We discovered a non-exploitable multi-factor authentication weakness in Open Forms.
Impact
Superusers who have their credentials (username + password) compromised could potentially have the second-factor authentication bypassed if an attacker somehow managed to authenticate to Open Forms. We do not believe it is or has been possible to perform this login.
However, if this were possible, their account may have been abused to view (potentially sensitive) submission data or have been used to impersonate other staff accounts to view and/or modify data.
We do not believe this is/was actually exploitable due to three factors playing in our advantage:
- the usual login page (at
/admin/login/) does not fully log in the user until the second factor was succesfully provided
- the additional non-MFA protected login page at
/api/v2/api-authlogin/ was misconfigured and could not be used to log in
- there are no additional ways to log in
This also requires credentials of a superuser to be compromised to be exploitable.
Patches
We have applied the following patches to address these weaknesses to all supported versions of Open Forms:
- Move and only enable the API auth endpoints (
/api/v2/api-auth/login/) with settings.DEBUG = True. settings.DEBUG = True is insecure and should never be applied in production settings.
- Apply a custom permission check to the hijack flow to only allow second-factor-verified superusers to perform user hijacking.
The patched versions are:
- master branch
- 2.5.2
- 2.4.5
- 2.3.7
- 2.2.9
Older versions are end of life and do not receive (security) updates anymore.
Workarounds
- Only superusers are allowed to hijack, so not having any superusers mitigates the problem
- Only allowing access to
/admin/ prefixed URLs to trusted IP addresses can make your attack surface a lot smaller
- Reset passwords of staff users to a strong, unique password
Additional notes
- Every hijack action is logged in the audit logs - please check these for irregular activity
- Every time a staff users views submission data, this is logged in the audit logs. These log records are still present if the submission itself has since been pruned. Check them for irregular activity.
sergei-maertens Finder
We discovered a non-exploitable multi-factor authentication weakness in Open Forms.
Impact
Superusers who have their credentials (username + password) compromised could potentially have the second-factor authentication bypassed if an attacker somehow managed to authenticate to Open Forms. We do not believe it is or has been possible to perform this login.
However, if this were possible, their account may have been abused to view (potentially sensitive) submission data or have been used to impersonate other staff accounts to view and/or modify data.
We do not believe this is/was actually exploitable due to three factors playing in our advantage:
/admin/login/) does not fully log in the user until the second factor was succesfully provided/api/v2/api-authlogin/was misconfigured and could not be used to log inThis also requires credentials of a superuser to be compromised to be exploitable.
Patches
We have applied the following patches to address these weaknesses to all supported versions of Open Forms:
/api/v2/api-auth/login/) withsettings.DEBUG = True.settings.DEBUG = Trueis insecure and should never be applied in production settings.The patched versions are:
Older versions are end of life and do not receive (security) updates anymore.
Workarounds
/admin/prefixed URLs to trusted IP addresses can make your attack surface a lot smallerAdditional notes