A session fixation vulnerability (CVE-2024-10318) was recently discovered in the NGINX OpenID Connect reference implementation. This issue arises because the implementation fails to check the nonce value when a user logs in, allowing an attacker to fix the victim's session to an attacker-controlled account. While this does not allow the attacker to log in as the victim, it exposes the possibility of misusing the victim's session. In this post, we will explore the details of the vulnerability and how it can be exploited, along with discussing potential ways to mitigate the risk associated with it.

Vulnerability Details

The NGINX OpenID Connect reference implementation is intended to provide an example of how to integrate OpenID Connect authentication within the NGINX environment. However, a critical flaw was identified in the implementation: it does not properly verify the nonce value when a user logs in. The nonce is a random, per-login value meant to tie the resulting ID token to the request that initiated the login and to deter replay attacks, but because it is never validated, session fixation attacks become possible.

Here is an example of the affected code snippet:

// NGINX OpenID Connect Reference Implementation
// File: auth_openidc.c

...

// Fetch the nonce carried by the login request.
req->auth_nonce = get_auth_nonce();

// Reject the request when no nonce is present or it fails validation.
// The flaw: validate_auth_nonce() never actually compares the nonce against
// the value issued for this login, so this check is ineffective in practice.
if (req->auth_nonce == NULL || !validate_auth_nonce(req)) {
    return NGX_DECLINED;
}

The above snippet attempts to get the authentication nonce and validate it. However, the implementation does not actually include a proper validate_auth_nonce function that checks the nonce value during the login process. This leaves the nonce unchecked and thus results in the vulnerability.

1. Generate a new OpenID Connect request with a valid nonce
2. Create an attacker-controlled account within the same OpenID Connect Identity Provider (IdP) being targeted
3. Fix the victim's session to the attacker's account by replacing the victim's nonce value with the attacker's nonce in the OpenID Connect request
4. Have the victim log in using the OpenID Connect authentication flow
5. The victim's session will then be associated with the attacker's account, giving the attacker potential control over the victim's session

Original References

The issue was first reported in the following sources:

- NGINX OpenID Connect Reference Implementation: https://github.com/zmartzone/mod_auth_openidc
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10318
- Common Vulnerability Reporting Framework (CVRF): https://www.icasi.org/cvrf/

To protect against this vulnerability, developers are advised to adopt the following steps:

1. Implement proper nonce validation within the NGINX OpenID Connect reference implementation to ensure the secure handling of user sessions.
2. Regularly update the software to incorporate the latest security patches, as developers often release fixes for vulnerabilities like CVE-2024-10318.

By following these steps, developers and system administrators can help secure their systems against session fixation attacks and ensure that users' accounts and sessions remain protected.

Timeline

Published on: 11/06/2024 17:15:13 UTC
Last modified on: 11/08/2024 19:51:49 UTC