Server messaging and data exchange platform Apache Pulsar has patched a security bug that could allow an attacker to hijack accounts configured in a specific way.
A pull request on the Apache Pulsar GitHub reads: “If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to ‘none’. This allows an attacker to connect to Pulsar instances as any user (including admins).”
JWT is an open standard for securely transmitting information between parties in JSON format. One of the common uses of JWT is user authentication and authorization.
Authentication required
The bug was initially reported as high severity. But Sijie Guo, a member of the Apache Pulsar Project Management Committee (PMC), told The Daily Swig that the real-world impact of the bug is minimal.
“The issue can ONLY allow a token to be authenticated with a NONE signing algorithm,” Guo explained.
“An authenticated user doesn’t directly gain access. It will still go through the authorization process, because all the Pulsar roles are NOT predefined.”
He added: “Pulsar role names are generated, configured, and managed by the users. Unless the attacker knows your roles, they won’t be able to mock a token to access your cluster.”
Guo also said that JWT is not the default authentication mode for Pulsar.
“Pulsar provides a pluggable authentication plugin to support different authentication mechanisms,” he said.
“It currently supports mutual-TLS, OAuth2, Athenz, Kerberos, and JWT. mTLS and OAuth2 are the popular ones. JWT is only one of them.”
Regarding admin users, Guo said that attackers will have to know the username before they can hack them.
“Superuser and admin roles are not predefined,” Guo said. “They have to be generated, configured, and managed by Pulsar users.”
Guo also said that a successful exploit – even on an admin user – would not result in more severe attacks on the host system and would remain limited to creating and deleting topics in a given tenant in a Pulsar cluster.
Nonetheless, Guo acknowledged that more caution is needed when integrating new features into the application. “It is important to read the documentation about the third party library we are choosing and use the right method to parse the JWT token,” he said.
Peter Stöckli, the security researcher who discovered and reported the bug, told The Daily Swig, “The developers shouldn’t be blamed too much here. They didn’t explicitly specify that ‘none’ can be used as an algorithm.
“They basically called the wrong method on the JWT-library in use. The JWT-library cannot be blamed too much, since the use of the ‘none’ algorithm is part of the standard (unsecured JWTs).”
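The distinction Stöckli draws, between a library call that merely decodes a token and one that verifies it, is the whole bug. The following is an added illustration written for this article, not Pulsar's own code (which is Java and uses a third-party JWT library) and not a reproduction of the patch. It assumes a single HS256 shared secret and uses only the Python standard library; the secret, the claims and the helper names are constructed for the demo. `unverified_claims` shows the unsafe pattern, which trusts whatever the header says and so accepts an unsecured token whose `alg` is `none`; `verified_claims` shows the fix: the server decides which algorithms it accepts, rejects anything else before looking at the signature, and then checks the signature with a constant-time comparison.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment loads its key from configuration.
SECRET = b"demo-secret-do-not-use"

# Only the algorithms this verifier implements. "none" is not in the set, so
# an unsecured token is rejected before any signature logic runs.
ALLOWED_ALGS = {"HS256": hashlib.sha256}


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict, key: bytes) -> str:
    """Issue an HS256-signed token (constructed helper so the demo is self-contained)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def unverified_claims(token: str) -> dict:
    """The 'wrong method' pattern: decode the payload and trust the header.

    Nothing here checks a signature, so a token whose header says
    {"alg": "none"} and whose signature segment is empty is accepted.
    Shown only as the pattern the fix must avoid.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return json.loads(_b64url_decode(parts[1]))


def verified_claims(token: str, key: bytes) -> dict:
    """The fixed pattern: server-side algorithm allow-list, then signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    # The verifier, not the token, chooses the algorithm. "none" never passes.
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm {alg!r} not allowed")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), ALLOWED_ALGS[alg]).digest()
    # Constant-time comparison avoids leaking signature bytes via timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


if __name__ == "__main__":
    good = make_token({"sub": "demo-role"}, SECRET)
    print("signed token accepted:", verified_claims(good, SECRET))
    # Constructed unsecured token: header {"alg":"none"}, empty signature segment.
    unsecured = _b64url_encode(b'{"alg":"none"}') + "." + _b64url_encode(b'{"sub":"demo-role"}') + "."
    print("decode-only path accepts it:", unverified_claims(unsecured))
    try:
        verified_claims(unsecured, SECRET)
    except ValueError as err:
        print("verifying path rejects it:", err)
```

The point of the allow-list is that the accepted algorithm is a property of the server's configuration, never of the incoming token: the header is untrusted input, and the standard's unsecured JWT form (`alg` set to `none`) is exactly what a decode-only call lets through.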
The bug, fixed in the latest version of Pulsar (2.7.1), had existed since version 2.5.1, which introduced the JWT authentication provider option.
Source: https://portswigger.net/daily-swig/apache-pulsar-bug-allowed-account-takeovers-in-certain-configurations