Source: cve@mitre.org
The Shibboleth authentication module 5.x before 5.x-3.4 and 6.x before 6.x-3.2, a module for Drupal, does not properly remove statically granted privileges after a logout or other session change, which allows physically proximate attackers to gain privileges by using an unattended web browser.
Unattended web browser sessions on Drupal installations running a vulnerable version of the Shibboleth authentication module are susceptible to privilege escalation. Because the module fails to clear statically granted privileges after a logout or other session change, a physically proximate attacker with access to the browser can continue to act with the previous user's privileges, potentially leading to data exposure and system compromise.
Step 1: Legitimate User Login: A legitimate user logs into the Drupal website using Shibboleth authentication, and the module grants the user specific privileges based on their identity.
Step 2: User Logout or Session Change: The legitimate user logs out of the Drupal website or their session is otherwise terminated (e.g., session timeout).
Step 3: Attacker Access: An attacker gains physical access to the unattended web browser or a browser that still has cached session data.
Step 4: Privilege Reuse: The attacker attempts to leverage the existing session or cached data to access protected resources. Because the module fails to properly revoke the privileges, the attacker may be able to access resources that require the previously granted privileges.
Step 5: Privilege Escalation: The attacker successfully accesses resources they should not have access to, effectively escalating their privileges.
The root cause is inadequate session cleanup in the Shibboleth module. On logout or another session change, the module fails to remove or invalidate the statically assigned privileges tied to the user's session, so an attacker with physical access to the browser can reuse the existing session, or cached session information, and re-establish access with the privileges granted earlier. The flaw is not a code injection or memory corruption issue but a logic error in the session cleanup path: the user's access rights stay active after the user has logged out or the session has changed. It is a classic authorization bypass.
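To make the logic error concrete, the following added example models it in Python. It is not the Shibboleth module's code and does not use Drupal's API: it is a language-neutral model of a session that holds two kinds of grants, privileges derived from identity-provider attributes at login and "static" privileges mapped to the account by local configuration, together with a logout routine that discards only the first kind (the defect class described above) and a corrected logout that discards the whole session. All names (Session, login, logout_vulnerable, logout_fixed, can_access) and the privilege and path tables are assumptions constructed for the example.

```python
"""Model of a logout that fails to clear statically granted privileges.

Added illustration, not the module's code. Configuration tables below are
constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed: privileges granted to an account by local configuration,
# independent of what the identity provider asserts at login.
STATIC_GRANTS = {"alice": {"administer nodes"}}

# Constructed: privileges derived from identity-provider attributes.
ATTRIBUTE_PRIVS = {"staff": {"access content"}}

# Constructed: protected paths and the privilege each one requires.
PROTECTED = {"/admin/content": "administer nodes", "/node/1": "access content"}


@dataclass
class Session:
    user: Optional[str] = None
    dynamic_privs: Set[str] = field(default_factory=set)
    static_privs: Set[str] = field(default_factory=set)


def login(session: Session, user: str, attributes: Set[str]) -> None:
    """Populate the session from the IdP attributes and the static grants."""
    session.user = user
    for attr in attributes:
        session.dynamic_privs |= ATTRIBUTE_PRIVS.get(attr, set())
    session.static_privs |= STATIC_GRANTS.get(user, set())


def logout_vulnerable(session: Session) -> None:
    """Logic error: only attribute-derived privileges are cleared.

    The statically granted privileges survive in the same session object,
    so whoever next uses this browser still passes the access check.
    """
    session.user = None
    session.dynamic_privs.clear()


def logout_fixed(session: Session) -> Session:
    """Correct cleanup: discard every grant by replacing the session.

    A real application would also rotate the session identifier; here the
    fresh, empty Session stands in for that.
    """
    return Session()


def can_access(session: Session, path: str) -> bool:
    """Access check as the application would perform it on each request."""
    needed = PROTECTED[path]
    return needed in session.dynamic_privs or needed in session.static_privs


def demonstrate() -> dict:
    """Run both logout variants and report what remains accessible."""
    s = Session()
    login(s, "alice", {"staff"})
    logout_vulnerable(s)
    after_bug = {p: can_access(s, p) for p in PROTECTED}

    s2 = Session()
    login(s2, "alice", {"staff"})
    s2 = logout_fixed(s2)
    after_fix = {p: can_access(s2, p) for p in PROTECTED}
    return {"vulnerable": after_bug, "fixed": after_fix}


if __name__ == "__main__":
    print(demonstrate())
```

The point of the model is that the access check itself is correct; the bypass comes entirely from state that the cleanup step leaves behind. Any revocation routine that enumerates what to clear, rather than destroying the session wholesale, is exposed to the same class of omission.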
While no specific APT groups are directly linked to this CVE, the nature of the vulnerability makes it attractive for opportunistic attackers. This vulnerability could be leveraged by attackers with physical access to a target system. Not listed on CISA KEV.
Monitor web server logs for suspicious activity after a logout or session change, such as unauthorized access attempts to protected resources.
Analyze Drupal and Shibboleth module logs for errors or warnings related to session management and privilege assignment.
Implement monitoring for unusual user activity, especially after a logout or session change, such as access to sensitive data or administrative functions.
Review web server access logs for requests originating from the same IP address or user-agent string after a logout event.
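The log review described in the detection guidance can be automated. The following added example (not part of the CVE record) parses a few constructed Apache combined-format access log lines, records the time of the last logout per client (IP address plus User-Agent, the pairing the guidance suggests), and flags any later successful request from that client to a protected path within a window. The logout and login paths, the protected prefixes and the 30-minute window are assumptions; Drupal's /user/logout and /user/login are its conventional paths, and /Shibboleth.sso/ is the usual Shibboleth SP handler prefix, but all three are configurable.

```python
"""Flag successful requests to protected paths shortly after a logout.

Added example; the log lines, paths and window below are constructed.
"""
import re
from datetime import datetime, timedelta

LOGOUT_PATH = "/user/logout"                        # assumed
LOGIN_PATHS = ("/user/login", "/Shibboleth.sso/")   # assumed; a re-login resets the mark
PROTECTED_PREFIXES = ("/admin", "/node/add")        # assumed
WINDOW = timedelta(minutes=30)                      # assumed

# Apache "combined" log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one client logs out, then the same browser reaches
# protected paths a few minutes later; a different client and a much later
# request from the first client are included as negatives.
SAMPLE_LOG = """
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /node/1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:58:02 +0000] "GET /user/logout HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:14:01:15 +0000] "GET /admin/content HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:14:02:40 +0000] "GET /node/add HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:03:00 +0000] "GET /admin/content HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.10 - - [10/Oct/2023:15:30:00 +0000] "GET /admin/content HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_post_logout_access(log_text: str) -> list:
    """Return protected, successful requests made within WINDOW of a logout
    by the same (ip, user-agent) client, unless a login occurred in between."""
    logged_out = {}  # (ip, ua) -> timestamp of the last logout seen
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client = (rec["ip"], rec["ua"])
        path = rec["path"]
        if path.startswith(LOGOUT_PATH):
            logged_out[client] = rec["ts"]
            continue
        if path.startswith(LOGIN_PATHS):
            logged_out.pop(client, None)   # fresh authentication, not a reuse
            continue
        t0 = logged_out.get(client)
        if t0 is None:
            continue
        elapsed = rec["ts"] - t0
        # A 4xx here would mean revocation worked; only successes are suspicious.
        if elapsed <= WINDOW and path.startswith(PROTECTED_PREFIXES) and rec["status"] < 400:
            hits.append({
                "ip": rec["ip"],
                "ua": rec["ua"],
                "time": rec["ts"].isoformat(),
                "path": path,
                "status": rec["status"],
                "seconds_after_logout": int(elapsed.total_seconds()),
            })
    return hits


if __name__ == "__main__":
    for hit in find_post_logout_access(SAMPLE_LOG):
        print(hit)
```

Keying on IP plus User-Agent is a heuristic: clients behind shared NAT or proxies will collide, so where the Drupal session cookie or Shibboleth session identifier is available in the logs, correlate on that instead. The rule is most useful as a triage feed that is reviewed alongside the application's own authentication log.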
Upgrade the Shibboleth authentication module to a patched version (5.x-3.4 or later, or 6.x-3.2 or later).
Implement robust session management practices, including proper session invalidation and cleanup upon logout or session termination.
Configure the application to instruct the browser not to retain authenticated content after a logout or session change (for example by sending Cache-Control: no-store on authenticated pages and Clear-Site-Data on the logout response).
Enforce strong access controls and least privilege principles to limit the impact of a successful exploit.
Implement multi-factor authentication (MFA) to mitigate the risk of unauthorized access, even if the session is compromised.
Regularly review and audit user permissions to ensure they are appropriate and up-to-date.