[Security][CVE-2024-52946] Adaptative Authentication Rules triggered by "Refresh my rights"
Create a simple adaptative authentication rule like:
'adaptativeAuthenticationLevelRules' => {
    '$env->{REMOTE_ADDR} =~ /^127/' => '+2'
},
When the user logs in, the authenticationLevel is increased by 2, which is the correct behavior.
But when the user clicks on "Refresh my rights", the rule is triggered again and the authenticationLevel is increased once more (in the log below it goes from 6 to 8), which can let the user gain access to applications he should not be able to reach.
Debug logs:
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [info] New request Lemonldap::NG::Portal::Main GET /refresh
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Checking for events
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Processing event newConf
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Get configuration from cache without verification.
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] VH auth.example.com is HTTPS
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Get session 6cae3e80c11047618b4a73679293bebd2f627880b9738b6e9def54c9775e9289 from Handler::Main::Run
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Check session validity from Handler
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Session timeout -> 72000
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Session _utime -> 1728892262
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] now -> 1728892688
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Session timeoutActivityInterval -> 60
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Session TTL = 71574
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] No URL authentication level found...
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] auth.example.com: Apply default rule
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] removing cookie
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Cookies -> llnglanguage=fr; lemonldap=6cae3e80c11047618b4a73679293bebd2f627880b9738b6e9def54c9775e9289; lemonldappdata=%7B%22_choice%22%3A%222_Demo%22%7D
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] CookieName -> lemonldap
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] newCookies -> llnglanguage=fr; lemonldappdata=%7B%22_choice%22%3A%222_Demo%22%7D
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] User dwho was granted to access to /refresh
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Start routing refresh
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [notice] Refresh request for dwho
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] [notice] Refresh request for dwho
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [info] Refresh request for dwho
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] [info] Refresh request for dwho
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Set session 6cae3e80c11047618b4a73679293bebd2f627880b9738b6e9def54c9775e9289 _updateTime with 20241014095808
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Processing getUser
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Choice 2_Demo selected from pdata
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Processing code ref
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Launching ::Auth::Choice::_betweenAuthAndData
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Processing code ref
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Launching ::UserDB::Choice::_betweenAuthAndData
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Processing setSessionInfo
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Processing code ref
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Processing setMacros
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Processing setGroups
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Choice 2_Demo selected from pdata
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Processing setLocalGroups
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Processing store
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Launching ::Plugins::AdaptativeAuthenticationLevel::adaptAuthenticationLevel instead of store
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Check adaptative authentication rules for dwho
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Current authentication level for dwho is 6
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Check adaptativeAuthenticationLevelRules -> $env->{REMOTE_ADDR} =~ /^127/
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] User dwho match rule, apply +2 on authentication level
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Authentication level for dwho is now 8
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Authentication level has changed for dwho
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] store launched inside ::Plugins::AdaptativeAuthenticationLevel::adaptAuthenticationLevel
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0 in session key UA
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store **** in session key _2fDevices
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store Demo in session key _auth
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store 2_Demo in session key _choice
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store fr in session key _language
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store 1728892262 in session key _lastAuthnUTime
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store HASH(0x61b40a4dfc38) in session key _loginHistory
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Dump: $VAR1 = {'failedLogin' => [{'ipAddr' => '127.0.0.1','error' => 5,'_utime' => '1719305353'},{'_utime' => '1719221113','error' => 5,'ipAddr' => '127.0.0.1'},{'ipAddr' => '127.0.0.1','error' => 5,'_utime' => '1714649937'},{'ipAddr' => '127.0.0.1','error' => 5,'_utime' => '1712847579'},{'_utime' => '1712846957','ipAddr' => '127.0.0.1','error' => 5}],'successLogin' => [{'ipAddr' => '127.0.0.1','_utime' => '1728892262'},{'ipAddr' => '127.0.0.1','_utime' => '1728892173'},{'ipAddr' => '127.0.0.1','_utime' => '1728459030'},{'_utime' => '1728458960','ipAddr' => '127.0.0.1'},{'ipAddr' => '127.0.0.1','_utime' => '1728458862'}]};
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store [{"scope":"openid profile address email phone","rp":"rp-example","epoch":1710436974}] in session key _oidcConsents
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store 6cae3e80c11047618b4a73679293bebd2f627880b9738b6e9def54c9775e9289 in session key _session_id
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store SSO in session key _session_kind
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store 20241014095102 in session key _startTime
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store 20241014095808 in session key _updateTime
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store dwho in session key _user
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store Demo in session key _userDB
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store 1728892262 in session key _utime
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store dwho in session key _whatToTrace
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store 8 in session key authenticationLevel
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store Doctor Who in session key cn
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store users; timelords in session key groups
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store HASH(0x61b407fb8e38) in session key hGroups
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Dump: $VAR1 = {'users' => {'name' => 'users'},'timelords' => {'name' => 'timelords'}};
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store 127.0.0.1 in session key ipAddr
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store dwho@badwolf.org in session key mail
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Store dwho in session key uid
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Try to get SSO session 6cae3e80c11047618b4a73679293bebd2f627880b9738b6e9def54c9775e9289
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Get session 6cae3e80c11047618b4a73679293bebd2f627880b9738b6e9def54c9775e9289 from Portal::Main::Run
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Return SSO session 6cae3e80c11047618b4a73679293bebd2f627880b9738b6e9def54c9775e9289
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Looking for totp 2f
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Looking for webauthn 2f
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Looking for okta 2f
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] No 2F module authorized -> Update current request
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Processing code ref
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Calling autoredirect
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Building redirection to https://auth.example.com/
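The sequence above, modelled as an added example (Python, not LemonLDAP::NG code and not the upstream fix): a session is created at login with the level assigned by the authentication module, the adaptative rule adds its delta, and "Refresh my rights" re-runs the same store step. The buggy variant adds the delta to whatever level the session already holds, so every refresh raises it again (6, 8, 10, ...); the idempotent variant recomputes from the module's base level each time. Assumptions: the base level is 4 (the excerpt only shows 6 before the refresh), the rule condition is simplified to a regex on REMOTE_ADDR instead of a Perl expression, and the `_baseAuthenticationLevel` session key is hypothetical. The last function is a small detection helper that scans constructed portal debug lines for a level change that happens inside a refresh request.

```python
import re

# Constructed rule set mirroring the issue's configuration. LemonLDAP::NG
# evaluates the key as a Perl expression; here it is simplified (assumption)
# to a regex matched against REMOTE_ADDR, and the value is the level delta.
ADAPTATIVE_RULES = {
    r"^127": "+2",
}


def matching_delta(rules, env):
    """Sum of the deltas of all rules whose condition matches the request."""
    total = 0
    for pattern, delta in rules.items():
        if re.search(pattern, env.get("REMOTE_ADDR", "")):
            total += int(delta)
    return total


def store_buggy(session, env, rules):
    """Mirror of the reported behaviour: the delta is added to whatever level
    is already in the session, so each run of the store step adds it again."""
    session["authenticationLevel"] += matching_delta(rules, env)
    return session["authenticationLevel"]


def store_fixed(session, env, rules):
    """Idempotent variant (one possible fix, not the upstream patch): always
    recompute from the level the authentication module assigned at login."""
    base = session["_baseAuthenticationLevel"]
    session["authenticationLevel"] = base + matching_delta(rules, env)
    return session["authenticationLevel"]


def login(base_level, env, rules, store):
    """Create a session as the auth module would, then run the store step."""
    session = {
        "authenticationLevel": base_level,
        "_baseAuthenticationLevel": base_level,  # hypothetical key (assumption)
    }
    store(session, env, rules)
    return session


def refresh(session, env, rules, store):
    """'Refresh my rights' re-runs the store step on the existing session."""
    store(session, env, rules)
    return session["authenticationLevel"]


# Constructed excerpt of the portal debug log shown in the report.
SAMPLE_LOG = """\
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [notice] Refresh request for dwho
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Current authentication level for dwho is 6
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] User dwho match rule, apply +2 on authentication level
[Mon Oct 14 09:58:08 2024] [LLNG:15262] [debug] Authentication level for dwho is now 8
"""

REFRESH_RE = re.compile(r"\] Refresh request for (\S+)$")
BEFORE_RE = re.compile(r"Current authentication level for (\S+) is (\d+)$")
AFTER_RE = re.compile(r"Authentication level for (\S+) is now (\d+)$")


def level_changes_on_refresh(log_text):
    """Detection helper: for each user whose refresh request was followed by
    an adaptative level change, return (level_before, level_after)."""
    refreshing = set()
    before = {}
    changes = {}
    for line in log_text.splitlines():
        m = REFRESH_RE.search(line)
        if m:
            refreshing.add(m.group(1))
            continue
        m = BEFORE_RE.search(line)
        if m and m.group(1) in refreshing:
            before[m.group(1)] = int(m.group(2))
            continue
        m = AFTER_RE.search(line)
        if m and m.group(1) in refreshing:
            user = m.group(1)
            changes[user] = (before.get(user), int(m.group(2)))
    return changes


if __name__ == "__main__":
    env = {"REMOTE_ADDR": "127.0.0.1"}
    for store in (store_buggy, store_fixed):
        s = login(4, env, ADAPTATIVE_RULES, store)
        print(store.__name__, s["authenticationLevel"],
              refresh(s, env, ADAPTATIVE_RULES, store),
              refresh(s, env, ADAPTATIVE_RULES, store))
    print(level_changes_on_refresh(SAMPLE_LOG))
```

The detection helper only reports a change when a "Refresh request for" line precedes it, so a legitimate increase at login is not flagged; on a production portal the same pattern applied to the full debug log would show every user whose level drifted upward through repeated refreshes.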