CVE CyberSecurity Database News

CVE-2024-10318 - Session Fixation Flaw in NGINX OpenID Connect Reference Implementation Explained

Poster -

In early 2024, a critical security vulnerability—CVE-2024-10318—was identified in the NGINX OpenID Connect reference implementation. If you use NGINX with OIDC, or maintain any auth infrastructure relying on this reference code, keep reading—this flaw could seriously impact your users' session security.

What is Session Fixation?

Session fixation means an attacker sets (or “fixes”) a victim’s session identifier to one that the attacker controls, and then tricks the victim into authenticating with that session. This doesn’t let the attacker “become” the victim, but lets them “tie” a user’s future session to their own identity. That can lead to all sorts of weird and dangerous behavior.

The Vulnerability: Nonce Parameter Not Checked

The heart of CVE-2024-10318 is that the nonce value—a unique token meant to prevent replay attacks—was improperly handled in the NGINX OIDC reference implementation. Usually, the nonce verifies that the session started by the user matches the authentication flow. If the server doesn’t check the nonce at login, anyone can “plant” their own session parameters for another user.

The nonce wasn’t checked during login.

- An attacker could generate a valid login session before the victim logs in, tying their session to the attacker's identifier.

Attacker logs in using their own account via OIDC and starts an authentication session.

2. Attacker sends a link with their session cookie to the victim (via phishing, malicious website, etc).

Victim successfully authenticates through OIDC.

5. Result: The victim’s session is now linked to the attacker’s account—even though the victim completed the correct login flow!

Here's a simplified Python-like logic of the problem in the reference implementation

def oidc_callback(request):
    # BAD: No nonce check
    id_token = get_id_token(request)
    # Skipping nonce check:
    # if not valid_nonce(request.session['nonce'], id_token['nonce']):
    #     abort_login()
    session['user'] = id_token['sub']  # Associate session with user
    # Now, session is linked without verifying it is the original requester!

If you want to see the original OIDC reference implementation, check out the NGINX repo (beware, not every deployment is vulnerable—only ones not checking nonce at login!).

The actual logged-in session is associated with the attacker's privileges.

- Could result in actions taken by the victim being mapped to the attacker’s account (data leaks, unintended changes, audit log confusion).

Attacker creates their own session with a predictable or known session ID.

2. Attacker sends this session ID to the victim (phishing/social engineering).

All future authenticated actions will operate under the attacker’s identity.

No special tools required: If you can inject a cookie or get the victim to open a link on your attacker-controlled site, you’re in.

Proof-of-Concept (PoC) Curl Example

# Step 1: Attacker gets valid session_id cookie
curl -c attacker_cookies.txt "https://vulnerable-nginx-oidc/login";

# Step 2: Attacker crafts a link for the victim using cookie set
echo "Paste this in your browser with attacker_cookies.txt loaded"
# Victim logs in, session is tied to attacker

In real-world attacks, this would be more automated, possibly involving XSS or phishing tricks.

How to Fix?

Always verify the nonce value received in OIDC authentication responses. If your NGINX OIDC implementation skips this check, patch immediately!

Reference Fix:
See the upstream commit: OIDC: Always verify nonce at login time *(replace XYZ with actual PR if available)*

Or track the advisory

- MITRE CVE Entry
- NGINX Security Advisory

Conclusion: Patch and Review Your OIDC Middleware

CVE-2024-10318 highlights why session and nonce checks are crucial in SSO/OIDC components. Even “reference implementations” can have dangerous flaws—never treat them as “ready for production” without strict review.

If you run NGINX OIDC, make sure you’ve updated to code that checks the nonce at login.

More info

- OWASP - Session Fixation
- OpenID Connect Security


*For exclusive, real-world updates on web security, follow this space!*

Timeline

Published on: 11/06/2024 17:15:13 UTC
Last modified on: 11/08/2024 19:51:49 UTC