Security issue in experimental JWT authentication in v3.3
PBL-06-008 WP3: JWT key confusion leads to authentication bypass (High) (BETA)
Summary
As part of the audit of the mobile application, security researcher Johannes Moritz, from Cure53 team, while reviewing the JWT authentication procedure, found that the Passbolt API is prone to a key confusion attack.
- CVE: N/A.
- Product affected: API (Pro and CE).
- Version affected: v3.3.0
- Version fixed: v3.3.1
- Affected component: JWT Authentication plugin.
- Vulnerability Type: Authentication bypass.
- Severity: High (8.3).
Attack vector / exploitation
The attacker can change the algorithm field of the JWT header from RS256 to HS256 and misuse the RSA public key as HMAC secret key. With the knowledge of another user’s id, the attacker can issue arbitrary valid tokens and authenticate as other users.
Even though Passbolt only configures the RS256 algorithm, the custom configuration is merged with the default configuration by CakePHP. Therefore, both algorithms are supported.
Fix
V3.3.1 enforces the RS256 algorithm in the JWT header. It is being done by removing the HS256 algorithm from the JWTAuthenticator instance after initializing the object.
Severity
The severity of this issue is high. However it is not rated as critical as the plugin is disabled by default. Moreover an attacker must know the user id. Additionally the passwords inside passbolt are encrypted and therefore cannot be decrypted by the attacker.
If you are currently beta testing the mobile application on your production site you must patch as soon as possible or disable the JWT Authentication and Mobile plugins.
Follow up
We will publish a more complete report once the audit period is completed. Furthermore we reported the issue to CakePHP team to avoid accidental merge with JwtAuthenticator default configuration.
Event timeline
- 2021-11-24 10:30 CET: Vulnerability details sent by reporter.
- 2021-11-24 10:30 CET: We acknowledge the issue, start working on a fix
- 2021-11-24 12:50 CET: A fix is proposed to the reporter
- 2021-11-24 16:40 PM CET: We publish the fix as part of v3.3.1 release
- 2021-11-24 17:00 PM CET: We publish the release notes and this report.
Last updated
This article was last updated on November 24th, 2021.