GHSA-p3w6-jcg4-52xh
Vulnerability from github
Published
2019-07-02 15:43
Modified
2024-09-16 21:58
Severity ?
9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Improper Verification of Cryptographic Signature in django-rest-registration
Details

Misusing the Django Signer API leads to predictable signatures used in verification emails

Impact

The vulnerability is a high severity one. Anyone using Django REST Registration library versions 0.2.* - 0.4.* with e-mail verification option (which is recommended, but needs additional configuration) is affected. In the worst case, the attacker can take over any Django user by resetting his/her password without even receiving the reset password verification link, just by guessing the signature from publicly available data (more detailed description below).

Patches

The problem has been patched in version 0.5.0. All library users should upgrade to version 0.5.0 or higher. The fix will invalidate all previously generated signatures , and in consequence, all verification links in previously sent verification e-mails. Therefore semi-major version 0.5.0 was released instead of version 0.4.6 to mark that incompatibility.

Workarounds

The easiest way way is to disable the verification options by using something like the minimal configuration described here. This will unfortunately disable checking whether the given e-mail is valid and make unable to users who registered an account but didn't verify it before config change.

Less harsh way is to temporarily disable just the the reset password functionality:

python REST_REGISTRATION = { # ... 'RESET_PASSWORD_VERIFICATION_ENABLED': False, # ... } Which should disallow the worst case, which is account takeover by an attacker. The attacker can still use the register-email endpoint to change the email to its own (but it is less critical than resetting the password in this case).

If one already set 'RESET_PASSWORD_VERIFICATION_ONE_TIME_USE' setting key to True in REST_REGISTRATION Django setting (which is not the default setting) then it should mitigate the security issue in case of password reset (in this case, the signature is much harder to guess by the attacker). But even in this case upgrade to newest version is highly recommended.

Technical description

After the code was refactored to use the official Signer class the salt was passed wrongly as secret key, replacing the SECRET_KEY set in Django settings file. This leads to the Django SECRET_KEY not being used by the signer object. The secret key of the signer ends to be the salt which in most cases is a static string which is publicly available.

In consequence this allows, with verification enabled, to guess the signature contained in the verification link (which is sent in a verification e-mail) by a potential attacker very easily.

The bug went unnoticed for very long time so multiple versions are affected: this bug affects versions 0.2.*, 0.3.*, 0.4.*; version 0.1.* is not affected.

Recently released version 0.5.0 contains the fix which correctly passes the salt to the Signer constructor as keyword argument instead as a positonal argument. It also contains additonal test so this problem should not reappear in the future.

Thanks

I'd like to thank @peterthomassen from https://desec.io DNS security project for finding the bug. I'd like also to thank his employer, SSE (https://www.securesystems.de) for funding his work.

For more information

If you have any questions or comments about this advisory: * Open an issue in GitHub issues project page * Email @apragacz, author of the library

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django-rest-registration"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.0"
            },
            {
              "fixed": "0.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-13177"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:47:52Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Misusing the Django Signer API leads to predictable signatures used in verification emails\n\n### Impact\nThe vulnerability is a high severity one. Anyone using Django REST Registration library versions `0.2.*` - `0.4.*` with e-mail verification option (which is recommended, but needs [additional configuration](https://django-rest-registration.readthedocs.io/en/latest/quickstart.html#preferred-configuration)) is affected.\nIn the worst case, the attacker can take over any Django user by resetting his/her password without even receiving the reset password verification link, just by guessing the signature from publicly available data (more detailed description below).\n\n### Patches\nThe problem has been patched in version `0.5.0`. All library users should upgrade to version `0.5.0` or higher.\nThe fix will invalidate all previously generated signatures , and in consequence, all verification links in previously sent verification e-mails. Therefore semi-major version `0.5.0` was released instead of version `0.4.6` to mark that incompatibility.\n\n### Workarounds\nThe easiest way way is to disable the verification options by using something like the minimal configuration described [here](https://django-rest-registration.readthedocs.io/en/latest/quickstart.html#minimal-configuration). This will unfortunately disable checking whether the given e-mail is valid and make unable to users who registered an account but didn\u0027t verify it before config change.\n\nLess harsh way is to temporarily disable just the the reset password functionality:\n\n```python\nREST_REGISTRATION = {\n    # ...\n    \u0027RESET_PASSWORD_VERIFICATION_ENABLED\u0027: False,\n    # ...\n}\n```\nWhich should disallow the worst case, which is account takeover by an attacker. The attacker can still use the register-email endpoint to change the email to its own (but it is less critical than resetting the password in this case).\n\nIf one already set `\u0027RESET_PASSWORD_VERIFICATION_ONE_TIME_USE\u0027` setting key to `True` in `REST_REGISTRATION` Django setting (which is not the default setting) then it should mitigate the security issue in case of password reset (in this case, the signature is much harder to guess by the attacker). But even in this case upgrade to newest version is highly recommended.\n\n### Technical description\nAfter the code [was refactored](https://github.com/apragacz/django-rest-registration/commit/b6d921e9decc9bb36a4c6d58bc607471aa824a2e) to use the [official Signer class](https://docs.djangoproject.com/en/dev/topics/signing/) the salt\nwas passed wrongly as secret key, replacing the `SECRET_KEY` set in\nDjango settings file. This leads to the Django `SECRET_KEY` not being used by the signer object. The secret key of the signer ends to be the salt which in most cases is a static string which is publicly available.\n\nIn consequence this allows, with verification enabled, to guess\nthe signature contained in the verification link (which is sent in a verification e-mail) by a potential attacker very easily.\n\nThe bug went unnoticed for very long time so multiple versions are affected:\nthis bug affects versions `0.2.*`, `0.3.*`, `0.4.*`; version `0.1.*` is not affected.\n\nRecently released version `0.5.0` contains the [fix](https://github.com/apragacz/django-rest-registration/commit/26d094fab65ea8c2694fdfb6a3ab95a7808b62d5) which correctly passes the salt to the Signer constructor as keyword argument instead as a positonal argument. It also contains additonal test so this problem should not reappear in the future.\n\n### Thanks\nI\u0027d like to thank @peterthomassen from https://desec.io DNS security project for finding the bug. I\u0027d like also to thank his employer, SSE (https://www.securesystems.de) for funding his work.\n\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [GitHub issues project page](https://github.com/apragacz/django-rest-registration/issues)\n* Email @apragacz, author of the library ",
  "id": "GHSA-p3w6-jcg4-52xh",
  "modified": "2024-09-16T21:58:34Z",
  "published": "2019-07-02T15:43:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13177"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apragacz/django-rest-registration/commit/26d094fab65ea8c2694fdfb6a3ab95a7808b62d5"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-p3w6-jcg4-52xh"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apragacz/django-rest-registration"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-rest-registration/PYSEC-2019-20.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper Verification of Cryptographic Signature in django-rest-registration"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.