Failure to invalidate session after password change in bigbluebutton/greenlight

Valid

Reported on

Jun 29th 2022


Description

The application does not invalidate session after the password is changed which can enable attacker to continue using the compromised session.

Proof of Concept

1)Login to the same accounts in two different browsers (https://demo.bigbluebutton.org/gl)
2)Change password in the 1st browser and you will see that the 2nd browser still validate the session after password change (even after refresh the page). You can do anything with the 2nd browser which use the old password.

Impact

Logging in with the new password doesn't invalidate the older session either: I could browse BigBlueButton using two sessions (in two different browsers) which were initiated using two different passwords.

Suggested Fix:

When the password is reset, force logout the user and redirect to login page with a message.

We are processing your report and will contact the bigbluebutton/greenlight team within 24 hours. 3 months ago
KhanhCM modified the report
3 months ago
We have contacted a member of the bigbluebutton/greenlight team and are waiting to hear back 3 months ago
We have sent a follow up to the bigbluebutton/greenlight team. We will try again in 7 days. 3 months ago
We have sent a second follow up to the bigbluebutton/greenlight team. We will try again in 10 days. 2 months ago
Ahmad Farhat modified the Severity from Critical (9.1) to Medium (6.3) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Ahmad Farhat validated this vulnerability 2 months ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the bigbluebutton/greenlight team. We will try again in 7 days. 2 months ago
We have sent a second fix follow up to the bigbluebutton/greenlight team. We will try again in 10 days. 2 months ago
We have sent a third and final fix follow up to the bigbluebutton/greenlight team. This report is now considered stale. 2 months ago
KhanhCM
a month ago

Researcher


Hi @admin and @maintainer,

I see that in the latest release of Greenlight project, it mentioned a change:

CVE-2022-36029 - Severity: High Sessions are now expired if the password is changed (either through forget password or profile)

It's the same with what I reported here as well as the severity of that vulnerability in the CVE is High, while the maintainer marked it as Medium in my report.

So can you review my report, is it necessary to change the severity of this report from Medium to High as well as linked it with the CVE-2022-36029?

Many thanks!

KhanhCM
a month ago

Researcher


You can check the latest release (which is 2.13.0) here: https://github.com/bigbluebutton/greenlight/releases/tag/release-2.13.0

Jamie Slome
a month ago

Admin


I have dropped a message on the GitHub Issue created for this report. You can see it here.

Ahmad Farhat confirmed that a fix has been merged on e22d04 a month ago
The fix bounty has been dropped
Ahmad Farhat
a month ago

@admin The severity can be increased to HIGH for this CVE - @KhanhCM thanks for the report!

KhanhCM
a month ago

Researcher


Hi @admin, can you change the severity of this report to HIGH as the maintainer metioned above?
And will I receive the disclosure bounty for this with that high severity?

Many thanks!

Jamie Slome
a month ago

Admin


Happy to adjust this report severity to HIGH. Can you please provide the CVSS vector string for me to use?

@maintainer 👆

KhanhCM
a month ago

Researcher


Hi @admin, @maintainer,

I suggest that the CVSS vector string should be CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, which the severity is HIGH (7.3).

Can you confirm whether it is properly or it need to be modified more correct, @maintainer?

Many thanks!

to join this conversation