Disabling Account Multi Factor Authentication (MFA) Does Not Require Authenticator Token or Credentials in inventree/inventree
Reported on
Jun 16th 2022
Description
The application does not require a valid MFA authenticator token, user credentials, or other mechanism to disable MFA on an account.
Proof of Concept
1. In an account with MFA enabled, go to User Settings
2. Click on Remove multifactor
3. Select the response when the window pops up
4. Skip entering information into the Setup Two-Factor Authentication screen
5. Return to the Account Settings and note that the authentication type is no longer present
6. Logout
7. Login without MFA required
Note that this occurs when MFA has been enabled by the user themselves; no administrative action in the application is involved.
Impact
MFA protections are in place to ensure that an attacker cannot access an authenticated portal without a second factor. If an attacker can compromise a victim account through hardware or social engineering compromise, the attacker can simply click Remove multifactor. The issue is compounded by the application's current weak password policy, which does not require validation of the current password in order to change account credentials.
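The control the report asks for is that removing MFA must itself be gated by the second factor (or another proof of the account owner's presence). The sketch below is an added example written for this page; it is not InvenTree's or django-allauth-2fa's code. The `Account` class, `disable_mfa_insecure`, `disable_mfa` and the `last_counter` replay guard are hypothetical; TOTP is implemented from RFC 6238 with the standard library only, and the secret is the RFC test-vector value, used purely as constructed sample input.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample secret: the RFC 4226 / RFC 6238 test-vector key.
SAMPLE_SECRET = b"12345678901234567890"


@dataclass
class Account:
    """Hypothetical user record; MFA is enabled iff totp_secret is set."""
    username: str
    totp_secret: Optional[bytes] = None
    # Highest TOTP time-step already accepted; used to refuse replayed codes.
    last_counter: int = -1


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(account: Account, token: str, now: int, window: int = 1) -> bool:
    """Accept a code from the current step or +/- `window` steps, each at most once."""
    if account.totp_secret is None:
        return False
    current = now // 30
    for counter in range(current - window, current + window + 1):
        if counter <= account.last_counter:
            continue  # already consumed: blocks replay of a captured code
        if hmac.compare_digest(hotp(account.totp_secret, counter), token):
            account.last_counter = counter
            return True
    return False


def disable_mfa_insecure(account: Account) -> bool:
    """Mirrors the reported behaviour: a click removes MFA with no proof at all."""
    account.totp_secret = None
    return True


def disable_mfa(account: Account, token: str, now: Optional[int] = None) -> bool:
    """Hardened form: MFA is removed only after a fresh, valid authenticator code."""
    if now is None:
        now = int(time.time())
    if account.totp_secret is None:
        return False  # nothing to disable; do not leak whether a code was right
    if not verify_totp(account, token, now):
        return False  # wrong, stale or replayed code: MFA stays on
    account.totp_secret = None
    account.last_counter = -1
    return True


if __name__ == "__main__":
    alice = Account("alice", totp_secret=SAMPLE_SECRET)
    print("insecure path removes MFA:", disable_mfa_insecure(Account("x", SAMPLE_SECRET)))
    print("wrong code refused:", disable_mfa(alice, "000000", now=59))
    print("valid code accepted:", disable_mfa(alice, totp(SAMPLE_SECRET, 59), now=59))
```

In a real Django view the same gate would wrap the existing "remove multifactor" handler; the point of the sketch is that the deletion sits behind `verify_totp` rather than behind a button click. The replay counter also matters: a code observed over the shoulder or in a log must not be reusable to strip the second factor a minute later.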
@dievus FYI this appears to be a known shortcoming of a third-party library - https://github.com/valohai/django-allauth-2fa/issues/30
Oliver provided a PR for them - we hope to resolve this in upstream. https://github.com/valohai/django-allauth-2fa/pull/135
Okie doke. Awesome to see you guys working to improve the library.
Short update; we haven't forgotten your report. We are currently waiting for upstream to accept our fix but have not gotten a response from their maintainers.
Thanks for the update, Matthias. No worries on the delay. I understand. If you need anything please let me know.
I made a fix in our code base now. We will wait a few days after the release with marking this fixed to delay the report bots and give the users a realistic possibility to update.
Totally understandable. I'll hold off on my end as well until you and your team are comfortable.
If you and @admin are ok with it, I would like to request a CVE for this finding based on the working severity we have, and the overall impact it could have.
@matmair - happy to assign a CVE to this report if you are happy. Let me know.
Have now marked this as fixed, after giving users some time to update. Thanks again for the report.
@admin some function to delay releasing a disclosure after a fix would be nice. We fixed this a few days ago but waited so that all the Twitter bots do not blast the open problem out to the world. Some users got attacked/hacked with another vulnerability after the last disclosure hours after the release - before they could update. We could contain it but would be a nice feature.
@Matthias - that is a great idea. Could I invite you to create a feature request on our public roadmap:
https://github.com/418sec/huntr/issues/new
This will allow us to better track your request and keep you up-to-date on its progress.
@joe helle upstream has now released a fixed version too. https://github.com/valohai/django-allauth-2fa/releases/tag/v0.10.0