CVE-2019-12046: anonymous session allowed when tokens are stored in session DB
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| lemonldap-ng (Debian) | Fix Released | Unknown | | |
| lemonldap-ng (Ubuntu) | | High | Unassigned | |
Bug Description
Hi all,
during an internal audit, one of lemonldap-ng's developers discovered an
attack vector. It opens 3 security issues:
- [high] for 2.0.0 ≤ version < 2.0.4: when CSRF tokens are
enabled (default) and tokens are stored in the session DB (not default,
used with poor load-balancers), the token can be used to open an
anonymous short-life session (2 min). It allows one to access all
applications without additional rules
- [high] for every version < 2.0.4 or 1.9.19: when SAML/OIDC tokens are
stored in the session DB (not default), tokens can be used to have an
anonymous session
- [low] for every version < 2.0.4 or 1.9.19: when self-registration
is allowed, the mail token can be used to have an anonymous session.
You can find the Debian patches here:
* 1.9.x series (Bionic/Cosmic): https:/
* 2.0.x series (Disco): https:/
The 1.9.x patch can be backported to the 1.4.x series (Xenial), not fully tested.
For more, see:
- https:/
- https:/
- https:/
- https:/
Cheers,
Xavier (yadd) <email address hidden>
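A small model of the flaw described above and of the check that closes it, added here as an example; it is not LemonLDAP::NG's own code, and the store layout, the field names `_session_kind` and `_user`, and the two lookup functions are assumptions made for illustration:

```python
"""Model of CVE-2019-12046: one session DB holds both real SSO sessions and
short-lived tokens (CSRF, SAML/OIDC, mail). If the portal only checks
"does this ID exist and is it still alive?", a token ID presented as a
session cookie is accepted as an (anonymous) session. Hypothetical model."""
import secrets
import time

SESSION_TTL = 3600   # constructed value: lifetime of a real SSO session
TOKEN_TTL = 120      # constructed value: ~2 min, like the CSRF token in the report


class SessionStore:
    """Shared backend: every record, session or token, lives in the same dict."""

    def __init__(self):
        self._db = {}

    def create(self, kind, data, ttl):
        sid = secrets.token_hex(16)
        self._db[sid] = {"_session_kind": kind, "_utime": time.time(),
                         "_ttl": ttl, **data}
        return sid

    def get(self, sid):
        rec = self._db.get(sid)
        if rec is None or time.time() - rec["_utime"] > rec["_ttl"]:
            return None
        return rec


def vulnerable_lookup(store, cookie):
    """Pre-fix behaviour: any live record, whatever it was created for,
    is treated as a valid session."""
    return store.get(cookie)


def fixed_lookup(store, cookie):
    """Post-fix behaviour: only records created as an SSO session for an
    authenticated user are accepted; token records are rejected."""
    rec = store.get(cookie)
    if rec is None or rec.get("_session_kind") != "SSO" or not rec.get("_user"):
        return None
    return rec


def demo():
    """Constructed scenario: one CSRF token and one real user session."""
    store = SessionStore()
    csrf_token = store.create("TOKEN", {"_type": "csrf"}, TOKEN_TTL)
    user_sid = store.create("SSO", {"_user": "alice"}, SESSION_TTL)
    return {
        "vuln_accepts_token": vulnerable_lookup(store, csrf_token) is not None,
        "fix_rejects_token": fixed_lookup(store, csrf_token) is None,
        "fix_accepts_user": fixed_lookup(store, user_sid) is not None,
        "fix_rejects_unknown": fixed_lookup(store, "no-such-id") is None,
    }
```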
CVE References
Changed in lemonldap-ng (Debian):
status: Unknown → Fix Released

Xavier Guimard (x-guimard) wrote: #1

Steve Beattie (sbeattie) wrote: #2
Making public as the issues are public elsewhere.
information type: Private Security → Public Security
Changed in lemonldap-ng (Ubuntu):
status: New → Confirmed
importance: Undecided → High

Xavier Guimard (x-guimard) wrote: #3
Debian version 1.3.3-1+deb8u1 (LTS) also fixes this bug for 1.3.x versions.

Xavier Guimard (x-guimard) wrote: #4
Hello,
The bug is easy to fix, at least for 18.04 (just import the Debian package). Is there a problem with this upgrade?
description: updated

Xavier Guimard (x-guimard) wrote: #5
Is there a security team in Ubuntu?
tags: added: community-security

Alex Murray (alexmurray) wrote: #6
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/
Fix for Xenial can be inspired from https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/3a21d1d9dd6b6db1b937244e559dfd5bef77e3c4