
Potential multi-factor authentication bypass

Low
sergei-maertens published GHSA-64r3-x3gf-vp63 Feb 6, 2024

Package

open-forms (open-formulieren)

Affected versions

< 2.2.8, 2.3.6, 2.4.4, 2.5.1

Patched versions

2.2.9, 2.3.7, 2.4.5, 2.5.2

Description

We discovered a non-exploitable multi-factor authentication weakness in Open Forms.

Impact

A superuser whose credentials (username + password) were compromised could, in principle, have the second-factor check bypassed if the attacker also found a way to authenticate to Open Forms without completing it. We do not believe such a login is, or has been, possible.

Had it been possible, the account could have been abused to view (potentially sensitive) submission data, or to hijack other staff accounts and view and/or modify data as them.

We do not believe this is or was actually exploitable, because three factors work in our favour:

  • the usual login page (at /admin/login/) does not fully log in the user until the second factor has been successfully provided
  • the additional, non-MFA-protected login page at /api/v2/api-auth/login/ was misconfigured and could not be used to log in
  • there are no other ways to log in

Exploitation additionally requires that a superuser's credentials have been compromised.

Patches

We have applied the following patches to all supported versions of Open Forms to address these weaknesses:

  • Move the API auth endpoints (/api/v2/api-auth/login/) so that they are only registered when settings.DEBUG = True. settings.DEBUG = True is insecure and must never be used in production.
  • Apply a custom permission check to the hijack flow so that only superusers who have completed second-factor verification can hijack another user.
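The second patch, as an added example that is not Open Forms' own code: a hijack permission check that only passes for an active superuser whose session has completed the second factor. It follows the django-hijack 3 convention of a keyword-only (hijacker, hijacked) callable configured via HIJACK_PERMISSION_CHECK, and django-otp's convention that OTPMiddleware attaches is_verified() to request.user; both are assumptions about the deployment, as are the FakeUser stand-ins and the dotted path in the docstring. The check fails closed when is_verified() is absent, which is what you see if the OTP middleware is missing or the user object did not come from the request.

```python
"""Hijack permission check requiring a second-factor-verified superuser.

Added example, not Open Forms' own code. Assumes the django-hijack 3
HIJACK_PERMISSION_CHECK convention (callable with keyword-only ``hijacker``
and ``hijacked``) and django-otp's convention that OTPMiddleware attaches
``is_verified()`` to ``request.user``. Wiring (hypothetical module path):

    HIJACK_PERMISSION_CHECK = "yourproject.hijack.verified_superusers_only"
"""
from dataclasses import dataclass
from typing import Callable, Optional


def is_second_factor_verified(user) -> bool:
    """True only when the OTP middleware attached is_verified() to the user
    and it reports a verified device for this request.

    Fails closed: a user without is_verified (middleware not installed, or a
    bare model instance loaded from the database) counts as unverified, so a
    misconfiguration cannot silently widen the check."""
    verified = getattr(user, "is_verified", None)
    if not callable(verified):
        return False
    return bool(verified())


def verified_superusers_only(*, hijacker, hijacked) -> bool:
    """Permission check for the hijack flow.

    Allow only if the hijacker is an active superuser who completed the second
    factor in this session, and the target is neither a superuser nor the
    hijacker themselves."""
    if not (hijacker.is_active and hijacker.is_superuser):
        return False
    if not is_second_factor_verified(hijacker):
        return False
    if hijacked.is_superuser or hijacked.pk == hijacker.pk:
        return False
    return True


# --- constructed stand-ins for Django user objects (example only) ----------

@dataclass
class FakeUser:
    pk: int
    is_active: bool = True
    is_superuser: bool = False
    is_staff: bool = False
    # OTPMiddleware sets this on request.user; None models a user object that
    # never passed through the middleware.
    is_verified: Optional[Callable[[], bool]] = None


def scenarios() -> dict:
    """Evaluate the check against the situations the advisory describes."""
    staff = FakeUser(pk=2, is_staff=True)
    other_admin = FakeUser(pk=3, is_superuser=True)
    # Superuser with a compromised password, logged in via a path that never
    # completed the second factor (the hypothetical bypass).
    password_only = FakeUser(pk=1, is_superuser=True, is_verified=lambda: False)
    # The same superuser after completing MFA on /admin/login/.
    mfa_verified = FakeUser(pk=1, is_superuser=True, is_verified=lambda: True)
    # Superuser object that never passed through OTPMiddleware.
    no_middleware = FakeUser(pk=1, is_superuser=True)
    verified_staff = FakeUser(pk=4, is_staff=True, is_verified=lambda: True)
    return {
        "password_only_superuser": verified_superusers_only(hijacker=password_only, hijacked=staff),
        "verified_superuser": verified_superusers_only(hijacker=mfa_verified, hijacked=staff),
        "middleware_missing": verified_superusers_only(hijacker=no_middleware, hijacked=staff),
        "verified_but_target_superuser": verified_superusers_only(hijacker=mfa_verified, hijacked=other_admin),
        "verified_staff_not_superuser": verified_superusers_only(hijacker=verified_staff, hijacked=staff),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:32s} -> {'allow' if allowed else 'deny'}")
```

Only the "verified_superuser" scenario is allowed; a password-only login, a missing middleware, a verified non-superuser and a verified superuser targeting another superuser are all denied. Check the exact signature of the permission callable against the django-hijack version you run before adopting this.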

The patched versions are:

  • master branch
  • 2.5.2
  • 2.4.5
  • 2.3.7
  • 2.2.9

Older versions are end of life and do not receive (security) updates anymore.

Workarounds

  • Only superusers are allowed to hijack, so having no superuser accounts mitigates the problem
  • Restricting access to /admin/-prefixed URLs to trusted IP addresses makes the attack surface much smaller
  • Reset the passwords of staff users to strong, unique passwords
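The second workaround, as an added example that is not part of Open Forms: a WSGI middleware that only lets requests under /admin/ through when the client address is in an allow-listed network, and answers 403 otherwise. Wrapping the application object from wsgi.py, the trusted networks and the dummy application are all assumptions made for this illustration; the same rule is more commonly placed in the reverse proxy in front of the application. It reads REMOTE_ADDR only: behind a proxy, enforce the allow-list at the proxy, or have the proxy rewrite REMOTE_ADDR, because X-Forwarded-For is attacker-controlled unless the proxy strips it.

```python
"""WSGI middleware restricting /admin/ to trusted source networks.

Added example, not part of Open Forms. Wraps any WSGI app (for Django, the
object returned by get_wsgi_application() in wsgi.py) and rejects requests
under a protected prefix unless REMOTE_ADDR is inside a trusted network.
The trusted networks, prefixes and dummy app below are constructed for the
demo. Behind a reverse proxy, apply the rule at the proxy instead: this code
deliberately ignores X-Forwarded-For.
"""
import ipaddress
from typing import Iterable

PROTECTED_PREFIXES = ("/admin/",)


class AdminIPAllowlist:
    def __init__(self, app, trusted_networks: Iterable[str], prefixes=PROTECTED_PREFIXES):
        self.app = app
        # strict=False lets a bare host address ("192.0.2.10") become a /32.
        self.networks = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
        self.prefixes = tuple(prefixes)
        # "/admin" without the trailing slash is covered too; Django's
        # APPEND_SLASH would otherwise redirect it into the protected area.
        self.exact = tuple(p.rstrip("/") for p in self.prefixes)

    def is_allowed(self, path: str, remote_addr: str) -> bool:
        """Allow everything outside the protected prefixes; inside them, allow
        only addresses in a trusted network. Unparseable addresses fail closed."""
        if not (path.startswith(self.prefixes) or path in self.exact):
            return True
        try:
            addr = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False
        return any(addr in net for net in self.networks)

    def __call__(self, environ, start_response):
        if self.is_allowed(environ.get("PATH_INFO", ""), environ.get("REMOTE_ADDR", "")):
            return self.app(environ, start_response)
        body = b"Forbidden\n"
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]


# --- constructed demo: a stand-in application and synthetic requests -------

def _dummy_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def probe(app, path: str, remote_addr: str) -> str:
    """Drive a WSGI app with a constructed environ and return the status line."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": remote_addr},
             start_response))
    return seen["status"]


def demo() -> dict:
    # Hypothetical trusted ranges: an office network and one VPN host.
    app = AdminIPAllowlist(_dummy_app, trusted_networks=["10.0.0.0/8", "192.0.2.10"])
    return {
        "office_admin_login": probe(app, "/admin/login/", "10.1.2.3"),
        "vpn_host_admin_root": probe(app, "/admin", "192.0.2.10"),
        "internet_admin_login": probe(app, "/admin/login/", "203.0.113.7"),
        "internet_public_form": probe(app, "/api/v2/forms/", "203.0.113.7"),
        "garbage_remote_addr": probe(app, "/admin/", "not-an-ip"),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:24s} -> {status}")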

Additional notes

  • Every hijack action is logged in the audit logs - please check these for irregular activity
  • Every time a staff users views submission data, this is logged in the audit logs. These log records are still present if the submission itself has since been pruned. Check them for irregular activity.

Severity

Low

CVE ID

CVE-2024-24771

Credits