In this case, the attacker can re-establish a Group Access Token in another Group and continue to have access to the affected Group. This attack requires the attacker to be the owner of that Group, and the affected users must be members of that Group. For example, if a Group is deleted, but the attacker is still the Group owner, then the attacker can retain the Group Access Token and continue to access the Group. This attack does not require the victim to be an owner of the Group, only a member. This can be especially dangerous if the attacker has a high-privilege job or is an admin on the project or organization level. In these cases, the attacker can access the Teams, Activities, and Repositories of the victims, as well as any other systems the victims have access to.
How to detect if you are in a compromised Group
In order to detect if your Group is in a compromised state, you can use the following method:
1) Search for the Group ID on GitHub.
2) Check the left side of the page for the "Group Owner" drop-down menu.
3) If you don't see the owner listed, it's an indication that the Group has been compromised, because only owners can list themselves as "Group Owner."
4) If you do see a user listed as "Group Owner," but they are not familiar to you or they have a different email than their official account, then it could indicate that someone else has taken over your Group.
Group to which the token was reassigned (CVE-2023)
This attack requires the attacker to be the owner of that Group. If a Group is deleted, but the attacker is still the Group owner, then the attacker can retain the Group Access Token and continue to access the Group. This attack does not require the victim to be an owner of the Group, only a member. This can be especially dangerous if the attacker has a high-privilege job or is an admin on the project or organization level. In these cases, the attacker can access Teams, Activities, and Repositories of victims as well as any other systems they have access to.
How to Upgrade to Protect Yourself
To protect yourself from this attack, you should upgrade to the latest version of Microsoft Teams.
Group-Based Authentication Vulnerability
Group-based authentication vulnerabilities can occur in two ways:
1) if the administrator of a Group is compromised and gives an attacker access to the Group, or
2) if the requestor is compromised and gives an attacker access to the Group.
In both cases, the attacker is able to re-establish a Group Access Token in another Group and continue to have access to the affected Group. This attack requires the attacker to be the owner of that Group, and the affected users must be members of that Group. For example, if a Group is deleted, but the attacker is still the owner of that group, then they can retain their access token and continue accessing that group. This attack does not require any victim on Team or Project level privileges for this vulnerability.
The risk for this vulnerability increases for organizations that rely on Groups to share information or collaborate with other teams/projects/organizations in order to achieve business goals. A good example of such an organization would be those who use a project management platform like JIRA. Organizations with active projects will have users from multiple groups collaborating within one project simultaneously, giving attackers more opportunities for this vulnerability.
Timeline
Published on: 08/05/2022 16:15:00 UTC
Last modified on: 08/11/2022 15:02:00 UTC