CVE-2026-27128

Source: security-advisories@github.com

MEDIUM
6.9
Published: February 24, 2026 at 03:16 AM
Modified: February 24, 2026 at 03:16 AM

Vulnerability Description

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue.

CVSS Metrics

Base Score
6.9
Severity
MEDIUM
Vector String
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: security-advisories@github.com

AI Security Analysis

01 // Technical Summary

Craft CMS 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22 contain a Time-of-Check-Time-of-Use (TOCTOU) race condition in the token validation service (`getTokenRoute()`). An attacker who already holds a valid, unexpired limited-use token can redeem it more times than its usage limit allows by sending concurrent requests. When that token is a single-use user impersonation URL for an account with more permissions than the attacker's own, the result is privilege escalation inside the control panel. The CVSS vector (PR:H, AT:P, AC:H) encodes the preconditions: the attacker already operates from a privileged position and must obtain the token by other means; the race itself is the easy part.

02 // Vulnerability Mechanism

Step 1: Obtain an Impersonation URL: The attacker must first obtain a valid, unexpired impersonation URL whose token maps to a user account with more permissions than the attacker's own. The advisory does not describe how; the URL has to come from some other means, for example a link that was shared, logged, or intercepted, or a separate vulnerability. The token is not derived from a password, so password attacks do not help here.

Step 2: Account for Rate Limiting: Any rate limiting is deployment-specific (reverse proxy, WAF, or custom application rules). If one is in place, the attacker must keep the burst under its per-client threshold or spread it across several source addresses; if none is in place, nothing throttles the concurrent requests.

Step 3: Craft Concurrent Requests: The attacker crafts multiple HTTP requests, each containing the impersonation URL with the single-use token. The number of requests should be greater than the intended token usage limit.

Step 4: Send Requests Simultaneously: The attacker sends all crafted requests to the Craft CMS server concurrently, exploiting the TOCTOU race condition.

Step 5: Token Validation Bypass: Due to the race condition, multiple requests may pass the initial token usage check before the database is updated, allowing the attacker to impersonate the target user multiple times.

Step 6: Privilege Escalation: Each request that slipped through the check establishes a session as the target user, so the attacker obtains that user's control panel permissions; for an admin target, that means full administrative control of the site.

03 // Deep Technical Analysis

The vulnerability stems from a race condition in the token validation service. `getTokenRoute()` reads the token row, compares the usage count against the usage limit in application code, and only then issues a separate UPDATE to record the use. Nothing serializes these steps: N concurrent requests whose SELECTs all complete before the first UPDATE lands each see a count below the limit and each proceed, because the check and the write are not one indivisible unit. The standard fix is either a single conditional UPDATE (increment the count only where it is still below the limit) whose affected-row count decides whether the request proceeds, or a transaction that locks the row across check and write. The prerequisite of a valid, unexpired impersonation URL does not make the race worse; it limits exploitability, and is what the AC:H, AT:P and PR:H components of the vector encode.
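The following is an added, runnable model of the two patterns described above (Steps 3 to 5 of the mechanism and the "atomic operations" remediation item). It is not Craft's code or schema: the `tokens` table, the token value and the route name are constructed for illustration, and SQLite stands in for the site database. The vulnerable half performs the read, the application-side check and the write as separate statements and replays the interleaving in which every request's read lands before any write; the hardened half folds the check into a conditional UPDATE and uses the affected-row count as the decision.

```python
import sqlite3

TOKEN = "single-use-token"   # constructed token value, not a real one


def make_db():
    """Constructed minimal model of a limited-use token table.

    This is NOT Craft's schema or code; only the concept (a usage limit and a
    usage count per token row) is mirrored.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tokens ("
        " id INTEGER PRIMARY KEY,"
        " token TEXT NOT NULL UNIQUE,"
        " route TEXT NOT NULL,"
        " usageLimit INTEGER,"
        " usageCount INTEGER NOT NULL DEFAULT 0)"
    )
    conn.execute(
        "INSERT INTO tokens (token, route, usageLimit) VALUES (?, ?, ?)",
        (TOKEN, "users/impersonate-with-token", 1),   # route name is illustrative
    )
    conn.commit()
    return conn


def usage_count(conn, token):
    return conn.execute(
        "SELECT usageCount FROM tokens WHERE token = ?", (token,)
    ).fetchone()[0]


# ---- Vulnerable pattern: read, decide in application code, write later ----

def toctou_check(conn, token):
    """Time of check: read the row and decide in application logic."""
    row = conn.execute(
        "SELECT id, route, usageLimit, usageCount FROM tokens WHERE token = ?",
        (token,),
    ).fetchone()
    if row is None:
        return None
    token_id, route, limit, count = row
    if limit is not None and count >= limit:
        return None                      # exhausted: deny
    return token_id, route, count        # "within limits": allow


def toctou_use(conn, token_id, count_seen):
    """Time of use: a separate UPDATE derived from the earlier read."""
    conn.execute(
        "UPDATE tokens SET usageCount = ? WHERE id = ?", (count_seen + 1, token_id)
    )
    conn.commit()


def race_vulnerable(n_requests):
    """Model n concurrent requests whose SELECTs all complete before any UPDATE.

    Returns (requests granted, usageCount stored afterwards).
    """
    conn = make_db()
    checks = [toctou_check(conn, TOKEN) for _ in range(n_requests)]
    granted = [c for c in checks if c is not None]
    for token_id, _route, count_seen in granted:
        toctou_use(conn, token_id, count_seen)
    return len(granted), usage_count(conn, TOKEN)


# ---- Hardened pattern: check and increment in one conditional UPDATE ------

def atomic_consume(conn, token):
    """Consume one use; returns the route if this call won, else None.

    The predicate and the increment are one statement, so the database
    serializes them on the row: there is no window between check and use.
    """
    cur = conn.execute(
        "UPDATE tokens SET usageCount = usageCount + 1"
        " WHERE token = ? AND (usageLimit IS NULL OR usageCount < usageLimit)",
        (token,),
    )
    conn.commit()
    if cur.rowcount != 1:
        return None                      # exhausted or unknown: deny
    return conn.execute(
        "SELECT route FROM tokens WHERE token = ?", (token,)
    ).fetchone()[0]


def race_atomic(n_requests):
    """Same burst against the hardened version; only one request can win."""
    conn = make_db()
    results = [atomic_consume(conn, TOKEN) for _ in range(n_requests)]
    granted = [r for r in results if r is not None]
    return len(granted), usage_count(conn, TOKEN)


if __name__ == "__main__":
    print("vulnerable:", race_vulnerable(5))   # (5, 1): five grants, count says 1
    print("atomic:    ", race_atomic(5))       # (1, 1)
```

Two things worth noticing in the output. First, the vulnerable model grants all five requests against a limit of one. Second, because each racing write stores `count_seen + 1` computed from the same stale read, the stored count ends at 1, so the table alone would not reveal that the token was redeemed five times; whether a real deployment shows an over-limit count depends on how the increment is written. On MySQL or PostgreSQL the conditional UPDATE takes the row lock, which is what makes it safe under genuine concurrency; a `SELECT ... FOR UPDATE` inside a transaction is the equivalent alternative when the check needs more logic than one predicate.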

04 // Exploitation Status

Discovery Only. No public proof-of-concept (PoC) exploit is known at this time. The race itself is simple to trigger (a burst of concurrent requests carrying the same token), but the prerequisite of a valid, unexpired impersonation URL for a more privileged account is the real barrier, which is why the vector rates attack complexity high and lists attack requirements as present.

05 // Threat Intelligence

No specific APT groups or malware families are directly linked to this vulnerability at this time. However, the nature of the vulnerability (privilege escalation) makes it attractive to various threat actors. CISA KEV status: Not Listed

06 // Detection & Hunting

  • Monitor web server and application logs for repeated requests carrying the same token value (the `token` query parameter by default, or the `X-Craft-Token` header) within a short timeframe; a single-use token should legitimately be redeemed once.

  • Query the `tokens` table for limited-use tokens whose `usageCount` reached or exceeded `usageLimit`, and look in database audit or binary logs for several UPDATEs to the same token row within the same second. If the racing writes overwrite each other with the same value, the stored count can look normal, so correlate with access logs rather than relying on the table alone.

  • Add a WAF or IDS rule that counts requests per token value within a short window and flags bursts, rather than counting hits on one fixed endpoint; the token can be presented on any route.

  • Monitor for unauthorized access to privileged user accounts.

  • Review web server access logs for suspicious activity, such as multiple requests to the impersonation URL from different IP addresses or user agents.
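An added hunting script for the log-based items above; it is not part of the advisory or of Craft. It parses combined-format access log lines, keys on the `token` query parameter (Craft's default name, set by `tokenParam`), and flags any token value redeemed at least `threshold` times inside a sliding window. The log lines are constructed samples with documentation-range IPs and a made-up request path; only the parameter name is taken from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx combined log format. IPs are from
# documentation ranges, token values and the request path are made up; only
# the `token` parameter name reflects Craft's default.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Feb/2026:03:20:01 +0000] "GET /admin/users/impersonate-with-token?token=AAAA1111 HTTP/1.1" 302 0 "-" "curl/8.5.0"
203.0.113.10 - - [24/Feb/2026:03:20:01 +0000] "GET /admin/users/impersonate-with-token?token=AAAA1111 HTTP/1.1" 302 0 "-" "curl/8.5.0"
203.0.113.11 - - [24/Feb/2026:03:20:01 +0000] "GET /admin/users/impersonate-with-token?token=AAAA1111 HTTP/1.1" 302 0 "-" "curl/8.5.0"
203.0.113.12 - - [24/Feb/2026:03:20:02 +0000] "GET /admin/users/impersonate-with-token?token=AAAA1111 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Feb/2026:03:25:40 +0000] "GET /admin/users/impersonate-with-token?token=BBBB2222 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Feb/2026:03:25:41 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def parse_token_request(line):
    """Return a dict for a request that carries a token parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tokens = parse_qs(urlsplit(m["target"]).query).get("token")
    if not tokens:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "token": tokens[0],
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def find_token_bursts(log_text, window_seconds=2, threshold=2):
    """Flag token values seen `threshold` or more times inside a sliding window.

    For a single-use token even two requests in the window are suspicious;
    raise the threshold for tokens issued with a higher limit.
    """
    by_token = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_token_request(line)
        if ev:
            by_token[ev["token"]].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for token, events in by_token.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                burst = events[start:end + 1]
                best = {
                    "token": token[:4] + "...",   # do not copy the secret into alerts
                    "count": count,
                    "first_seen": burst[0]["ts"].isoformat(),
                    "ips": sorted({e["ip"] for e in burst}),
                    "user_agents": sorted({e["ua"] for e in burst}),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_token_bursts(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the script reports one burst: the `AAAA...` token hit four times within two seconds from three source addresses and two user agents, which is exactly the shape of a concurrent-redemption attempt spread across clients to dodge per-IP limits; the `BBBB...` token, redeemed once, is not flagged. Tokens sent in the `X-Craft-Token` header do not appear in a standard access log, so cover that path with application-level logging or a proxy that logs the header.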

07 // Remediation & Hardening

  • Upgrade to Craft CMS versions 4.16.19 or 5.8.23 or later, which include a patch for the vulnerability.

  • For custom or plugin code that issues its own limited-use tokens, make the usage check and the increment a single conditional UPDATE, or run both inside a transaction with row locking, and treat the affected-row count as the authorization decision rather than a value read earlier.

  • Enforce stricter rate-limiting rules to mitigate the impact of concurrent requests.

  • Regularly review and audit user permissions to minimize the impact of potential privilege escalation.

  • Implement multi-factor authentication (MFA) for all user accounts, especially those with elevated privileges.

  • Monitor and log all access attempts to sensitive resources and user accounts.

  • Conduct regular penetration testing and vulnerability assessments to identify and address security weaknesses.

08 // Affected Products

Craft CMS 4.5.0-RC1 through 4.16.18
Craft CMS 5.0.0-RC1 through 5.8.22