[HIGH] CVE-2016-6651: Privilege Escalation in UAA
Molly Crowther
CVE-2016-6651: Privilege Escalation in UAA
Severity
High

Vendor
Cloud Foundry Foundation

Versions Affected
- Cloud Foundry release v242 and earlier versions
- UAA release v3.7.0 & earlier versions
- UAA bosh release (uaa-release) v16 & earlier versions

Description
A privilege escalation vulnerability has been identified with the /oauth/token endpoint in UAA allowing users to elevate the privileges in the token issued.

Mitigation
OSS users are strongly encouraged to follow one of the mitigations below:
- Upgrade to Cloud Foundry v243 [1] or later
- For standalone UAA users:
  - For users using UAA Version 3.0.0 - 3.7.0, please upgrade UAA Release to v3.7.3 [2], v3.4.5 [3] or v3.3.0.6 [4]
  - For users using standalone UAA Version 2.X.X, please upgrade UAA Release to v2.7.4.8 [5]
- For users using UAA bosh release, please upgrade to UAA-Release v17 [6] if upgrading to v3.7.3 [2], v12.6 [7] if upgrading to v3.4.5 [3] or v11.7 [8] if upgrading to v3.3.0.6 [4]

Credit
SAP HCP Security Team

References
- [1] https://github.com/cloudfoundry/cf-release/releases/tag/v243
- [2] https://github.com/cloudfoundry/uaa/releases/tag/3.7.3
- [3] https://github.com/cloudfoundry/uaa/releases/tag/3.4.5
- [4] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.6
- [5] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.8
- [6] https://github.com/cloudfoundry/uaa-release/releases/tag/v17
- [7] https://github.com/cloudfoundry/uaa-release/releases/tag/v12.6
- [8] https://github.com/cloudfoundry/uaa-release/releases/tag/v11.7

History
2016-09-26: Initial vulnerability report published
Molly Crowther
Hello all,
In the interest of full public disclosure, the CFF Security Team would also like to share some additional information about this vulnerability that will aid in testing and remediation. Please let us know if you have any questions or concerns.

Thanks,
Molly Crowther
Cloud Foundry Foundation Security Team

Description of Vulnerability

The vulnerability exposes an untested parameter that lets any application add arbitrary scopes (permissions) to an access token.

curl https://login.urlredacted.com/oauth/token \
  -H "Accept: Application/json" \
  -u "cf:" \
  -d "username=<username here>" \
  -d "password=<password here>" \
  -d "client_id=cf" \
  -d "grant_type=password" \
  -d "response_type=token" \
  -d "external_scopes=cloud_controller.test"

A vulnerable system will return the following response:

{
  "access_token": "redacted for readability",
  "expires_in": 599,
  "jti": "redacted for readability",
  "refresh_token": "redacted for readability",
  "scope": "openid … cloud_controller.test",
  "token_type": "bearer"
}

cloud_controller.test is an arbitrary string, but may as well be cloud_controller.admin. Applications that perform off-line validation will happily accept the inserted string as a permission. Applications that use online validation, i.e. the /check_token UAA API endpoint, are not vulnerable - the UAA validates the permissions against what's in the database (uaadb). A patched system will ignore the external_scopes parameter completely, and cloud_controller.test will not be returned in the response.

On Mon, Sep 26, 2016 at 11:23 AM, Molly Crowther <mcrowther(a)cloudfoundry.org> wrote:
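A post-upgrade check for the behaviour described in the message above, added here as an example (it is not code from the thread or from the UAA project): it parses a /oauth/token JSON response, decodes the access_token's claims without verifying the signature, and reports whether a canary scope requested via external_scopes was actually issued. The two responses are constructed samples shaped like the one quoted above; getting a real response with the curl command is assumed to happen outside the script.

```python
import base64
import json

# Canary scope from the thread: not a real UAA permission, so it can only
# appear in an issued token if the external_scopes parameter was honoured.
CANARY_SCOPE = "cloud_controller.test"


def _b64url_decode(segment):
    # Restore the '=' padding that JWT base64url encoding strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Payload claims of a JWT, read WITHOUT verifying the signature.
    Diagnostic only: trusting these claims as permissions is the offline-validation trap."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def injected_scopes(token_response, requested):
    """Scopes from `requested` that were actually issued (empty set: UAA ignored them).
    Checks the response's top-level "scope" field and the "scope" claim inside
    access_token, because offline validators read the claim, not the response."""
    response_scopes = set(token_response.get("scope", "").split())
    claim = jwt_claims(token_response["access_token"]).get("scope", [])
    claim_scopes = set(claim.split() if isinstance(claim, str) else claim)
    return set(requested) & (response_scopes | claim_scopes)


def is_patched(token_response, requested=(CANARY_SCOPE,)):
    """True when none of the requested external scopes made it into the token."""
    return not injected_scopes(token_response, requested)


def _constructed_token(scopes):
    # Unsigned JWT-shaped string for offline testing; constructed, not issued by UAA.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}),
                     enc({"client_id": "cf", "scope": scopes}), "constructed-signature"])


# Constructed sample responses shaped like the one quoted in the thread.
VULNERABLE_RESPONSE = {
    "access_token": _constructed_token(["openid", "cloud_controller.read", CANARY_SCOPE]),
    "scope": "openid cloud_controller.read " + CANARY_SCOPE, "token_type": "bearer"}
PATCHED_RESPONSE = {
    "access_token": _constructed_token(["openid", "cloud_controller.read"]),
    "scope": "openid cloud_controller.read", "token_type": "bearer"}
```

Feed the real response body from the curl request to is_patched; use a canary scope that no user legitimately holds, as the thread does, so a hit can only mean the parameter was honoured.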
Mike Youngstrom <youngm@...>
Anyone know offhand if CC uses online or offline validation? If configurable, what config would we look for to know if it is online or offline?

Thanks,
Mike

On Mon, Sep 26, 2016 at 12:58 PM, Molly Crowther <mcrowther(a)cloudfoundry.org> wrote:
Timothy Hausler
Mike,
CC uses offline validation so that it does not have to talk to the UAA for every request. Right now there is no way to configure CC to use online validation.

Best,
Tim

On Mon, Sep 26, 2016 at 12:17 PM, Mike Youngstrom <youngm(a)gmail.com> wrote: