CWE
613 285
Advisory Published
Updated

CVE-2021-41100: Account takeover when having only access to a user's short lived token in wire-server

First published: Mon Oct 04 2021(Updated: )

Wire-server is the backing server for the open source wire secure messaging application. In affected versions it is possible to trigger email address change of a user with only the short-lived session token in the `Authorization` header. As the short-lived token is only meant as means of authentication by the client for less critical requests to the backend, the ability to change the email address with a short-lived token constitutes a privilege escalation attack. Since the attacker can change the password after setting the email address to one that they control, changing the email address can result in an account takeover by the attacker. Short-lived tokens can be requested from the backend by Wire clients using the long lived tokens, after which the long lived tokens can be stored securely, for example on the devices key chain. The short lived tokens can then be used to authenticate the client towards the backend for frequently performed actions such as sending and receiving messages. While short-lived tokens should not be available to an attacker per-se, they are used more often and in the shape of an HTTP header, increasing the risk of exposure to an attacker relative to the long-lived tokens, which are stored and transmitted in cookies. If you are running an on-prem instance and provision all users with SCIM, you are not affected by this issue (changing email is blocked for SCIM users). SAML single-sign-on is unaffected by this issue, and behaves identically before and after this update. The reason is that the email address used as SAML NameID is stored in a different location in the databse from the one used to contact the user outside wire. Version 2021-08-16 and later provide a new end-point that requires both the long-lived client cookie and `Authorization` header. The old end-point has been removed. If you are running an on-prem instance with at least some of the users invited or provisioned via SAML SSO and you cannot update then you can block `/self/email` on nginz (or in any other proxies or firewalls you may have set up). You don't need to discriminate by verb: `/self/email` only accepts `PUT` and `DELETE`, and `DELETE` is almost never used.

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Wire Wire-server<2021-08-16

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Frequently Asked Questions

  • What is the severity of CVE-2021-41100?

    The severity of CVE-2021-41100 is critical.

  • What is the affected software of CVE-2021-41100?

    The affected software of CVE-2021-41100 is Wire-server.

  • How can CVE-2021-41100 be exploited?

    CVE-2021-41100 can be exploited by using the short-lived session token in the `Authorization` header to trigger an email address change of a user.

  • Is there a fix available for CVE-2021-41100?

    Yes, a fix is available for CVE-2021-41100. It is recommended to update to a version released after August 16, 2021.

  • Where can I find more information about CVE-2021-41100?

    More information about CVE-2021-41100 can be found at this link: [https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m](https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m)

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203