Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-875x-g8p7-5w27

Опубликовано: 15 июл. 2024
Источник: github
Github: Прошло ревью
CVSS4: 6.9
CVSS3: 5.3

Описание

The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames

Summary

The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no username was found.

Details

When WebAuthn is used as the first or only authentication method, an attacker can enumerate usernames based on the absence of the allowedCredentials property in the assertion options response. This allows enumeration of valid or invalid usernames.

Proposal how to resolve it:

return $this->publicKeyCredentialRequestOptionsFactory->create( $this->profile, count($allowedCredentials) <= 0 ? self::getRandomCredentials(): $allowedCredentials, $optionsRequest->userVerification, $extensions ); private static function getRandomCredentials(): array { $credentialSources = []; for ($i = 0; $i <= rand(0,1); $i++) { $credentialSources[] = new PublicKeyCredentialSource( random_bytes(32), "public-key", [], "basic", new EmptyTrustPath(), Uuid::v7(), random_bytes(77), Uuid::v7()->__toString(), rand(0, 6000), null ); } return array_map( static fn (PublicKeyCredentialSource $credential): PublicKeyCredentialDescriptor => $credential->getPublicKeyCredentialDescriptor(), $credentialSources ); }

PoC

curl https://example.com/assertion/options
-H 'content-type: application/json'
--data-raw '{"username":"NotMeRandomUsername123"}'

Impact

By knowing which usernames are valid, attackers can focus their efforts on a smaller set of potential targets, increasing the efficiency and likelihood of successful attacks.

Ссылки

Пакеты

Наименование

web-auth/webauthn-lib

composer
Затронутые версииВерсия исправления

>= 4.5.0, < 4.9.0

4.9.0

Наименование

web-auth/webauthn-framework

composer
Затронутые версииВерсия исправления

>= 4.5.0, < 4.9.0

4.9.0

EPSS

Процентиль: 45%
0.00228
Низкий

6.9 Medium

CVSS4

5.3 Medium

CVSS3

CVE ID

CVE-2024-39912

Дефекты

CWE-204

Связанные уязвимости

nvd логотип

CVE-2024-39912

CVSS3: 5.3
nvd
больше 1 года назад

web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no username was found. When WebAuthn is used as the first or only authentication method, an attacker can enumerate usernames based on the absence of the `allowedCredentials` property in the assertion options response. This allows enumeration of valid or invalid usernames. By knowing which usernames are valid, attackers can focus their efforts on a smaller set of potential targets, increasing the efficiency and likelihood of successful attacks. This issue has been addressed in version 4.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

fstec логотип

BDU:2024-06319

CVSS3: 5.3
fstec
больше 1 года назад

Уязвимость метода ProfileBasedRequestOptionsBuilder библиотеки аутентификации в веб-приложениях webauthn-lib, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

EPSS

Процентиль: 45%
0.00228
Низкий

6.9 Medium

CVSS4

5.3 Medium

CVSS3

CVE ID

CVE-2024-39912

Дефекты

CWE-204