Disabling Account Multi Factor Authentication (MFA) Does Not Require Authenticator Token or Credentials in inventree/inventree

Valid

Reported on

Jun 16th 2022


Description

The application does not require a valid MFA authenticator token, user credentials, or other mechanism to disable MFA on an account.

Proof of Concept

1. In an account with MFA enabled, go to User Settings
2. Click on Remove multifactor
3. Select the response when the window pops up
4. Skip entering information into the Setup Two-Factor Authentication screen
5. Return to the Account Settings and note that the authentication type is no longer present
6. Logout
7. Login without MFA required

Note that this occurs when the user has enabled MFA, not an administrative action in the application.

Impact

MFA protections are in place to ensure that an attacker cannot access an authenticated portal without a second factor. If an attacker can compromise a victim account through hardware or social engineering compromise, the attacker can simply click Remove multifactor. The issue can be compounded with the application's current poor password policy that does not require a current password validation in order to change account credentials.

We are processing your report and will contact the inventree team within 24 hours. 2 months ago
Joe Helle modified the report
2 months ago
Joe Helle modified the report
2 months ago
Oliver validated this vulnerability 2 months ago

@dievus thanks for reporting this. Certainly not best practice, so we will ensure a fix is made against this ASAP.

Joe Helle has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Helle
2 months ago

Researcher


Thanks!

Oliver
2 months ago

Maintainer


@dievus FYI this appears to be a known shortcoming of a third-party library - https://github.com/valohai/django-allauth-2fa/issues/30

Matthias Mair
2 months ago

Maintainer


Oliver provided a PR for them - we hope to resolve this in upstream. https://github.com/valohai/django-allauth-2fa/pull/135

Joe Helle
2 months ago

Researcher


Okie doke. Awesome to see you guys working to improve the library.

We have sent a fix follow up to the inventree team. We will try again in 7 days. a month ago
Matthias Mair
a month ago

Maintainer


Short update; we haven’t forgotten your report. We are currently waiting for upstream to accept our fix but have not gotten a response from their maintainers

Joe Helle
a month ago

Researcher


Thanks for the update, Matthias. No worries on the delay. I understand. If you need anything please let me know.

Matthias Mair
a month ago

Maintainer


I made a fix in our code base now. We will wait a few days after the release with marking this fixed to delay the report bots and give the users a realistic possibility to update.

Joe Helle
a month ago

Researcher


Totally understandable. I'll hold off on my end as well until you and your team are comfortable.

If you and @admin are ok with it, I would like to request a CVE for this finding based on the working severity we have, and the overall impact it could have.

Jamie Slome
a month ago

Admin


@matmair - happy to assign a CVE to this report if you are happy. Let me know 👍

We have sent a second fix follow up to the inventree team. We will try again in 10 days. a month ago
Oliver confirmed that a fix has been merged on f9aa5a a month ago
Oliver has been awarded the fix bounty
Oliver
a month ago

Maintainer


Have now marked this as fixed, after giving users some time to update. Thanks again for the report.

Matthias Mair
a month ago

Maintainer


@admin some function to delay releasing a disclosure after a fix would be nice. We fixed this a few days ago but waited so that all the Twitter bots do not blast the open problem out to the world. Some users got attacked/hacked with another vulnerability after the last disclosure hours after the release - before they could update. We could contain it but would be a nice feature.

Jamie Slome
a month ago

Admin


@Matthias - that is a great idea 👍 Could I invite you to create a feature request on our public roadmap:

https://github.com/418sec/huntr/issues/new

This will allow us to better track your request and keep you up-to-date on its progress.

Matthias Mair
a month ago

Maintainer


@joe helle upstream has now released a fixed version too. https://github.com/valohai/django-allauth-2fa/releases/tag/v0.10.0

Joe Helle
a month ago

Researcher


You guys rock. Great work!
