tgstation-server cached user logins in legacy server

High severity GitHub Reviewed Published Jun 8, 2023 in tgstation/tgstation-server • Updated Jun 12, 2023

Package

TGServiceInterface (NuGet)

Affected versions

>= 3.2.1.0, <= 3.2.4.0

Patched versions

3.2.5.0

Description

Please note this advisory is for a historical preexisting issue in the legacy server from 2018. It has long since been triaged. It is being moved here for visibility. The text below is copied from the original issue #690.

You can log in to the server with any username/password combination if someone else is logged in.

An explanation of the bug: Back in 3.2.1.0, in order to accommodate running the Control Panel using Mono, some hooks were added to the WCF communication layer. This is detailed in this commit: tgstation/tgstation-server@2894ea0#diff-0ba090ea7073a3a304dfdbdfc512f733

The bug was in this line: tgstation/tgstation-server@2894ea0#diff-0ba090ea7073a3a304dfdbdfc512f733R48

authPolicy is passed in by the framework, but there is virtually no documentation of what the parameter is: https://docs.microsoft.com/en-us/dotnet/api/system.servicemodel.serviceauthenticationmanager.authenticate?view=netframework-4.7.2#System_ServiceModel_ServiceAuthenticationManager_Authenticate_System_Collections_ObjectModel_ReadOnlyCollection_System_IdentityModel_Policy_IAuthorizationPolicy__System_Uri_System_ServiceModel_Channels_Message__

Turns out it is a cache of what the previously returned policy was, as Floyd thankfully found out for us. The security patch fixes the issue by creating a new empty list as the return value when password authentication fails, as opposed to using the authPolicy parameter.

If you're wondering why this line: tgstation/tgstation-server@2894ea0#diff-0ba090ea7073a3a304dfdbdfc512f733R42 didn't prevent the issue: it only invalidated the actual Windows login session, but in the eyes of the server the user was still valid, since we just passed that closed handle as a return result. Had access to static files been attempted with a bad login, the request would have ended up erroring due to trying to impersonate using a closed user token handle.

This has been fixed in 1812a9c6793c8516c138a105ccfb2108164f0eff and versions 3.2.5.0+.
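
The return-value bug described above, as an added sketch that is not the project's code. It models the Authenticate hook with strings in place of IAuthorizationPolicy; the delegate, PasswordOk, the sample credentials and the caching loop are assumptions made for illustration, following the advisory's statement that authPolicy holds the previously returned policy.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;

// Stand-in for the hook's shape (assumption): the framework supplies authPolicy,
// the hook returns the policy list to attach to the caller.
delegate ReadOnlyCollection<string> Authenticate(
    ReadOnlyCollection<string> authPolicy, string user, string password);

static class Demo
{
    // Hypothetical credential check with constructed sample values.
    static bool PasswordOk(string user, string password) =>
        user == "admin" && password == "constructed-sample-password";

    // Vulnerable pattern: a failed login hands the framework's list straight back.
    static ReadOnlyCollection<string> Vulnerable(
        ReadOnlyCollection<string> authPolicy, string user, string password) =>
        PasswordOk(user, password)
            ? new List<string> { "identity:" + user }.AsReadOnly()
            : authPolicy;

    // Patched pattern: a failed login returns a new empty list.
    static ReadOnlyCollection<string> Fixed(
        ReadOnlyCollection<string> authPolicy, string user, string password) =>
        PasswordOk(user, password)
            ? new List<string> { "identity:" + user }.AsReadOnly()
            : new List<string>().AsReadOnly();

    // Models the caching the advisory describes: each call receives whatever
    // the previous call returned. Returns the policies left after a bad login.
    static int PoliciesAfterBadLogin(Authenticate auth)
    {
        var cached = new List<string>().AsReadOnly();
        cached = auth(cached, "admin", "constructed-sample-password"); // valid login
        cached = auth(cached, "anyone", "wrong-password");             // bad login
        return cached.Count;
    }

    static void Main()
    {
        Console.WriteLine("vulnerable: policies after bad login = "
            + PoliciesAfterBadLogin(Vulnerable));
        Console.WriteLine("fixed:      policies after bad login = "
            + PoliciesAfterBadLogin(Fixed));
    }
}
```

A regression test for this class of bug needs the same ordering: a successful authentication first, then a failed one, asserting that the failed call yields no policies.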

References

Cyberboss published to tgstation/tgstation-server Jun 8, 2023
Published to the GitHub Advisory Database Jun 12, 2023
Reviewed Jun 12, 2023
Last updated Jun 12, 2023

Severity

High

CVSS v3 base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS score

0.205%
(59th percentile)

Weaknesses

No CWEs

CVE ID

CVE-2018-17107

GHSA ID

GHSA-42r6-p4px-qvv6
