in a Kubernetes environment (Minikube, and also verified in EKS).
We applied the authentik Helm chart as per the official instructions (https://goauthentik.io/docs/installation/kubernetes/). Barring the expected changes to secret keys and passwords, the values look like this:
    authentik:
      secret_key: "PleaseGenerateA50CharKey"
      # This sends anonymous usage-data, stack traces on errors and
      # performance data to sentry.beryju.org, and is fully opt-in
      error_reporting:
        enabled: true
      postgresql:
        password: "ThisIsNotASecurePassword"

    ingress:
      enabled: true
      hosts:
        - host: authentik.domain.tld
          paths:
            - path: "/"
              pathType: Prefix

    postgresql:
      enabled: true
      postgresqlPassword: "ThisIsNotASecurePassword"
    redis:
      enabled: true
We further modified our values.yaml slightly to ensure we were using the specific version of authentik by adding the following:
    image:
      repository: ghcr.io/goauthentik/server
      tag: 2022.11.3
We applied the helm chart to get a functioning authentik installation, which we can now use for verifying this issue.
Create a standard non-admin user with no particular permissions, by any method you see fit, using your admin user.
This non-admin user logs in.
This non-admin user goes to the following URL, https://<AUTHENTIK_FULL_DOMAIN>/if/flow/default-user-settings-flow/, or attempts to change their username to an existing admin username such as akadmin (which takes them to the same URL via a dialogue box instead).
The non-admin user can now enter any details they like to create an arbitrary account, and repeat visits to the URL will create an arbitrary number of accounts.
It should be noted that this only works in low-privilege scenarios where a user already exists. It does not work when attempting to visit the URL without first being logged in.
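As an added defensive check, not part of this advisory or of authentik itself: the fix landed on two separately maintained release lines (2022.10.4 and 2022.11.4) plus everything from 2022.12.0 on, so a naive "older than 2022.12.0" comparison misjudges 2022.11.4. The function below encodes the advisory's per-line fix versions and reads the image tag out of a Helm values.yaml like the one above; the sample values text and the regex-based tag extraction are constructed for this example.

```python
"""Check an authentik image tag against the CVE-2022-46172 fix versions.

Added example, not advisory or project code. Fix versions are taken from the
advisory: 2022.10.4 and 2022.11.4 on their release lines, and 2022.12.0 onward.
"""
import re
from typing import Optional, Tuple

# Fixed patch release per release line (year, month), from the advisory.
FIXED_IN = {
    (2022, 10): (2022, 10, 4),
    (2022, 11): (2022, 11, 4),
}
# Every release line from this one on shipped with the fix.
FIRST_FIXED_LINE = (2022, 12)


def parse_tag(tag: str) -> Optional[Tuple[int, int, int]]:
    """Turn '2022.11.3' (or 'v2022.11.3', '2022.11.3-rc1') into a tuple."""
    m = re.match(r"v?(\d{4})\.(\d{1,2})\.(\d+)", tag.strip())
    if not m:
        return None  # e.g. 'latest': cannot decide from the tag alone
    return tuple(int(x) for x in m.groups())


def is_vulnerable(tag: str) -> Optional[bool]:
    """True if the tag predates the fix on its release line, None if unknown."""
    ver = parse_tag(tag)
    if ver is None:
        return None
    line = (ver[0], ver[1])
    if line >= FIRST_FIXED_LINE:
        return False
    if line in FIXED_IN:
        return ver < FIXED_IN[line]
    return True  # older lines (2022.9 and earlier) never received the fix


def tag_from_values(values_yaml: str) -> Optional[str]:
    """Pull image.tag out of a Helm values.yaml (constructed, regex-based parser)."""
    pattern = r"^image:[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+tag:[ \t]*[\"']?([^\"'\s]+)"
    m = re.search(pattern, values_yaml, re.M)
    return m.group(1) if m else None


# Constructed sample: the image override used in the PoC above.
SAMPLE_VALUES = "image:\n  repository: ghcr.io/goauthentik/server\n  tag: 2022.11.3\n"

if __name__ == "__main__":
    tag = tag_from_values(SAMPLE_VALUES)
    verdict = is_vulnerable(tag) if tag else None
    print(tag, {True: "vulnerable", False: "fixed", None: "undetermined"}[verdict])
```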
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]