CVE-2018-6874: Security Vulnerability in the Auth0 Authentication Service

Published: April 4, 2018

CVE number: CVE-2018-6874

Credit: Internal

Overview

A vulnerability has been identified in the Auth0 authentication service. Tenants of the service with the Legacy Lock API flag enabled in the service’s management dashboard are affected. If the flag is not visible, it is disabled. Disabling the flag may break applications employing the auth0.js library with version < 9.0.0 or the Lock library with version < 11.0.0 for crossdomain username/password based authentication - also known as embedded login. Further, any cross-domain use of the /usernamepassword/login authentication api endpoint outside of those libraries may also be affected.

After the verification of user credentials on /usernamepassword/login, an HTML form is rendered into the user’s browser and automatically executed. It POSTs a JSON Web Token (JWT) to the /login/callback endpoint. This authenticated token maintains state regarding the identity of the user; this cannot be done directly due to crossdomain session management restrictions maintained by most modern browsers. Due to the lack of session binding, this form post is susceptible to CSRF. An attacker with valid user credentials at an Auth0 tenant can use them to gain such a form, and then employ techniques such as social engineering or clickjacking to have a victim’s browser execute it. The victim will then have a login session at the Auth0 tenant under the attacker’s account - and therefore be recognized as the attacker by any downstream application in its federation. Should the user undertake any actions while maliciously logged in as such, those actions and any related information will be visible to the attacker.

The attack does not allow any escalation of privileges on behalf of the attacker, and the victim’s actions visible to the attacker are restricted to whatever permissions have been granted to that attacker within the system. The victim will also be fully recognized as the attacker within the federation, and so may be shown account information or other context clues that reveal they are not operating within the auspices of their own account.

Am I affected?

You are affected if you employ username/password authentication (with any database and/or connection) for your Auth0 tenant, and the Legacy Lock API flag in the Auth0 management dashboard is visible and flagged on.

How to fix that?

To mitigate the vulnerability, toggle the flag to off. The /usernamepassword/login endpoint will still work for logins from the Universal Login page hosted on /login, however these - as same-domain logins - will be protected from CSRF. Otherwise, toggling the flag will disable cross-domain authentication on that endpoint.

For applications employing auth0.js version < 9.0.0 or Lock version < 11.0.0, this may break user logins. Upgrading to auth0.js version > 9.0.0 or Lock version > 11.0.0 will restore embedded username/password authentication using cross-origin authentication (note the limitations). Applications are also encouraged to migrate to Universal Login.

Private SaaS Appliances running versions > 14591 with the Legacy Lock API flag set to off are not affected by this vulnerability.

Will this update impact my users?

If the Legacy Lock API is disabled without applications having migrated, then all user logins employing the affected functionality will break. Auth0 intends to enforce disablement of the Legacy Lock API for all tenants on July 16th, 2018. The choice of migration may affect the specific user experience of logging into your service, however users, their information, and their sessions will not be otherwise impacted.