Impact
The security configuration in etc/security/mh_default_org.xml enables a remember-me cookie based on a hash created from the username, password, and an additional system key. Opencast has hard-coded this system key in the large XML file and never mentions to change this, basically ensuring that all systems use the same key:
<sec:remember-me key="opencast" user-service-ref="userDetailsService" />
This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. For example, a remember-me token obtained from develop.opencast.org can be used on stable.opencast.org without actually knowing the log-in credentials.
Such an attack will usually not work on different installations – assuming that safe, unique passwords are used – but it is basically guaranteed to work to get access to all machines of one cluster if a token from one machine is compromised.
Patches
This problem is fixed in Opencast 7.6 and Opencast 8.1
Workarounds
We strongly recommend updating to the patched version. Still, as a workaround for older versions, in etc/security/mh_default_org.xml, set a custom key for each server:
<sec:remember-me key="CUSTOM_RANDOM_KEY" user-service-ref="userDetailsService" />
References
For more information
If you have any questions or comments about this advisory:
Thanks
Thanks to @LukasKalbertodt for reporting the issue.
References
LukasKalbertodt Analyst
Impact
The security configuration in
etc/security/mh_default_org.xmlenables a remember-me cookie based on a hash created from the username, password, and an additional system key. Opencast has hard-coded this system key in the large XML file and never mentions to change this, basically ensuring that all systems use the same key:This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. For example, a remember-me token obtained from develop.opencast.org can be used on stable.opencast.org without actually knowing the log-in credentials.
Such an attack will usually not work on different installations – assuming that safe, unique passwords are used – but it is basically guaranteed to work to get access to all machines of one cluster if a token from one machine is compromised.
Patches
This problem is fixed in Opencast 7.6 and Opencast 8.1
Workarounds
We strongly recommend updating to the patched version. Still, as a workaround for older versions, in
etc/security/mh_default_org.xml, set a custom key for each server:References
For more information
If you have any questions or comments about this advisory:
Thanks
Thanks to @LukasKalbertodt for reporting the issue.
References