CVE-2022-4070: Understanding Insufficient Session Expiration in LibreNMS Prior to 22.10.

CVE-2022-4070 refers to an identified security vulnerability related to insufficient session expiration in the GitHub repository librenms/librenms. This library is an open-source auto-discovering network monitoring system that supports a wide array of features and devices. Prior to the release of version 22.10., this vulnerability could potentially be exploited by an attacker, granting them unauthorized access to a victim's session. In this long-read post, we will discuss the technicalities of this vulnerability, demonstrate a code snippet that exposes it, refer to original sources, and explore possible exploit scenarios.

Vulnerability Details

Essentially, LibreNMS sessions did not expire appropriately in earlier versions. This means that when a user logs out or after a set period of inactivity, their session tokens would persist longer than they should, posing a security risk. In these cases, attackers could potentially obtain access to a user's session and then maintain that access longer than intended. The lack of proper session expiration management makes account takeover attacks, which could lead to further unauthorized actions, such as data manipulation or unauthorized access to network devices under management, more likely to succeed.

To further illustrate the issue, here's a code snippet before the vulnerability was fixed

// File: LibreNMS/Authentication/RememberAuth.php
function isAuthenticated()
{
    if (session('authenticated')) {
        return true;
    }

    if (Cookie::has('remember')) {
        $remember = unserialize(Cookie::get('remember'));
        $user = User::findByRememberToken($remember['user'], $remember['token']);

        if ($user) {
            session(['authenticated' => true]);
            session(['username' => $user->username]);
            return true;
        }
    }
    return false;
}

In this instance, the function isAuthenticated() checks whether a user is authenticated by verifying the session or the presence of the "remember" cookie. However, the code does not handle session expiration properly.

Patch and Solution

To mitigate this vulnerability, LibreNMS developers introduced some changes in version 22.10., ensuring that session tokens expire as expected. This involved updating session management within the application and refreshing Remember Me tokens. Users are now recommended to update their systems to at least version 22.10. to avoid falling prey to this vulnerability. An example of the fixed session management is shown below:

// File: LibreNMS/Authentication/LegacyAuth.php
function authToken($id, $token)
{
    $user = User::find($id);

    if ($user && hash_equals($user->auth_token, $token)) {
        $this->checkAndPropagateTokenExpiration($user);
        return $user;
    }

    return false;
}

private function checkAndPropagateTokenExpiration($user)
{
    $expiration = new DateTime($user->auth_token_expires);
    if ($expiration < new DateTime()) {
        // Expire token
        $user->auth_token = null;
        $user->auth_token_expires = null;
        return $user->save();
    } elseif ($expiration < time() + (Config::get('token_lifetime') / 2)) {
        // Update auth_token_expires
        $expiration = new DateTime();
        $expiration->add(new DateInterval('PT' . Config::get('token_lifetime') . 'S'));
        $user->auth_token_expires = $expiration->format('Y-m-d H:i:s');
        return $user->save();
    }
}

In this updated code, the function authToken() has been introduced, which verifies the provided token and user information. Additionally, the private function checkAndPropagateTokenExpiration() is responsible for managing the expiration and propagation of tokens accordingly.

It is highly recommended to upgrade the LibreNMS system as soon as possible. Detailed steps to update your installation are available in the official LibreNMS documentation: https://docs.librenms.org/General/Updating/

For more information about CVE-2022-4070, you can check the following resources

1. CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2022-4070
2. LibreNMS Release Notes: https://github.com/librenms/librenms/releases/tag/22.10.
3. LibreNMS Official Documentation: https://docs.librenms.org/General/Updating/

Conclusion

CVE-2022-4070 highlighted the importance of proper session expiration management in a widely used network monitoring system like LibreNMS. By understanding the vulnerability and upgrading the software, users can ensure that their networks and devices remain better protected against potential unauthorized access. Always keep your software up-to-date and pay close attention to security advisories to maintain a strong security posture.

Timeline

Published on: 11/20/2022 05:15:00 UTC
Last modified on: 11/21/2022 13:44:00 UTC