AIT-SA-20240514-02

FIWARE Keyrock: Deactivate 2-factor-auth of any user

Identifier: AIT-SA-20240514-02
Target: FIWARE Keyrock
Vendor: FIWARE
Version: all versions including 8.4
CVE: CVE-2024-42164
Accessibility: Remote
Severity: Medium (4.3)
Author: Wolfgang Hotwagner (Austrian Institute of Technology)

SUMMARY

Insufficiently random values are used to generate password reset tokens in all versions of FIWARE Keyrock up to and including 8.4. This allows an attacker to disable two-factor authentication for any user by predicting the token carried in that user's disable_2fa link.

PROOF OF CONCEPT

The algorithm used to create the disable_2fa_key is predictable. An attacker can predict the "random" numbers and disable two-factor authentication for any user:

The endpoints that send the disable-2FA link and that deactivate 2FA both appear to be unauthenticated:

An authenticated non-admin user can request multiple password reset tokens for their own account, use them to predict multiple future "random" keys, and then use the predicted keys to disable two-factor authentication for any user.

For further information see “Manipulate passwords of any user”

VULNERABLE VERSIONS

All versions including 8.4 are affected.

TESTED VERSIONS

FIWARE Keyrock 8.4

IMPACT

An attacker could register a new user, request a password reset for that account, and use the resulting token to predict the generator's next "random" values. With the predicted values the attacker may be able to disable two-factor authentication for any user.

MITIGATION

Currently (August 12th, 2024) there is no known mitigation.

VENDOR CONTACT TIMELINE

WOLFGANG HOTWAGNER

Research Engineer /
Security & Communication Technologies