
CVE-2021-28680: One layer of security is lost when using devise_masquerade under certain circumstances in versions before 1.3 #83

Closed
ghost opened this issue Mar 23, 2021 · 2 comments

Comments

ghost commented Mar 23, 2021

This is a security vulnerability that has been subject to a 90-day disclosure deadline and has been fixed in the v1.3.1 release of devise_masquerade. I'm creating this issue for traceability inside the GitHub project and to be able to refer to it from the CVE. Ideally a security advisory should be created.

If the secret_key_base variable is somehow leaked, an attacker can become any user by misusing the "masquerade back" functionality of this Devise extension, something that is not possible in plain Devise since the attacker must know the victim's password salt to form a valid session cookie to encrypt and sign using secret_key_base.

From the description of CVE-2021-28680:

The devise_masquerade gem before 1.3 allows certain attacks when a password's salt is unknown. An application that uses this gem to let administrators masquerade/impersonate users loses one layer of security protection compared to a situation where Devise (without this extension) is used. If the server-side secret_key_base value became publicly known (for instance if it is committed to a public repository by mistake), there are still other protections in place that prevent an attacker from impersonating any user on the site. When masquerading is not used in a plain Devise application, one must know the password salt of the target user if one wants to encrypt and sign a valid session cookie. When devise_masquerade is used, however, an attacker can decide which user the "back" action will go back to without knowing that user's password salt and simply knowing the user ID, by manipulating the session cookie and pretending that a user is already masqueraded by an administrator.

By adding and setting the dictionary key devise_masquerade_user to the user ID of the admin victim in the session cookie JSON/Marshal object, an attacker can fake that an impersonation has occurred and then use the "masquerade back" functionality to become the victim.
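Added illustration, not code from the devise_masquerade gem or from this issue: a minimal in-memory model of the "masquerade back" step that contrasts the pattern described above (trusting the devise_masquerade_user session key alone) with a hardened variant that binds the stored record to the owner's authenticatable_salt, the same value plain Devise relies on. The user store, session hash and all helper names are constructed for the example, and the salt binding is one possible mitigation, not necessarily what pull request #76 implemented.

```ruby
require 'securerandom'

# Constructed stand-in for the Devise user model. authenticatable_salt mirrors
# Devise's DatabaseAuthenticatable: the first 29 bytes of the bcrypt string
# ("$2a$12$" plus the 22-character salt), which a forger who only knows the
# user ID does not possess.
User = Struct.new(:id, :email, :encrypted_password) do
  def authenticatable_salt
    encrypted_password[0, 29]
  end
end

# Constructed user table: id 1 is the administrator, id 2 a regular user.
USERS = [1, 2].to_h do |id|
  [id, User.new(id, "user#{id}@example.test",
                '$2a$12$' + SecureRandom.hex(11) + SecureRandom.hex(15) + 'a')]
end

# Constant-time byte comparison so salt checks do not leak timing information.
def constant_time_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Vulnerable pattern from the issue: whoever controls the session contents
# picks the "back" target by ID alone. Returns the user that would be signed in.
def back_vulnerable(session)
  USERS[session['devise_masquerade_user']]
end

# Hardened pattern: when masquerading starts, record the owner's ID together
# with its authenticatable_salt, so a forged entry built from an ID alone fails.
def start_masquerade(session, owner, target)
  session['devise_masquerade_user'] = [owner.id, owner.authenticatable_salt]
  session['current_user'] = target.id
end

# Returns the owner to sign back in, or nil when the record does not verify.
def back_hardened(session)
  id, salt = session['devise_masquerade_user']
  owner = USERS[id]
  return nil unless owner && constant_time_equal?(salt, owner.authenticatable_salt)
  session.delete('devise_masquerade_user')
  session['current_user'] = owner.id
  owner
end
```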


ghost commented Mar 23, 2021

Fixed by pull request #76.

@ghost ghost closed this as completed Mar 23, 2021

ghost commented Mar 23, 2021

This issue was closed.