SecureAuth security advisory – Machine Key Randomization
Last Updated: February 15, 2021
Summary
The Machine Keys used by the administrative interface (SecureAuth0) and the API were not randomized between installations. Because these keys are used to create and validate session cookies and API tokens, a cookie or token issued by one Identity Platform installation could be accepted by another, potentially giving unauthorized access to other Identity Platform installations.
Criticality
Metric | Value |
---|---|
CVSS3 Score | 9.0 |
Criticality | HIGH |
Vector String | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
Description
Machine Keys are utilized by the Identity Platform (IdP) to create unique session cookies and API tokens.
When an IdP is initially set up, the system needs to communicate with the backend cloud services to register the license key and perform other installation registrations. This requires a common set of Machine Keys, shared by every new installation, in order to register with the cloud services. After the initial registration, the IdP should generate new Machine Keys so that its keys are unique to that installation. This regeneration was not automatically performed for the administrative realm (SecureAuth0) or for API tokens, so those components kept the common set of keys.
The Machine Keys are also used to create and validate authentication session cookies. A cookie is only bound to an installation by the keys that produced it: if two IdP installations share the same Machine Keys, a session cookie issued by one is cryptographically valid on the other, so the cookie's scope can be changed to a different IdP installation and it is still accepted there.
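The following added example (not code from the advisory or from SecureAuth) models the failure described above. It assumes the Machine Keys act as the MAC key over a forms-authentication-style session cookie, which is a simplification of the real ticket format; the host names, realm name, ticket layout and the bootstrap key value are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Tuple

# Constructed stand-in for the common key every installation starts with
# (the real value is not published); two installs holding it are interchangeable.
SHARED_BOOTSTRAP_KEY = bytes.fromhex("0f1e2d3c" * 16)


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


class IdpInstallation:
    """One IdP install. Only the Machine Key's MAC role is modelled: a cookie is a
    ticket plus an HMAC-SHA256 under this install's validation key."""

    def __init__(self, host: str, validation_key: bytes):
        self.host = host
        self.validation_key = validation_key

    def regenerate_keys(self) -> None:
        """Equivalent of the workaround's 'Generate New Keys': a fresh random key
        that no other installation holds."""
        self.validation_key = os.urandom(64)

    def issue_cookie(self, user: str, realm: str, ttl: int = 3600,
                     now: Optional[float] = None) -> str:
        ticket = {
            "user": user,
            "realm": realm,          # e.g. the SecureAuth0 admin realm
            "issuer": self.host,
            "exp": int((now or time.time()) + ttl),
        }
        body = _b64e(json.dumps(ticket, sort_keys=True).encode())
        mac = hmac.new(self.validation_key, body, hashlib.sha256).digest()
        return (body + b"." + _b64e(mac)).decode()

    def validate_cookie(self, cookie: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the ticket if the MAC verifies under THIS install's key and the
        ticket is unexpired, else None. Nothing compares ticket['issuer'] with
        self.host: the key is the only thing binding the cookie to an install."""
        parts = cookie.encode().split(b".")
        if len(parts) != 2:
            return None
        body, mac_enc = parts
        try:
            presented = _b64d(mac_enc)
            expected = hmac.new(self.validation_key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, presented):
                return None
            ticket = json.loads(_b64d(body))
        except (ValueError, UnicodeDecodeError):
            return None
        if ticket["exp"] < (now or time.time()):
            return None
        return ticket


def cross_installation_reuse() -> Tuple[bool, bool, bool]:
    """Attacker's install A and victim's install B both kept the bootstrap key.
    Returns (accepted_before_regen, rejected_after_regen, still_valid_on_issuer)."""
    a = IdpInstallation("idp-a.example.com", SHARED_BOOTSTRAP_KEY)
    b = IdpInstallation("idp-b.example.com", SHARED_BOOTSTRAP_KEY)
    # Mint an admin-realm session on the attacker-controlled install ...
    cookie = a.issue_cookie("attacker", "SecureAuth0")
    # ... and present it to the victim: same key, so the MAC verifies there too.
    accepted_before = b.validate_cookie(cookie) is not None
    # Victim regenerates its Machine Keys (the workaround); the same cookie now fails.
    b.regenerate_keys()
    rejected_after = b.validate_cookie(cookie) is None
    # The issuer's own sessions are unaffected by another install regenerating.
    still_valid_on_issuer = a.validate_cookie(cookie) is not None
    return accepted_before, rejected_after, still_valid_on_issuer


if __name__ == "__main__":
    print(cross_installation_reuse())
```

The point of the model is the last function: the attacker never needs the victim's cookie, only a cookie minted under the same key, which any installation that skipped regeneration can produce for any user and realm it likes.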
Impact
Unauthorized access to the administrative interface (SecureAuth0), which could allow an attacker to create new realms, modify multi-factor authentication requirements, and make other administrative changes.
Affected Products
All Identity Platform (IdP) versions 8.x and greater (8.x, 9.x, 19.07, and 20.06)
Workaround and Solution
Workaround
Customers can regenerate the Machine Keys manually. Because the goal is keys that are unique to each installation, perform these steps on every affected installation:
Log on to SecureAuth0.
For versions 9.3 or later that use the New Experience, go to the top right corner of the UI and from the Admin list, select Go to Classic Experience.
Select the Admin Realm tab.
Choose the SecureAuth0 realm and select the Post Authentication tab.
In the Forms Auth/SSO Token section, click the View and Configure FormsAuth keys/SSO token link.
In the Machine Key section, click Generate New Keys.
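The steps above regenerate keys through the UI but give no way to confirm which installations still share a key set. The following added audit script (not from the advisory or from SecureAuth) assumes each realm is an ASP.NET application whose keys live in a web.config machineKey element, with the validationKey and decryptionKey attributes; the file locations, installation names and key values below are constructed placeholders, and the caller is expected to supply the real file contents.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed web.config fragments, one per realm per installation.
# Key values are placeholders, not real SecureAuth defaults.
WEB_CONFIGS: Dict[str, str] = {
    "idp-a/SecureAuth0": """<configuration><system.web>
        <machineKey validationKey="AAAA1111" decryptionKey="BBBB2222"
                    validation="HMACSHA256" decryption="AES"/>
      </system.web></configuration>""",
    "idp-b/SecureAuth0": """<configuration><system.web>
        <machineKey validationKey="AAAA1111" decryptionKey="BBBB2222"
                    validation="HMACSHA256" decryption="AES"/>
      </system.web></configuration>""",
    "idp-b/SecureAuth1": """<configuration><system.web>
        <machineKey validationKey="CCCC3333" decryptionKey="DDDD4444"
                    validation="HMACSHA256" decryption="AES"/>
      </system.web></configuration>""",
    "idp-c/SecureAuth0": """<configuration><system.web>
        <machineKey validationKey="AutoGenerate,IsolateApps"
                    decryptionKey="AutoGenerate,IsolateApps"/>
      </system.web></configuration>""",
}


def extract_machine_keys(xml_text: str) -> Optional[Tuple[Optional[str], Optional[str]]]:
    """Return (validationKey, decryptionKey) from the first machineKey element,
    or None when the config has no explicit machineKey at all."""
    root = ET.fromstring(xml_text)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return None
    return mk.get("validationKey"), mk.get("decryptionKey")


def find_shared_machine_keys(configs: Dict[str, str]) -> Dict[Tuple[str, str], List[str]]:
    """Group realms by their explicit key pair and return every pair that appears in
    more than one installation (the part of the name before '/'), which is exactly
    the condition that lets a cookie from one install validate on another."""
    owners: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for name, xml_text in configs.items():
        keys = extract_machine_keys(xml_text)
        if keys is None or any(k is None or k.startswith("AutoGenerate") for k in keys):
            continue  # auto-generated per-app keys cannot be shared; nothing to compare
        owners[keys].append(name)
    shared = {}
    for keys, names in owners.items():
        installs = {n.split("/", 1)[0] for n in names}
        if len(installs) > 1:
            shared[keys] = sorted(names)
    return shared


if __name__ == "__main__":
    for keys, names in find_shared_machine_keys(WEB_CONFIGS).items():
        print("shared keys on:", ", ".join(names))
```

Any group the script reports is a set of installations on which the UI steps above still need to be run; a realm whose keys are shared only with other realms of the same installation is not reported, since the advisory concerns cross-installation reuse.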
Solution
Apply Hot Fix Executable version 1.2.0.4; contact Customer Support for the download link.
References
Vulnerability References
CVSS3 Scoring Calculator: https://www.first.org/cvss/calculator/3.1
CVSS3 Guide: https://www.first.org/cvss/v3.1/user-guide
SecureAuth Product Security Public Policies
See Hotfixes or Resolved Issues for your product release.
Customer Support Portal: https://support.secureauth.com/
About the SecureAuth Support Portal
Acknowledgement and Credit
This vulnerability was discovered internally and is not known to have been exploited in the wild.
Version | Date | Author | Comments |
---|---|---|---|
1.0 | February 15, 2021 | SecureAuth Security Team | Initial Draft |