SB2021072603 - Multiple vulnerabilities in mod_auth_openidc
Published: July 26, 2021 Updated: August 18, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2021-32792)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the "OIDCPreservePost On". A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Format string error (CVE-ID: CVE-2021-32785)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a format string error as mod_auth_openidc wrongly performs argument interpolation before passing Redis requests to `hiredis. A remote attacker can supply a specially crafted input that contains format string specifiers and perform a denial of service (DoS) attack.
3) Use of insufficiently random values (CVE-ID: CVE-2021-32791)
The vulnerability allows a remote attacker to perform a brute-force attack.
The vulnerability exists due to the AES GCM encryption in mod_auth_openidc uses a static IV and AAD, which creates a static nonce. Since aes-gcm is a stream cipher, this can lead to known cryptographic issues as the same key is being reused.
4) Open redirect (CVE-ID: CVE-2021-32786)
The vulnerability allows a remote attacker to redirect victims to arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data in oidc_validate_redirect_url() function. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
Remediation
Install update from vendor's website.
References
- https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9
- https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-55r8-6w97-xxr4
- https://github.com/zmartzone/mod_auth_openidc/commit/dc672688dc1f2db7df8ad4abebc367116017a449
- https://security.netapp.com/advisory/ntap-20210902-0001/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.debian.org/debian-lts-announce/2023/04/msg00034.html
- https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-px3c-6x7j-3r9r
- https://github.com/zmartzone/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXAWKPT5LXZSUTFSJ6IWSZC7RMYYQXQD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/
- https://daniel.haxx.se/blog/2017/01/30/one-url-standard-please/
- https://github.com/zmartzone/mod_auth_openidc/commit/3a115484eb927bc6daa5737dd84f88ff4bbc5544
- https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-xm4c-5wm5-jqv7