
DoS when using `OIDCSessionType client-cookie` and manipulating cookies

Moderate
zandbelt published GHSA-hxr6-w4gc-7vvv Feb 13, 2024

Package

mod_auth_openidc

Affected versions

>= 2.0.0 <= 2.4.15.1

Patched versions

>= 2.4.15.2

Description

Summary

Missing input validation on the mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a DoS attack.

Details

We have carried out an internal security audit of our application that uses mod_auth_openidc, and the reviewers found that if they manipulated the value of the mod_auth_openidc_session_chunks cookie and set it to a very large integer, let's say 99999999, the server struggles with the request for a long time and finally responds with a 500 error. Making a few requests of this kind caused our server to become unresponsive.

Having the ability to configure a max value for mod_auth_openidc_session_chunks would mitigate this issue.

Is there a way to do this?

PoC

Setting up the apache server

We have set the following settings, which might be relevant:
OIDCSessionType client-cookie:store_id_token
OIDCStripCookies mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1 mod_auth_openidc_session_2 mod_auth_openidc_session_3 mod_auth_openidc_session_4 mod_auth_openidc_session_5 mod_auth_openidc_session_6 mod_auth_openidc_session_7 mod_auth_openidc_session_8 mod_auth_openidc_session_9

The variable "OIDCSessionCookieChunkSize" is unset (using the default value 4000, I think).

Making the DoS

  1. Open the application URL in the browser
  2. Sign in using correct credentials
  3. While using the application in signed-in mode, open Chrome DevTools, modify the content of the cookie mod_auth_openidc_session_chunks and set it to 99999999
  4. Refresh the page
  5. Apache + mod_auth_openidc will take some time, then return a 500
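The following is an added example, not code from mod_auth_openidc itself. It shows the fix the summary calls for: a chunked client-cookie session is reassembled from the cookies named in the OIDCStripCookies line above (mod_auth_openidc_session_chunks announcing N chunks named mod_auth_openidc_session_0 .. N-1), but the client-supplied chunk count is validated and capped before it drives any loop or allocation. MAX_CHUNKS, the function names and the two sample Cookie headers are assumptions made for illustration; the second header carries the 99999999 value from the PoC steps above.

```c
/* Added example, not mod_auth_openidc's own code: reassemble a chunked
 * client-cookie session while bounding the attacker-controlled chunk count.
 * Cookie names are those from the advisory; MAX_CHUNKS, the function names
 * and the sample headers are assumptions made for illustration. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SESSION_COOKIE "mod_auth_openidc_session"
/* Assumed ceiling. At the default 4000-byte chunk size a real session needs
 * only a few chunks; a count far above that did not come from a browser. */
#define MAX_CHUNKS 32

/* Return a malloc'd copy of the value of cookie `name` in a Cookie header
 * ("a=1; b=2"), or NULL if absent. Exact-name match only, so looking up
 * "..._session" does not match "..._session_chunks". */
static char *cookie_get(const char *header, const char *name) {
    size_t nlen = strlen(name);
    const char *p = header;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = len - nlen - 1;
            char *v = malloc(vlen + 1);
            if (!v) return NULL;
            memcpy(v, p + nlen + 1, vlen);
            v[vlen] = '\0';
            return v;
        }
        p = end;
    }
    return NULL;
}

/* The check the advisory says was missing: accept the chunk count only if it
 * is a plain decimal integer in [1, MAX_CHUNKS]. Returns -1 otherwise. */
int parse_chunk_count(const char *value) {
    if (!value || !*value) return -1;
    char *endp;
    errno = 0;
    long n = strtol(value, &endp, 10);
    if (errno != 0 || *endp != '\0' || n < 1 || n > MAX_CHUNKS) return -1;
    return (int)n;
}

/* Rebuild the session value: a single SESSION_COOKIE, or SESSION_COOKIE_chunks
 * chunks named SESSION_COOKIE_0 .. SESSION_COOKIE_<n-1>. Returns a malloc'd
 * string, or NULL if the count is invalid or a chunk is missing. The loop can
 * never run more than MAX_CHUNKS times, whatever the client sends. */
char *session_from_cookie_header(const char *header) {
    char *count = cookie_get(header, SESSION_COOKIE "_chunks");
    if (!count) return cookie_get(header, SESSION_COOKIE);
    int n = parse_chunk_count(count);
    free(count);
    if (n < 0) return NULL;

    char *out = NULL;
    size_t total = 0;
    for (int i = 0; i < n; i++) {
        char name[sizeof(SESSION_COOKIE) + 16];
        snprintf(name, sizeof name, SESSION_COOKIE "_%d", i);
        char *part = cookie_get(header, name);
        if (!part) { free(out); return NULL; }
        size_t plen = strlen(part);
        char *grown = realloc(out, total + plen + 1);
        if (!grown) { free(part); free(out); return NULL; }
        out = grown;
        memcpy(out + total, part, plen);
        total += plen;
        out[total] = '\0';
        free(part);
    }
    return out;
}

/* Convenience for checks: 1 if the header reassembles to `expected`, else 0. */
int session_matches(const char *header, const char *expected) {
    char *s = session_from_cookie_header(header);
    int ok = s != NULL && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

/* Constructed sample headers: a legitimate two-chunk session, and the
 * advisory's PoC with the chunk count set to 99999999. */
static const char *GOOD_HEADER =
    "mod_auth_openidc_session_chunks=2; mod_auth_openidc_session_0=abc; "
    "mod_auth_openidc_session_1=def";
static const char *POC_HEADER =
    "mod_auth_openidc_session_chunks=99999999; mod_auth_openidc_session_0=abc";

int main(void) {
    char *s = session_from_cookie_header(GOOD_HEADER);
    printf("legitimate: %s\n", s ? s : "(rejected)");
    free(s);
    s = session_from_cookie_header(POC_HEADER);
    printf("PoC cookie: %s\n", s ? s : "(rejected)");
    free(s);
    return 0;
}
```

The design point is that the rejection happens before the loop starts: a count of 99999999 costs one strtol and a comparison, not millions of cookie lookups, and a count that passes is small enough that a missing chunk is detected after at most MAX_CHUNKS iterations. A patched module can also be combined with a request-size limit at the Apache level, but the bound on the count is what removes the CPU-exhaustion primitive described in this advisory.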

Impact

Attackers can, with minimal effort, craft requests that make the server work very hard (and possibly become unresponsive) and/or crash.

Severity

Moderate


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE ID

CVE-2024-24814

Weaknesses

No CWEs