PBL-06-008 WP3: JWT key confusion leads to authentication bypass (High) (BETA)
As part of the audit of the mobile application, security researcher Johannes Moritz of the Cure53 team found, while reviewing the JWT authentication procedure, that the Passbolt API is prone to a key confusion attack.
Attack vector / exploitation
The attacker can change the algorithm field of the JWT header from RS256 to HS256 and misuse the RSA public key as the HMAC secret key. With knowledge of another user's id, the attacker can issue arbitrary valid tokens and authenticate as other users.
Even though Passbolt only configures the RS256 algorithm, the custom configuration is merged with the default configuration by CakePHP. Therefore, both algorithms are supported.
V3.3.1 enforces the RS256 algorithm in the JWT header. This is done by removing the HS256 algorithm from the JWTAuthenticator instance after the object is initialized.
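The merge behaviour and the post-initialization fix described above, as an added example that is not Passbolt's or CakePHP's code. It models the configuration merge as list concatenation and assumes an HS256 framework default; all function names and the sample tokens are constructed for illustration.

```python
import base64
import json

def merge_config(defaults, custom):
    """Model (assumption) of a merge that appends list values instead of replacing them."""
    merged = dict(defaults)
    for key, value in custom.items():
        if isinstance(value, list) and isinstance(merged.get(key), list):
            merged[key] = merged[key] + [v for v in value if v not in merged[key]]
        else:
            merged[key] = value
    return merged

def pin_algorithms(config, allowed):
    """Post-initialization fix: drop every algorithm outside the allowlist."""
    pinned = dict(config)
    pinned["algorithms"] = [a for a in config["algorithms"] if a in allowed]
    return pinned

def header_alg(token):
    """Return the alg value of a compact JWT header, or None if malformed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        padded = parts[0] + "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # base64, UTF-8 and JSON decode errors all subclass ValueError
        return None
    alg = header.get("alg") if isinstance(header, dict) else None
    return alg if isinstance(alg, str) else None

def accepts(config, token):
    """Gate that must pass before any signature check is attempted."""
    alg = header_alg(token)
    return alg is not None and alg in config["algorithms"]

def sample_token(alg):
    """Constructed token: real header, placeholder payload and signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "typ": "JWT"}), enc({"sub": "placeholder"}), "c2ln"])

DEFAULTS = {"algorithms": ["HS256"]}  # assumed framework default
CUSTOM = {"algorithms": ["RS256"]}    # what the application configured
if __name__ == "__main__":
    merged = merge_config(DEFAULTS, CUSTOM)
    fixed = pin_algorithms(merged, {"RS256"})
    for name, cfg in (("merged", merged), ("pinned", fixed)):
        print(name, cfg["algorithms"], [accepts(cfg, sample_token(a)) for a in ("RS256", "HS256")])
```

A regression test for this class of bug should assert on the authenticator's effective algorithm list after construction, not on the configuration that was passed in.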
The severity of this issue is high. However, it is not rated as critical because the plugin is disabled by default. Moreover, an attacker must know the user id. Additionally, the passwords inside Passbolt are encrypted and therefore cannot be decrypted by the attacker.
If you are currently beta testing the mobile application on your production site, you must patch as soon as possible or disable the JWT Authentication and Mobile plugins.
We will publish a more complete report once the audit period is completed. Furthermore, we reported the issue to the CakePHP team to avoid accidental merging with the JwtAuthenticator default configuration.
- 2021-11-24 10:30 CET: Vulnerability details sent by reporter.
- 2021-11-24 10:30 CET: We acknowledge the issue and start working on a fix.
- 2021-11-24 12:50 CET: A fix is proposed to the reporter.
- 2021-11-24 16:40 PM CET: We publish the fix as part of the v3.3.1 release.
- 2021-11-24 17:00 PM CET: We publish the release notes and this report.