Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13YzQzLTczdzcteDJmNc4AA_zB

Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials

Preconditions

Example server configuration

Below you will find an vulnerable example configuration. Keep in mind that, for the account to be vulnerable, the account must have no first factor except the code method enabled plus a second factor.

selfservice:
  methods:
    code:
      # The `code` login method is enabled with the `passwordless_enabled` flag set to `true`
      passwordless_enabled: true
    totp:
      # 2FA method such as `totp` is enabled
      enabled: true
  flows:
    settings:
      # This is set
      required_aal: highest_available
session:
  whoami:
    # Or this
    required_aal: highest_available

Impact

Given the preconditions, the highest_available setting will incorrectly assume that the identity’s highest available AAL is aal1 even though it really is aal2. This means that the highest_available configuration will act as if the user has only one factor set up, for that particular user. This means that they can call the settings and whoami endpoint without a aal2 session, even though that should be disallowed.

An attacker would need to steal or guess a valid login OTP of a user who has only OTP for login enabled and who has an incorrect available_aal value stored, to exploit this vulnerability.

All other aspects of the session (e.g. the session’s aal) are not impacted by this issue.

On Ory Network, only 0,00066% of registered users were affected by this issue, and most of those users appeared to be test users. Their respective AAL values have since been updated and they are no longer vulnerable to this attack.

Patches

Version 1.3.0 is not affected by this issue.

Workarounds

If you require 2FA please disable the passwordless code login method. If that is not possible, check the sessions aal to identify if the user has aal1 or aal2.

Permalink: https://github.com/advisories/GHSA-wc43-73w7-x2f5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13YzQzLTczdzcteDJmNc4AA_zB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago


CVSS Score: 4.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

EPSS Percentage: 0.00043
EPSS Percentile: 0.10511

Identifiers: GHSA-wc43-73w7-x2f5, CVE-2024-45042
References: Repository: https://github.com/ory/kratos
Blast Radius: 4.2

Affected Packages

go:github.com/ory/kratos
Dependent packages: 23
Dependent repositories: 9
Downloads:
Affected Version Ranges: <= 1.2.0
Fixed in: 1.3.0
All affected versions: 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.13.0, 1.0.0, 1.1.0, 1.2.0
All unaffected versions: 1.3.0, 1.3.1