EyeDP invalidates the existing session cookie after a user completes the login process, including completion of two-factor authentication using TOTP or U2F. This is done transparently by the Devise and Warden gems, invoked as part of the sign_in function.
However, after a user submits a correct username and password, the existing session cookie is not invalidated before session variables are stored and the two-factor template is rendered:
```ruby
def prompt_for_two_factor(user)
  # Set @user for Devise views
  @user = user
  # The half-authenticated state is written into the session that arrived with
  # the request; the session id is not rotated first (the defect described above)
  session[:otp_user_id] = user.id
  session[:user_password_hash] = Digest::SHA256.hexdigest(user.encrypted_password)
  setup_u2f_authentication(user)
  render 'devise/sessions/two_factor'
end
```
After the user completes the first step of authentication, the session cookie points to a half-authenticated state, where the user only needs to complete the second factor authentication to log in. After completing the second factor, the existing session cookie is invalidated and a new session cookie is generated.
This can lead to a limited-scope partial session fixation attack if an attacker is able to "inject" a session cookie into the user's cookie jar:
- The victim uses a browser whose cookie jar contains a valid EyeDP session cookie, whose value is known to the attacker and which belongs to a non-authenticated session
- The victim logs in to EyeDP by typing username and password
- EyeDP does not invalidate the existing session cookie and stores the victim's login status in that session
- The attacker can use the known session cookie to log in as the victim by completing only the second verification step (2FA), without knowing the username and password
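The following Ruby model is an added example, not EyeDP's code and not the contents of pull 389. It stands in a constructed session store for Rails' cookie-keyed session, runs the password step once the way the advisory describes it (state written into the pre-existing session) and once with the session rotated first (the equivalent of Rails' reset_session, assumed here as the mitigation), and checks whether a session id known before the password step ends up carrying the half-authenticated state.

```ruby
require 'securerandom'
require 'digest'

# Constructed stand-in for a server-side session store keyed by the cookie value.
class SessionStore
  def initialize
    @sessions = {}
  end

  # Create an empty, unauthenticated session and return its id (the cookie value).
  def new_session
    sid = SecureRandom.hex(16)
    @sessions[sid] = {}
    sid
  end

  # Read a session; an unknown or deleted id yields an empty hash.
  def lookup(sid)
    @sessions.fetch(sid, {})
  end

  # Equivalent of reset_session: discard the old id and issue a fresh one.
  def reset(sid)
    @sessions.delete(sid)
    new_session
  end
end

User = Struct.new(:id, :encrypted_password)

# Vulnerable flow, mirroring the advisory: the half-authenticated state is
# written into whatever session the request arrived with, so the cookie value
# the browser already held stays valid.
def prompt_for_two_factor_vulnerable(store, sid, user)
  session = store.lookup(sid)
  session[:otp_user_id] = user.id
  session[:user_password_hash] = Digest::SHA256.hexdigest(user.encrypted_password)
  sid
end

# Hardened flow (assumed mitigation): rotate the session id before storing
# anything tied to the login, so a pre-authentication id an attacker may know
# never points at the half-authenticated state.
def prompt_for_two_factor_hardened(store, sid, user)
  new_sid = store.reset(sid)
  session = store.lookup(new_sid)
  session[:otp_user_id] = user.id
  session[:user_password_hash] = Digest::SHA256.hexdigest(user.encrypted_password)
  new_sid
end

# True when a session id known before the password step now carries the
# half-authenticated marker, i.e. when fixation would succeed.
def fixation_possible?(store, known_sid)
  !store.lookup(known_sid)[:otp_user_id].nil?
end

# Run one of the two flows against a constructed pre-authentication session and
# report whether that session id is still usable and whether the cookie rotated.
def run_scenario(flow)
  store = SessionStore.new
  fixed_sid = store.new_session # constructed: id present in the cookie jar before login
  victim = User.new(42, '$2a$12$constructed-bcrypt-digest')
  new_sid = send(flow, store, fixed_sid, victim)
  {
    fixed_sid_usable: fixation_possible?(store, fixed_sid),
    cookie_rotated: new_sid != fixed_sid
  }
end

if __FILE__ == $PROGRAM_NAME
  p run_scenario(:prompt_for_two_factor_vulnerable) # fixed id still usable, not rotated
  p run_scenario(:prompt_for_two_factor_hardened)   # fixed id dead, cookie rotated
end
```

The check to keep in a test suite is the second one: after the password step, the cookie value the browser sent must no longer resolve to a session containing otp_user_id. Rotating only at the end of the second factor, as the unpatched flow does, leaves the window the advisory describes.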
Impact
An attacker may leverage the half-authenticated state to complete authentication with only knowledge of the victim's second factor. However, the impact is limited due to the restrictive conditions that must occur for the attack to be successful and due to the need for the attacker to know the second authentication factor.
Patches
This issue is resolved in pull 389. Users should upgrade to the latest commit on main or to a 1.0.0 or later release.
Workarounds
None
For more information
If you have any questions or comments about this advisory: