Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS04NzV4LWc4cDctNXcyN84AA95Y

The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames

Summary

The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no username was found.

Details

When WebAuthn is used as the first or only authentication method, an attacker can enumerate usernames based on the absence of the allowedCredentials property in the assertion options response. This allows enumeration of valid or invalid usernames.

Proposal how to resolve it:

return $this->publicKeyCredentialRequestOptionsFactory->create(
            $this->profile,
            count($allowedCredentials) <= 0 ? self::getRandomCredentials(): $allowedCredentials,
            $optionsRequest->userVerification,
            $extensions
);

private static function getRandomCredentials(): array
{
        $credentialSources = [];
        for ($i = 0; $i <= rand(0,1); $i++) {
            $credentialSources[] = new PublicKeyCredentialSource(
                random_bytes(32),
                "public-key",
                [],
                "basic",
                new EmptyTrustPath(),
                Uuid::v7(),
                random_bytes(77),
                Uuid::v7()->__toString(),
                rand(0, 6000),
                null
            );
        }
        return array_map(
            static fn (PublicKeyCredentialSource $credential): PublicKeyCredentialDescriptor => $credential->getPublicKeyCredentialDescriptor(),
            $credentialSources
        );
}

PoC

curl https://example.com/assertion/options
-H 'content-type: application/json'
--data-raw '{"username":"NotMeRandomUsername123"}'

Impact

By knowing which usernames are valid, attackers can focus their efforts on a smaller set of potential targets, increasing the efficiency and likelihood of successful attacks.

Permalink: https://github.com/advisories/GHSA-875x-g8p7-5w27
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NzV4LWc4cDctNXcyN84AA95Y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 months ago
Updated: 4 months ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-875x-g8p7-5w27, CVE-2024-39912
References:

• https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-875x-g8p7-5w27
• https://github.com/web-auth/webauthn-framework/commit/a9d1352897fba552e659e1445a771dec2d4ed05a
• https://github.com/web-auth/webauthn-lib/commit/b6798de27cdedd8681fe4c9b13ace0ff2456d18b
• https://nvd.nist.gov/vuln/detail/CVE-2024-39912
• https://github.com/web-auth/webauthn-framework/commit/64de11f6cddc71e56c76e0cc4573bf94d02be045
• https://github.com/advisories/GHSA-875x-g8p7-5w27

Repository: https://github.com/web-auth/webauthn-framework
Blast Radius: 12.7

Affected Packages