SecureAuth security advisory – Machine Key Randomization

Last Updated: February 15, 2021

Summary

The Machine Keys used by the administrative interface (the SecureAuth0 realm) and by the API were not randomized per installation, so several Identity Platform installations shared the same keys. Because the keys sign session cookies and API tokens, a cookie or token issued by one installation could potentially be accepted by another, giving unauthorized access to other Identity Platforms.

Criticality

  CVSS3 Score:    9.0
  Criticality:    HIGH (vendor rating; note that 9.0 falls in the Critical band, 9.0 to 10.0, of the CVSS v3.1 qualitative scale)
  Vector String:  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

Machine Keys are used by the Identity Platform (IdP) to sign and protect session cookies and API tokens. A cookie or token is only accepted by an installation whose Machine Keys match the ones used to create it, so per-installation uniqueness of the keys is what keeps one installation from honoring another's credentials.

When an IdP is first set up, it must communicate with the backend cloud services to register the license key and complete other installation registrations. That registration step requires a common set of Machine Keys shared with the cloud services. After the initial registration, the IdP should generate new Machine Keys so that it no longer shares them with any other IdP installation. This regeneration was not performed automatically for the administrative realm or for API tokens, so those keys remained the common registration keys.

The same Machine Keys are also used when authentication session cookies are created. If two IdP installations hold identical Machine Keys, a session cookie issued by one installation carries a signature the other installation will accept; an attacker with a session on one installation can therefore modify the scope of that cookie so that it is treated as valid by a different installation.
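The following is an added example, not SecureAuth code and not taken from this advisory. It models the mechanism described above in two parts: a signed session cookie minted on one installation is accepted by a second installation that holds the same Machine Keys and rejected by one that has regenerated them, and a fingerprint check reports which of several installations share identical keys. It assumes that the cookie is a base64 payload plus an HMAC-SHA256 tag under the validation key and that the keys are stored as an ASP.NET-style <machineKey> element in web.config; the advisory states neither, and every key value below is a constructed placeholder.

```python
"""
Added example (not SecureAuth code). Models why installations that share
Machine Keys accept each other's session cookies, and provides a check that
fingerprints the <machineKey> element of several installations and reports
any that are identical.

Assumptions not stated in the advisory: the session cookie is modelled as a
base64 payload plus an HMAC-SHA256 tag computed under the validation key, and
the keys are stored as an ASP.NET-style <machineKey> element in web.config.
All key values below are constructed placeholders, not real SecureAuth keys.
"""
import base64
import hashlib
import hmac
import json
import secrets
import xml.etree.ElementTree as ET

WEB_CONFIG_TEMPLATE = (
    '<configuration><system.web>'
    '<machineKey validationKey="{v}" decryptionKey="{d}" '
    'validation="HMACSHA256" decryption="AES"/>'
    '</system.web></configuration>'
)

# Constructed keys standing in for the common registration keys that were
# never regenerated. Placeholders only.
SHARED_VALIDATION_KEY = "0123456789abcdef" * 8   # 64 bytes of key material
SHARED_DECRYPTION_KEY = "fedcba9876543210" * 4   # 32 bytes of key material

def fresh_keys():
    """Per-installation keys, as the Generate New Keys workaround would produce."""
    return secrets.token_hex(64), secrets.token_hex(32)

_c_v, _c_d = fresh_keys()
# Constructed sample: idp-a and idp-b never regenerated; idp-c did.
SAMPLE_CONFIGS = {
    "idp-a": WEB_CONFIG_TEMPLATE.format(v=SHARED_VALIDATION_KEY, d=SHARED_DECRYPTION_KEY),
    "idp-b": WEB_CONFIG_TEMPLATE.format(v=SHARED_VALIDATION_KEY, d=SHARED_DECRYPTION_KEY),
    "idp-c": WEB_CONFIG_TEMPLATE.format(v=_c_v, d=_c_d),
}

def machine_key(web_config_xml):
    """Return (validationKey, decryptionKey) from a web.config string."""
    mk = ET.fromstring(web_config_xml).find(".//machineKey")
    if mk is None:
        raise ValueError("no <machineKey> element found")
    return mk.get("validationKey", ""), mk.get("decryptionKey", "")

def mint_cookie(validation_key_hex, claims):
    """Issue a signed session cookie: base64(JSON claims) + '.' + HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(bytes.fromhex(validation_key_hex), body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_cookie(validation_key_hex, cookie):
    """Return the claims if the tag verifies under this installation's key, else None."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(bytes.fromhex(validation_key_hex), body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def cookie_accepted_across(configs, issuer, target):
    """Mint an admin cookie on `issuer` and report whether `target` accepts it."""
    claims = {"user": "admin", "realm": "SecureAuth0", "issued_by": issuer}
    cookie = mint_cookie(machine_key(configs[issuer])[0], claims)
    return verify_cookie(machine_key(configs[target])[0], cookie) is not None

def key_fingerprint(web_config_xml):
    """Short SHA-256 fingerprint of the key pair; comparable without revealing the keys."""
    v, d = machine_key(web_config_xml)
    return hashlib.sha256(f"{v}|{d}".encode()).hexdigest()[:16]

def find_shared_keys(configs):
    """Map fingerprint -> installations sharing it; only groups of two or more."""
    groups = {}
    for name, xml in configs.items():
        groups.setdefault(key_fingerprint(xml), []).append(name)
    return {fp: names for fp, names in groups.items() if len(names) > 1}

if __name__ == "__main__":
    print("installations sharing keys:", find_shared_keys(SAMPLE_CONFIGS))
    print("idp-a cookie accepted by idp-b:", cookie_accepted_across(SAMPLE_CONFIGS, "idp-a", "idp-b"))
    print("idp-a cookie accepted by idp-c:", cookie_accepted_across(SAMPLE_CONFIGS, "idp-a", "idp-c"))
```

Comparing fingerprints rather than raw key values lets the check be run across installations, or handed to a third party, without copying the key material itself; any fingerprint that appears more than once marks installations still holding the common keys.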

Impact

Unauthorized access to the administrative interface (the SecureAuth0 realm), which could allow an attacker to create new realms, modify multi-factor authentication requirements, and make other administrative changes.

Affected Products

All Identity Platform (IdP) versions 8.x and greater (8.x, 9.x, 19.07, and 20.06)

Workaround and Solution

Workaround

Customers can regenerate the Machine Keys manually on each installation. Cookies and tokens issued under the old keys will no longer validate once the keys change, so expect administrators and API clients to re-authenticate after the regeneration.

  1. Log on to SecureAuth0.

  2. For versions 9.3 or later that use the New Experience, go to the top right corner of the UI and from the Admin list, select Go to Classic Experience.

  3. Select the Admin Realm tab.

  4. Choose the SecureAuth0 realm and select the Post Authentication tab.

  5. In the Forms Auth/SSO Token section, click the View and Configure FormsAuth keys/SSO token link.

  6. In the Machine Key section, click Generate New Keys.

Solution

Apply Hot Fix Executable version 1.2.0.4; contact Customer Support for the download link.

References

Vulnerability References

SecureAuth Product Security Public Policies

Acknowledgement and Credit

This vulnerability was discovered internally and is not known to have been exploited in the wild.

Revision History

  Version  Date               Author                    Comments
  1.0      February 15, 2021  SecureAuth Security Team  Initial Draft