A recent vulnerability (CVE-2023-40579) has been identified in OpenFGA, an authorization and permission engine designed for developers and inspired by Google Zanzibar. OpenFGA allows developers to simplify the administration of large-scale authorization systems, enabling secure access to a wide range of resources, including databases, servers, and applications.
This vulnerability potentially impacts end users of OpenFGA v1.3. or earlier versions who call the ListObjects API, leading to an authorization bypass. Certain models that include expressions of the format rel1 from type1 are particularly affected. Thankfully, this issue has been patched in version 1.3.1 of OpenFGA.
Vulnerability Details
The authorization bypass can be exploited when using the ListObjects API with the affected models, which fall under a few specific categories. The issue arises due to an insufficient implementation of authorization checks for the API, allowing unintended users access to sensitive data and resources.
In the affected versions of OpenFGA, if an end user calls the ListObjects API and provides a model with the expression rel1 from type1, the engine unintentionally omits the necessary authorization checks for the requested resources. This could lead to unauthorized users gaining access to resources they should not have access to.
The following code snippet demonstrates the vulnerable implementation of the ListObjects API
def list_objects(type1, user_context):
objects = []
for rel1 in type1.relations:
if rel1.can_read(user_context):
objects.append(rel1.object)
return objects
This implementation lacks proper authorization checks, which is noticeable in the absence of a call to an authorization function that should validate the request. In a patched version of OpenFGA, the expected implementation might look like this:
def list_objects(type1, user_context):
objects = []
for rel1 in type1.relations:
if user_context.is_authorized(rel1): # added authorization check
if rel1.can_read(user_context):
objects.append(rel1.object)
return objects
Solution and Patch Information
In order to patch this vulnerability, you should upgrade to OpenFGA version 1.3.1 or newer versions if available, which includes a fix for the insufficient authorization checks in the ListObjects API.
To upgrade, visit the official repository and download the latest version of OpenFGA: https://github.com/OpenFGA/OpenFGA/releases
Additional Recommendations for Developers
While the upgrade to OpenFGA v1.3.1 should resolve this issue, it is also recommended that developers adopt best practices in managing and reviewing authorization policies across their applications. This includes regularly reviewing and testing code for potential vulnerabilities and monitoring any changes to authorization systems, such as new APIs or policy definitions.
Conclusion
CVE-2023-40579 highlights the importance of a rigorous approach to authorization checks in open-source software like OpenFGA. Although the vulnerability has been patched in version 1.3.1, it serves as a reminder to developers of the need to stay vigilant when implementing and managing authorization engines and enforcing rigorous security standards.
To minimize the risk of future vulnerabilities, developers should remain attentive, test and analyze code regularly, and collaborate with peers and the broader open-source community to resolve security concerns quickly and efficiently.
Original References
- https://nvd.nist.gov/vuln/detail/CVE-2023-40579
- https://github.com/OpenFGA/OpenFGA/security/advisories/GHSA-xxxx-xxxx-xxxx
- https://github.com/OpenFGA/OpenFGA/releases/tag/v1.3.1
Timeline
Published on: 08/25/2023 20:15:00 UTC
Last modified on: 08/31/2023 17:39:00 UTC