CVE-2019-12046: anonymous session allowed when tokens are stored in session DB

Bug #1829016 reported by Xavier Guimard on 2019-05-14
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
lemonldap-ng (Debian)
Fix Released
Unknown
lemonldap-ng (Ubuntu)
High
Unassigned

Bug Description

Hi all,

during an internal audit, one of lemonldap-ng's developers discovered an
attack vector. It opens 3 security issues:
 - [high] for 2.0.0 ≤ version < 2.0.4: when CSRF tokens are
   enabled (default) and tokens are stored in session DB (not default,
   used with poor load-balancers), the token can be used to open an
   anonymous short-life session (2mn). It allows one to access to all
   aplications without additional rules
 - [high] for every versions < 2.0.4 or 1.9.19 when SAML/OIDC tokens are
   stored in sessions DB (not default), tokens can be used to have an
   anonymous session
 - [low] for every versions < 2.0.4 or 1.9.19: when self-registration
   is allowed, mail token can be used to have an anonymous session.

You can find Debian patchs here:
 * 1.9.x series (Bionix/Cosmic): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/stretch-security/debian/patches/CVE-2019-12046.patch
 * 2.0.x series (Disco): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/master/debian/patches/CVE-2019-12046.patch

1.9.x patch can be backported to 1.4.x series (Xenial), not fully tested.

For more, see:
 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944
 - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
 - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1743
 - https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1744

Cheers,
Xavier (yadd) <email address hidden>

CVE References

Changed in lemonldap-ng (Debian):
status: Unknown → Fix Released
Steve Beattie (sbeattie) wrote :

Making public as the issues are public elsewhere.

information type: Private Security → Public Security
Changed in lemonldap-ng (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Xavier Guimard (x-guimard) wrote :

Debian Version 1.3.3-1+deb8u1 (LTS) fixes also this bug for 1.3.x versions

Xavier Guimard (x-guimard) wrote :

Hello,

bug is easy to fix, at least for 18.04 (just to import Debian package). Is there a problem with this upgrade ?

description: updated
Xavier Guimard (x-guimard) wrote :

Is there a security team in Ubuntu ?

tags: added: community-security
Alex Murray (alexmurray) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.