Failure to invalidate session after password change in bigbluebutton/greenlight

Valid

Reported on

Jun 29th 2022

Description

The application does not invalidate session after the password is changed which can enable attacker to continue using the compromised session.

Proof of Concept

1)Login to the same accounts in two different browsers (https://demo.bigbluebutton.org/gl)
2)Change password in the 1st browser and you will see that the 2nd browser still validate the session after password change (even after refresh the page). You can do anything with the 2nd browser which use the old password.

Impact

Logging in with the new password doesn't invalidate the older session either: I could browse BigBlueButton using two sessions (in two different browsers) which were initiated using two different passwords.

Suggested Fix:

When the password is reset, force logout the user and redirect to login page with a message.

Occurrences

users_controller_spec.rb L446-L485

users_controller.rb L117-L133

References

Quote from OWASP: Renew the Session ID After Any Privilege Level Change The session ID must be renewed or regenerated by the web application after any privilege level change within the associated user session.. Other common scenarios must also be considered, such as password changes

We are processing your report and will contact the bigbluebutton/greenlight team within 24 hours. a year ago

KhanhCM modified the report

a year ago

We have contacted a member of the bigbluebutton/greenlight team and are waiting to hear back a year ago

We have sent a follow up to the bigbluebutton/greenlight team. We will try again in 7 days. a year ago

We have sent a second follow up to the bigbluebutton/greenlight team. We will try again in 10 days. a year ago

Ahmad Farhat modified the Severity from Critical (9.1) to Medium (6.3) a year ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

Ahmad Farhat validated this vulnerability a year ago

KhanhCM has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

We have sent a fix follow up to the bigbluebutton/greenlight team. We will try again in 7 days. a year ago

We have sent a second fix follow up to the bigbluebutton/greenlight team. We will try again in 10 days. a year ago

We have sent a third and final fix follow up to the bigbluebutton/greenlight team. This report is now considered stale. a year ago

KhanhCM

commented a year ago

Researcher

Hi @admin and @maintainer,

I see that in the latest release of Greenlight project, it mentioned a change:

CVE-2022-36029 - Severity: High Sessions are now expired if the password is changed (either through forget password or profile)

It's the same with what I reported here as well as the severity of that vulnerability in the CVE is High, while the maintainer marked it as Medium in my report.

So can you review my report, is it necessary to change the severity of this report from Medium to High as well as linked it with the CVE-2022-36029?

Many thanks!

KhanhCM

commented a year ago

Researcher

You can check the latest release (which is 2.13.0) here: https://github.com/bigbluebutton/greenlight/releases/tag/release-2.13.0

Jamie Slome

commented a year ago

Admin

I have dropped a message on the GitHub Issue created for this report. You can see it here.

Ahmad Farhat marked this as fixed in 2.13.0 with commit e22d04 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

users_controller.rb#L117-L133 has been validated

users_controller_spec.rb#L446-L485 has been validated

Ahmad Farhat

commented a year ago

Maintainer

@admin The severity can be increased to HIGH for this CVE - @KhanhCM thanks for the report!

KhanhCM

commented a year ago

Researcher

Hi @admin, can you change the severity of this report to HIGH as the maintainer metioned above?
And will I receive the disclosure bounty for this with that high severity?

Many thanks!

Jamie Slome

commented a year ago

Admin

Happy to adjust this report severity to HIGH. Can you please provide the CVSS vector string for me to use?

@maintainer 👆

KhanhCM

commented a year ago

Researcher

Hi @admin, @maintainer,

I suggest that the CVSS vector string should be CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, which the severity is HIGH (7.3).

Can you confirm whether it is properly or it need to be modified more correct, @maintainer?

Many thanks!

to join this conversation

We are processing your report and will contact the bigbluebutton/greenlight team within 24 hours. a year ago

KhanhCM modified the report

a year ago

We have contacted a member of the bigbluebutton/greenlight team and are waiting to hear back a year ago

We have sent a follow up to the bigbluebutton/greenlight team. We will try again in 7 days. a year ago

We have sent a second follow up to the bigbluebutton/greenlight team. We will try again in 10 days. a year ago

Ahmad Farhat modified the Severity from Critical (9.1) to Medium (6.3) a year ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

Ahmad Farhat validated this vulnerability a year ago

KhanhCM has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

We have sent a fix follow up to the bigbluebutton/greenlight team. We will try again in 7 days. a year ago

We have sent a second fix follow up to the bigbluebutton/greenlight team. We will try again in 10 days. a year ago

We have sent a third and final fix follow up to the bigbluebutton/greenlight team. This report is now considered stale. a year ago

KhanhCM

commented a year ago

Researcher

Hi @admin and @maintainer,

I see that in the latest release of Greenlight project, it mentioned a change:

CVE-2022-36029 - Severity: High Sessions are now expired if the password is changed (either through forget password or profile)

It's the same with what I reported here as well as the severity of that vulnerability in the CVE is High, while the maintainer marked it as Medium in my report.

So can you review my report, is it necessary to change the severity of this report from Medium to High as well as linked it with the CVE-2022-36029?

Many thanks!

KhanhCM

commented a year ago

Researcher

You can check the latest release (which is 2.13.0) here: https://github.com/bigbluebutton/greenlight/releases/tag/release-2.13.0

Jamie Slome

commented a year ago

Admin

I have dropped a message on the GitHub Issue created for this report. You can see it here.

Ahmad Farhat marked this as fixed in 2.13.0 with commit e22d04 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

users_controller.rb#L117-L133 has been validated

users_controller_spec.rb#L446-L485 has been validated

Ahmad Farhat

commented a year ago

Maintainer

@admin The severity can be increased to HIGH for this CVE - @KhanhCM thanks for the report!

KhanhCM

commented a year ago

Researcher

Hi @admin, can you change the severity of this report to HIGH as the maintainer metioned above?
And will I receive the disclosure bounty for this with that high severity?

Many thanks!

Jamie Slome

commented a year ago

Admin

Happy to adjust this report severity to HIGH. Can you please provide the CVSS vector string for me to use?

@maintainer 👆

KhanhCM

commented a year ago

Researcher

Hi @admin, @maintainer,

I suggest that the CVSS vector string should be CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, which the severity is HIGH (7.3).

Can you confirm whether it is properly or it need to be modified more correct, @maintainer?

Many thanks!

to join this conversation