CVE-2019-12046: anonymous session allowed when tokens are stored in session DB

Bug #1829016 reported by Xavier Guimard
Affects                Status        Importance  Assigned to  Milestone
lemonldap-ng (Debian)  Fix Released  Unknown
lemonldap-ng (Ubuntu)  Confirmed     High        Unassigned

Bug Description

Hi all,

during an internal audit, one of lemonldap-ng's developers discovered an
attack vector. It opens 3 security issues:
 - [high] for 2.0.0 ≤ version < 2.0.4: when CSRF tokens are
   enabled (default) and tokens are stored in the session DB (not default,
   used with poor load-balancers), the token can be used to open an
   anonymous short-life session (2 min). It allows one to access all
   applications without additional rules
 - [high] for every version < 2.0.4 or 1.9.19: when SAML/OIDC tokens are
   stored in the session DB (not default), tokens can be used to obtain an
   anonymous session
 - [low] for every version < 2.0.4 or 1.9.19: when self-registration
   is allowed, the mail token can be used to obtain an anonymous session.

You can find the Debian patches here:
 * 1.9.x series (Bionic/Cosmic): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/stretch-security/debian/patches/CVE-2019-12046.patch
 * 2.0.x series (Disco): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/master/debian/patches/CVE-2019-12046.patch

The 1.9.x patch can be backported to the 1.4.x series (Xenial), not fully tested.

For more, see:
 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944
 - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
 - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1743
 - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1744

Cheers,
Xavier (yadd) <email address hidden>
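All three issues in the report share one root cause: records that the software writes into the shared session store for a different purpose (a CSRF token, a SAML/OIDC artefact, a mail-confirmation token) are later looked up by the same code path that validates login sessions, so presenting such a record's identifier yields a session with no authenticated user. The following is an added illustration, not code from LemonLDAP::NG or from its patch; the store layout, the `_session_kind` field and its values, and the `uid` field are assumptions made for the example. It contrasts a lookup that accepts any record with one that checks the record's kind and authenticated identity before treating it as a session.

```python
"""Added example (not LemonLDAP::NG code): why token records in a shared
session store must not be accepted as login sessions."""
import time

# Constructed sample of a shared session database. The '_session_kind'
# field and its values are an assumption for this example, not the
# project's real schema; real stores carry many more fields.
NOW = time.time()
SESSION_DB = {
    # A genuine single-sign-on session for an authenticated user.
    "a1b2": {"_session_kind": "SSO", "_utime": NOW, "uid": "alice"},
    # A short-lived form/CSRF token stored in the same backend.
    "c3d4": {"_session_kind": "TOKEN", "_utime": NOW},
    # A SAML/OIDC protocol artefact stored in the same backend.
    "e5f6": {"_session_kind": "SAML", "_utime": NOW},
    # An SSO session that has outlived its lifetime.
    "0789": {"_session_kind": "SSO", "_utime": NOW - 7200, "uid": "bob"},
}

SESSION_MAX_AGE = 3600  # seconds; constructed value


def naive_lookup(db, session_id):
    """Vulnerable pattern: whatever is found under the id is a session.

    A token id therefore produces a record with no 'uid', which a caller
    that only checks 'is there a record?' treats as an anonymous session.
    """
    return db.get(session_id)


def strict_lookup(db, session_id, expected_kind="SSO", now=None):
    """Hardened pattern: a record is a session only if it is of the
    expected kind, belongs to an authenticated user and is not expired."""
    now = NOW if now is None else now
    rec = db.get(session_id)
    if rec is None:
        return None
    if rec.get("_session_kind") != expected_kind:
        return None  # token / protocol artefact, never a login session
    if not rec.get("uid"):
        return None  # no authenticated identity: refuse anonymous access
    if now - rec.get("_utime", 0) > SESSION_MAX_AGE:
        return None  # expired
    return rec


def is_anonymous_session(rec):
    """True when a record was accepted as a session but names no user."""
    return rec is not None and not rec.get("uid")


if __name__ == "__main__":
    for sid in SESSION_DB:
        print(sid, "naive->", is_anonymous_session(naive_lookup(SESSION_DB, sid)),
              "strict->", strict_lookup(SESSION_DB, sid) is not None)
```

The point of `strict_lookup` is that existence in the store is not proof of authentication: the record's kind and the presence of an authenticated identity are checked before any authorization rule runs, and a token record is rejected even though it is found. Stores that keep several record kinds under one keyspace benefit from the same check, or from separating the kinds into distinct backends or key prefixes.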

Changed in lemonldap-ng (Debian):
status: Unknown → Fix Released
Revision history for this message
Steve Beattie (sbeattie) wrote :

Making public as the issues are public elsewhere.

information type: Private Security → Public Security
Changed in lemonldap-ng (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Revision history for this message
Xavier Guimard (x-guimard) wrote :

Debian version 1.3.3-1+deb8u1 (LTS) also fixes this bug for 1.3.x versions

Revision history for this message
Xavier Guimard (x-guimard) wrote :

Hello,

The bug is easy to fix, at least for 18.04 (just import the Debian package). Is there a problem with this upgrade?

description: updated
Revision history for this message
Xavier Guimard (x-guimard) wrote :

Is there a security team in Ubuntu?

tags: added: community-security
Revision history for this message
Alex Murray (alexmurray) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures
