OpenFGA is a high-performance authorization/permission engine inspired by Google's Zanzibar system. It plays a critical role in securing access to resources by ensuring that users hold only the permissions they are entitled to. Unfortunately, OpenFGA versions prior to 0.2.5 have been found to be vulnerable to an authorization bypass under certain conditions.

Affected versions

OpenFGA versions prior to 0.2.5.

Impact

An attacker can bypass authorization checks and potentially gain unauthorized access to sensitive resources. This only applies when the store contains a tuple that assigns a wildcard (*) user to a tupleset relation, that is, a relation that appears on the right-hand side of a 'from' statement in the authorization model.

Details

The core issue lies in the way OpenFGA evaluates tuples whose user is the wildcard (*) when the tuple's relation is used as a tupleset. When it encounters such a wildcard, the engine fails to consider all the tuple combinations that the wildcard expands to, which can lead to an incorrect authorization decision.

The following model and tuple show the vulnerable configuration in OpenFGA's schema 1.0 DSL. The relation "parent" is a tupleset relation because it appears on the right-hand side of "from", and the tuple assigns the wildcard user to it:

    type document
      relations
        define parent as self
        define owner as owner from parent

    { "user": "*", "relation": "parent", "object": "document:budget" }

In this example, the wildcard (*) is the user of a tuple whose relation ("parent") is a tupleset relation, which is the condition that triggers the vulnerability.

References

- Original advisory
- OpenFGA GitHub repository

Patch

The OpenFGA team has released a patch for this issue in version v0.2.5. This update is _not_ backward compatible with authorization models and tuples that use a wildcard on a tupleset relation.

Upgrade instructions

You need to update your OpenFGA installation to version 0.2.5 or later to address this vulnerability. You can follow these steps to upgrade:

1. Verify whether your OpenFGA instance runs a vulnerable version (prior to 0.2.5).
2. If affected, update your OpenFGA installation to version 0.2.5 or later using your package manager or by following the instructions in the GitHub repository.
3. Carefully review and update any authorization models and tuples that use wildcards on tupleset relations, as this update is not backward compatible with them. Ensure that the revised models still meet your access control requirements.
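As an added illustration (not code from the advisory or from the OpenFGA project), the following Python script audits a model and its tuples for the pattern described in the Details section, so the tuples that step 3 asks you to review can be listed before upgrading. It assumes the model is in the schema 1.0 JSON form returned by the OpenFGA API (type_definitions, tupleToUserset, union, ...); the model and tuples below are constructed samples.

```python
# Constructed sample: a schema 1.0 style OpenFGA model in the API's JSON form.
# Key names (type_definitions, tupleToUserset, union, ...) are assumed to
# match the protobuf JSON encoding used by the OpenFGA API.
MODEL = {
    "type_definitions": [
        {"type": "folder", "relations": {"owner": {"this": {}}}},
        {"type": "document", "relations": {
            "parent": {"this": {}},
            "owner": {"union": {"child": [
                {"this": {}},
                {"tupleToUserset": {"tupleset": {"relation": "parent"},
                                    "computedUserset": {"relation": "owner"}}},
            ]}},
        }},
    ]
}

# Constructed sample tuples; only the second one puts "*" on a tupleset relation.
TUPLES = [
    {"user": "user:anne", "relation": "owner", "object": "folder:finance"},
    {"user": "*", "relation": "parent", "object": "document:budget"},
    {"user": "*", "relation": "owner", "object": "document:notice"},
]

def tupleset_relations(userset):
    """Collect relations used as tuplesets (the 'from' side) in one userset tree."""
    if "tupleToUserset" in userset:
        return {userset["tupleToUserset"]["tupleset"]["relation"]}
    found = set()
    for key in ("union", "intersection"):
        for child in userset.get(key, {}).get("child", []):
            found |= tupleset_relations(child)
    if "difference" in userset:
        for side in ("base", "subtract"):
            found |= tupleset_relations(userset["difference"][side])
    return found

def tupleset_map(model):
    """Map each object type to the set of its relations that act as tuplesets."""
    return {td["type"]: set().union(*(tupleset_relations(us)
                                       for us in td.get("relations", {}).values()))
            for td in model["type_definitions"]}

def find_wildcard_tupleset_tuples(model, tuples):
    """Return the tuples that assign the wildcard user to a tupleset relation."""
    ts = tupleset_map(model)
    return [t for t in tuples
            if t["user"] == "*"
            and t["relation"] in ts.get(t["object"].split(":", 1)[0], set())]
```

Call find_wildcard_tupleset_tuples with the model and tuples exported from your store; every tuple it returns must be replaced or rewritten before the upgrade, since v0.2.5 no longer accepts them.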

Conclusion

The authorization bypass vulnerability in OpenFGA prior to version 0.2.5 poses a significant risk to users and organizations that rely on it for access control. Therefore, it's crucial to upgrade to version 0.2.5 or later as soon as possible to mitigate the risk. In addition, authorization models and tuples with wildcards on tupleset relations need to be revised because of the backward compatibility break introduced by the patch.

Timeline

Published on: 11/08/2022 08:15:00 UTC
Last modified on: 11/09/2022 22:03:00 UTC