vantage6 is an open-source infrastructure designed to enable privacy-preserving analysis, allowing data scientists and researchers to perform collaborative analysis without having to share sensitive data. However, until version 4.5.rc3, there existed a security vulnerability within the system that could grant unauthorized access to collaboration task results. This post will provide an in-depth analysis of the issue, discuss the implications of the vulnerability, and share how it was resolved in the updated version of the software.
Original References
- GitHub Repository: https://github.com/IKNL/vantage6
- Vulnerability Patch Commit: https://github.com/IKNL/vantage6/commit/94a03d86b9eb139a9a920f76a7a62e4e98862412
- vantage6 Documentation: https://docs.vantage6.ai/
Exploit Details
The vulnerability, tracked as CVE-2024-32969, arose from the insufficient validation of user permissions by the vantage6 system when organizations were added to a collaboration. Collaboration administrators had the ability to add organizations to their collaboration, which inadvertently allowed them to extend their influence and potentially access sensitive data from other collaborations.
For example, an organization that had been added to a collaboration could create new users for which they knew the passwords. These new users could then read task results of other collaborations involving the same organization, even without proper authorization. The following code snippet demonstrates how this vulnerability could be exploited:
```python
# Assuming client is an authenticated vantage6 client
# and collaboration is the target collaboration object
added_org = client.organization.add({"name": "MaliciousOrg"})
collaboration.add_organization(added_org["id"])
# MaliciousOrg now creates a new user with a known password
new_user = added_org.create_user({"username": "malicious_user", "password": "known_password", "email": "malicious@example.com"})
# MaliciousOrg can now authenticate with the new user
malicious_client = vantage6.Client("malicious_user", "known_password")
# Fetch unauthorized collaboration task results
task_results = malicious_client.collaboration.get_results(collaboration["id"])
```
Although this vulnerability required a user to have relatively high privileges (i.e., managing a collaboration), it still posed a significant risk to the privacy and security of task result data in affected collaborations.
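Operators who ran an affected version can look for the sequence described above in their audit data: an organization is added to a collaboration, a user is created in that organization shortly afterwards, and that user then reads results from a different collaboration. The following sketch is an added example, not vantage6 code; the event schema, field names and 7-day window are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Constructed audit events; this schema is hypothetical, not a vantage6 log format.
EVENTS = [
    {"ts": "2024-03-01T08:00:00", "type": "user_created", "org": 7, "user": "analyst"},
    {"ts": "2024-05-01T09:00:00", "type": "org_added", "org": 7, "collab": 1},
    {"ts": "2024-05-01T09:05:00", "type": "user_created", "org": 7, "user": "svc_new"},
    {"ts": "2024-05-01T09:10:00", "type": "result_read", "user": "svc_new", "collab": 2},
    {"ts": "2024-05-01T09:12:00", "type": "result_read", "user": "svc_new", "collab": 1},
    {"ts": "2024-05-02T10:00:00", "type": "result_read", "user": "analyst", "collab": 2},
]


def flag_suspicious_reads(events, window=timedelta(days=7)):
    """Flag result reads by users created within `window` after their
    organization was added to a collaboration, when the read targets a
    collaboration other than the one the organization had just joined.

    Returns a list of (user, org, joined_collabs, read_collab) tuples.
    """
    org_added = {}   # org id -> [(time added, collaboration id)]
    new_users = {}   # username -> (org id, collaborations the org had just joined)
    findings = []
    # ISO 8601 timestamps in one format sort chronologically as strings.
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "org_added":
            org_added.setdefault(e["org"], []).append((ts, e["collab"]))
        elif e["type"] == "user_created":
            # Only users created after the org was added, and within the window.
            joined = {c for t, c in org_added.get(e["org"], [])
                      if timedelta(0) <= ts - t <= window}
            if joined:
                new_users[e["user"]] = (e["org"], joined)
        elif e["type"] == "result_read" and e["user"] in new_users:
            org, joined = new_users[e["user"]]
            if e["collab"] not in joined:
                findings.append((e["user"], org, sorted(joined), e["collab"]))
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious_reads(EVENTS):
        print(finding)
```

A hit is a lead for review rather than proof of abuse, since legitimate onboarding produces the same sequence; the long-standing `analyst` account in the sample data is not flagged because it predates the organization being added.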
Resolution
The vantage6 development team addressed this issue in version 4.5.rc3 by implementing proper validation checks when adding organizations to collaborations. The patch ensures that only authorized users can manage collaborations, thereby preventing the unauthorized access of task results.
To protect your vantage6 instance from this vulnerability, you should upgrade by executing the following command:
```
pip install vantage6==4.5.rc3
```
Conclusion
CVE-2024-32969 highlighted a major security issue within the vantage6 infrastructure for privacy-preserving analysis. While the impact of this vulnerability was limited to users with high privileges, it demonstrated the importance of thorough access control and permission validation in any collaborative data analysis system.
By sharing this analysis and the details of the vulnerability, we hope to raise awareness among users and developers of similar collaborative data analysis platforms and encourage them to continue working on enhancing security and privacy within their projects.
Timeline
Published on: 05/23/2024 09:15:09 UTC
Last modified on: 06/04/2024 17:50:23 UTC