[Security-news] Simple OAuth (OAuth2) & OpenID Connect - Moderately critical - Access bypass - SA-CONTRIB-2022-002

security-news at drupal.org security-news at drupal.org
Wed Jan 5 19:12:18 UTC 2022


View online: https://www.drupal.org/sa-contrib-2022-002

Project: Simple OAuth (OAuth2) & OpenID Connect [1]
Date: 2022-January-05
Security risk: *Moderately critical* 13/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
This module enables you to implement OAuth 2.0 authentication for Drupal.

The module doesn't sufficiently verify client secret keys for "confidential"
OAuth 2.0 clients when using certain grant types. The token refresh and
client credentials grants are not affected.

This vulnerability is mitigated by the fact that the vast majority of OAuth
2.0 clients in the wild are public, not confidential. Furthermore, all
affected grant types still require users to authenticate to Drupal during the
OAuth flow.

The implicit grant type is insecure for other reasons (and still requires
user authentication) and is disabled by default.

Sites at risk of information disclosure are those specifically configured to
restrict access based on the OAuth client's confidentiality status and
configured scopes, rather than only on traditional Drupal user permissions and
roles.

Further mitigation includes configuring allowed redirect URIs for clients
[3]. This is an OAuth best practice for guarding against man-in-the-middle
attacks on authorization codes, and prevents redirection to imposter clients.

Anyone implementing OAuth 2.0 on their Drupal site is also encouraged to
review the relevant RFCs and Internet-Drafts [4] pertaining to OAuth
security.
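As an added illustration (not the simple_oauth module's own code), the following models the check the advisory describes, a confidential client's secret verified only on some grants versus on every grant, together with the exact-match redirect URI validation recommended above. The Client class, validate_token_request function and the sample client registration are constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Client:
    """Constructed model of an OAuth 2.0 client registration."""
    client_id: str
    confidential: bool
    secret_hash: Optional[str]  # sha256 hex of the secret; None for public clients
    redirect_uris: List[str] = field(default_factory=list)


def _secret_ok(client: Client, presented: Optional[str]) -> bool:
    """Constant-time comparison of a presented secret against the stored hash."""
    if presented is None or client.secret_hash is None:
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(digest, client.secret_hash)


def validate_token_request(client: Client, grant_type: str, secret: Optional[str],
                           redirect_uri: Optional[str] = None,
                           vulnerable: bool = False) -> bool:
    """Return True if the request may proceed to token issuance.

    vulnerable=True mirrors the advisory: the secret is verified only for the
    client_credentials and refresh_token grants. The fixed path (default)
    verifies it for every grant whenever the client is confidential.
    """
    always_checked = {"client_credentials", "refresh_token"}
    needs_secret = client.confidential and (not vulnerable or grant_type in always_checked)
    if needs_secret and not _secret_ok(client, secret):
        return False
    # RFC 6819 5.2.3.5: the redirect URI must exactly match a registered value.
    if grant_type == "authorization_code":
        if redirect_uri is None or redirect_uri not in client.redirect_uris:
            return False
    return True


# Constructed sample registration for a confidential client (illustration only).
SAMPLE_CLIENT = Client(
    client_id="example-app",
    confidential=True,
    secret_hash=hashlib.sha256(b"s3cret").hexdigest(),
    redirect_uris=["https://app.example/callback"],
)
```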

Solution: 
Install the latest version:

   * If you use the simple_oauth module for Drupal 9.x, upgrade to
     simple_oauth-8.x-4.6 [5], 5.0.6 [6] or 5.2.0 [7].

*Important note*: 8.x-4.6 will be the last release for the 8.x-4.x branch.
Support for this major version will end February 28, 2022. The upgrade path
to 5.x is easy, supported and well-tested. All users of versions < 5 should
upgrade to 5.2.0.

The 5.0.x version will be supported until July 31, 2022. Read the 5.2.0
change record [8] for information about changes to previously
non-spec-compliant response codes and messages.

Reported By: 
   * Simon Bäse [9]

Fixed By: 
   * Brad Jones [10]
   * Simon Bäse [11]

Coordinated By: 
   * Greg Knaddison [12] of the Drupal Security Team


[1] https://www.drupal.org/project/simple_oauth
[2] https://www.drupal.org/security-team/risk-levels
[3] https://tools.ietf.org/html/rfc6819#section-5.2.3.5
[4] https://oauth.net/security/
[5] https://www.drupal.org/project/simple_oauth/releases/8.x-4.6
[6] https://www.drupal.org/project/simple_oauth/releases/5.0.6
[7] https://www.drupal.org/project/simple_oauth/releases/5.2.0
[8] https://www.drupal.org/node/3255523
[9] https://www.drupal.org/user/3686593
[10] https://www.drupal.org/user/405824
[11] https://www.drupal.org/user/3686593
[12] https://www.drupal.org/user/36762