[SECURITY] Security advisory for CVE-2021-3882 (non-Secure session cookie)

12 Oct 2021

On September 16th, the LedgerSMB project was advised of a security
vulnerability
in the code. Please see below our security advisory.
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Summary:
========
LedgerSMB does not set the 'Secure' attribute on the session authorization
  cookie when the client uses HTTPS and the LedgerSMB server is behind a
  reverse proxy.  By tricking a user to use an unencrypted connection
(HTTP),
  an attacker may be able to obtain the authentication data by capturing
  network traffic.
Known vulnerable:
=================
All of:
- 1.8.0 upto 1.8.21 (including)
Known fixed:
============
- 1.8.22
Details:
========
LedgerSMB 1.8 and newer switched from Basic authentication to using cookie
  authentication with encrypted cookies.  Although an attacker can't access
  the information inside the cookie, nor the password of the user,
possession
  of the cookie is enough to access the application as the user from which
the
  cookie has been obtained.
In order for the attacker to obtain the cookie, first of all the server
  must be configured to respond to unencrypted requests, the attacker must
be
  suitably positioned to eavesdrop on the network traffic between the client
  and the server *and* the user must be tricked into using unencrypted HTTP
  traffic.
Proper audit control and separation of duties limit Integrity impact of
  the attack vector.
Severity:
=========
CVSSv3.1 Base Score: 5.9 (Medium)
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
Recommendations:
================
Users of LedgerSMB 1.8 are urged to upgrade to known-fixed versions. Users
  of LedgerSMB 1.7 or 1.9 are unaffected by this vulnerability and don't
need
  to take action.
As a workaround, users may configure their Apache or Nginx reverse proxy
  to add the Secure attribute at the network boundary instead of relying on
  LedgerSMB.
For Apache, please refer to the 'Header always edit' configuration command
  in the mod_headers module.
  For Nginx, please refer to the 'proxy_cookie_flags' configuration command.
References:
===========
CVE-2021-3882  (LedgerSMB)
https://ledgersmb.org/cve-2021-3882-sensitive-non-secure-cookie
https://huntr.dev/bounties/7061d97a-98a5-495a-8ba0-3a4c66091e9d/
Reported by:
============
0xdhinu, user of the huntr.dev platform
Patches:
========
index 8dbcacddd..063e44415 100644

--- a/lib/LedgerSMB/Middleware/AuthenticateSession.pm
+++ b/lib/LedgerSMB/Middleware/AuthenticateSession.pm
@@ -209,7 +209,7 @@ sub call {
     $dbh->rollback;
     $dbh->disconnect;
-    my $secure = ($env->{SERVER_PROTOCOL} eq 'https') ? '; Secure' : '';
+    my $secure = ($env->{HTTPS} eq 'ON') ? '; Secure' : '';
     my $path = LedgerSMB::PSGI::Util::cookie_path($env->{SCRIPT_NAME});
     return Plack::Util::response_cb(
         $res, sub {
-- 
Bye,

Erik.

http://efficito.com -- Hosted accounting and ERP.
Robust and Flexible. No vendor lock-in.



    

Erik Huelsmann

tags (0)

participants (1)