In this post, we'll discuss an issue recently discovered in LIVEBOX Collaboration vDesk (versions up to v018) that allows bypassing of Two-Factor Authentication (2FA). We'll dive into the CVE-2022-45173 vulnerability, how it works, and what this means for users and organizations using the affected versions of vDesk. In addition, we'll provide information about the exploit details, link to the original references, and provide a code snippet demonstrating the vulnerability.

Background

LIVEBOX Collaboration vDesk is a popular collaboration platform that offers virtual desktop solutions for organizations. Two-Factor Authentication (2FA) is a crucial security feature that adds an additional layer of protection to user accounts by requiring a unique code generated through a third-party application or device, in addition to the standard username and password.

The Vulnerability (CVE-2022-45173)

An issue was discovered in LIVEBOX Collaboration vDesk through v018 where a bypass of Two-Factor Authentication can occur under the /api/v1/vdeskintegration/challenge endpoint. The vulnerability exists because the 2FA validation process within vDesk is performed only on the client side, which leaves it open to attackers who can manipulate the validation response. This, in turn, allows the attacker to fool the application into concluding that the Time-based One-Time Password (TOTP) was correct, effectively bypassing the 2FA protection feature.

Exploit Details

To exploit this vulnerability, an attacker can intercept the validation response on the client side and modify it to indicate a successful 2FA check, ultimately gaining unauthorized access to the user account. Here's a code snippet that demonstrates this exploit:

// Assuming attacker has already intercepted user's session, awaiting 2FA response
const interceptedResponse = {
  "authenticated": false, // Initial response from the server
  "message": "Incorrect TOTP"
};

// Attacker modifies the response
interceptedResponse.authenticated = true;
interceptedResponse.message = "TOTP correct";

// Send the modified response back to the application
fakeAuthentication(interceptedResponse);

function fakeAuthentication(response) {
  if (response.authenticated) {
    console.log("Authenticated:", response.message);
    // Attacker proceeds with unauthorized access
  } else {
    console.log("Not Authenticated:", response.message);
  }
}

In this example, the attacker intercepts the initial false authentication response from the server, modifies it to indicate a successful 2FA check, and sends it back to the application to gain unauthorized access.

Several references highlight and discuss this vulnerability in detail:

1. Livebox-collaboration-vdesk-two-factor-authentication-bypass - A blog post that provides an in-depth analysis of the vulnerability.
2. CVE-2022-45173 - The official CVE page containing detailed information about the vulnerability and affected versions.
3. vDesk GitHub Repository - The official GitHub repository of vDesk, where the issue has been logged and potential patches can be tracked.

Conclusion

CVE-2022-45173 is a significant security vulnerability for LIVEBOX Collaboration vDesk users, as it could allow unauthorized parties to bypass 2FA protection and gain access to sensitive information. Users and organizations should ensure they update to the latest version of vDesk to mitigate this risk. In addition, developers need to ensure that critical security features like 2FA validation are implemented and executed server-side, so that protection measures cannot be circumvented this way in the future.
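The server-side enforcement described above, as an added example that is not vDesk code or part of the original post: the challenge handler records the TOTP result in the server's own session, so editing the response body on the client changes nothing. The session store, user record, function names and the five-attempt limit are assumptions made for illustration.

```javascript
// Added example, not vDesk code: all names and the 5-try limit are assumptions.
const nodeCrypto = require("node:crypto");
// RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, truncated to 6 digits.
function totp(secret, nowMs) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(nowMs / 30000)));
  const mac = nodeCrypto.createHmac("sha1", secret).update(counter).digest();
  const bin = mac.readUInt32BE(mac[19] & 0x0f) & 0x7fffffff;
  return String(bin % 1000000).padStart(6, "0");
}

// Constructed state: one enrolled user (RFC 6238 test secret) and a session store.
const users = { alice: { totpSecret: Buffer.from("12345678901234567890") } };
const sessions = new Map();

// Password step passed: the session exists but the second factor is still pending.
function passwordStepPassed(user) {
  const id = nodeCrypto.randomUUID();
  sessions.set(id, { user, secondFactorOk: false, failures: 0 });
  return id;
}

// Challenge handler: the server compares the code and records the outcome itself.
function handleChallenge(sessionId, code, nowMs) {
  const s = sessions.get(sessionId);
  if (!s || s.failures >= 5) return { authenticated: false, message: "Denied" };
  const expected = Buffer.from(totp(users[s.user].totpSecret, nowMs));
  const given = Buffer.from(String(code));
  const ok = given.length === expected.length && nodeCrypto.timingSafeEqual(given, expected);
  if (ok) s.secondFactorOk = true; else s.failures += 1;
  return { authenticated: ok, message: ok ? "TOTP correct" : "Incorrect TOTP" };
}

// Protected routes trust only the server-side flag, never a client-supplied value.
function getProtectedResource(sessionId) {
  const s = sessions.get(sessionId);
  if (!s || !s.secondFactorOk) return { status: 401 };
  return { status: 200, body: `files of ${s.user}` };
}

// Replays the response edit from the post against this design; returns the statuses.
function demo(nowMs = 59000) {
  const sid = passwordStepPassed("alice");
  const response = handleChallenge(sid, "000000", nowMs);
  response.authenticated = true; // edited in transit, as in the post
  const afterTamper = getProtectedResource(sid).status;
  handleChallenge(sid, totp(users.alice.totpSecret, nowMs), nowMs);
  return { afterTamper, afterValidCode: getProtectedResource(sid).status };
}
console.log(demo());
```

The response object still carries `authenticated` for the user interface, but no authorization decision reads it.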

Timeline

Published on: 04/14/2023 14:15:00 UTC
Last modified on: 04/19/2023 19:28:00 UTC