CVE-2023-37268: SSO user can login as another SSO only user

Warpgate is an SSH, HTTPS and MySQL bastion host for Linux that doesn’t need special client apps. When logging in as a user with SSO enabled, an attacker may authenticate as another user. Any user account which does not have a second factor enabled could be compromised. This issue has been addressed in commit 8173f6512a and in releases starting with version 0.7.3. Users are advised to upgrade. Users unable to upgrade should require their users to use a second factor in authentication.

Summary

With SSO (I only checked custom SSO with an on-premises GitLab), I can log in as another user, with an SSO user or a password user.

Details

  • 2 users with Single sign-on enabled (victim / my-real-user)
  • In the login interface, enter Username=(victim) and press the Enter key (not the SSO or Login button)
  • In the SSO interface (for me, on-premises GitLab), log in as my-real-user
  • Login succeeds as the victim user

PoC

I wrote the details.

Impact

Any users with only SSO (without TOTP) or only password (without TOTP)

Details of my config

Environment: docker-compose + ghcr.io/warp-tech/warpgate:latest (ea9291a75109, v0.7.2? web interface says v0.7.1)

Docker log:

warpgate_1  | 02:06:19 ERROR HTTP: Auth rejected
warpgate_1  | 02:06:19  WARN HTTP: Request failed method=POST url=https://warpgate-onpremiss-domain.domain:port/@warpgate/api/auth/login status=401 Unauthorized
warpgate_1  | 02:06:20  INFO HTTP: Request method=GET url=https://warpgate-onpremiss-domain.domain:port/@warpgate/api/sso/providers/custom/start status=200 OK
warpgate_1  | 02:06:20  INFO HTTP: SSO login as $my-real-username@mail-domain
warpgate_1  | 02:06:20  INFO HTTP: Authenticated username=victim
warpgate_1  | 02:06:20  INFO HTTP: Request method=GET url=https://warpgate-onpremiss-domain.domain:port/@warpgate/api/sso/return?code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&state=XXXXXXXXXXXXXXXXXXXXXX status=307 Temporary Redirect
warpgate_1  | 02:06:20  INFO HTTP: Request method=GET url=https://warpgate-onpremiss-domain.domain:port/@warpgate status=200 OK session=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX session_username=victim
warpgate_1  | 02:06:20  INFO HTTP: Request method=GET url=https://warpgate-onpremiss-domain.domain:port/@warpgate/api/info status=200 OK session=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX session_username=victim

victim:

  • credentials
    • SSO
  • Auth policy
    • SSH: In-browser auth
    • HTTP: SSO
    • MySQL: none
  • User roles
    • warpgate:admin

my-real-user:

  • credentials:
    • SSO
  • Auth policy
    • SSH: In-browser auth
    • HTTP: SSO
    • MySQL: none
  • User roles
    • none
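
The docker log above shows the signature of this issue: an "SSO login as" line for one identity followed by "Authenticated username=" for a different user. The following is an added detection example, not code from the advisory or from Warpgate; the identity-to-username mapping, the sample addresses and the pairing-by-order rule are assumptions.

```python
import re

# Line shapes taken from the docker log above; everything else is an assumption.
SSO_RE = re.compile(r"HTTP: SSO login as (\S+)")
AUTH_RE = re.compile(r"HTTP: Authenticated username=(\S+)")

def find_sso_mismatches(lines, sso_to_user):
    """Return (line_no, sso_identity, authenticated_username) for each
    'Authenticated' event that follows an 'SSO login as' event and names a
    user the SSO identity is not mapped to.

    sso_to_user: dict of SSO identity -> set of Warpgate usernames it may
    log in as (hypothetical mapping, exported from your own user config).
    These two log lines carry no session id, so events are paired by order
    within one container's stream; concurrent logins can mispair.
    """
    findings = []
    pending = {}  # container prefix -> last SSO identity seen
    for no, line in enumerate(lines, 1):
        prefix, _, rest = line.partition("|")
        if not rest:  # no docker-compose prefix on this line
            prefix, rest = "", line
        key = prefix.strip()
        m = SSO_RE.search(rest)
        if m:
            pending[key] = m.group(1)
            continue
        m = AUTH_RE.search(rest)
        if m and key in pending:
            identity = pending.pop(key)
            user = m.group(1)
            if user not in sso_to_user.get(identity, set()):
                findings.append((no, identity, user))
    return findings

# Constructed sample in the same format as the log above.
SAMPLE_LOG = """\
warpgate_1  | 02:06:19 ERROR HTTP: Auth rejected
warpgate_1  | 02:06:20  INFO HTTP: SSO login as my-real-user@example.test
warpgate_1  | 02:06:20  INFO HTTP: Authenticated username=victim
warpgate_1  | 02:09:41  INFO HTTP: SSO login as my-real-user@example.test
warpgate_1  | 02:09:41  INFO HTTP: Authenticated username=my-real-user
""".splitlines()
SAMPLE_MAP = {"my-real-user@example.test": {"my-real-user"}}  # constructed

if __name__ == "__main__":
    for no, identity, user in find_sso_mismatches(SAMPLE_LOG, SAMPLE_MAP):
        print(f"line {no}: SSO identity {identity} authenticated as {user}")
```

Running it over retained logs from before the upgrade to 0.7.3 helps decide which accounts without a second factor need review.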
