2020568 – (CVE-2021-42097) CVE-2021-42097 mailman: CSRF token bypass allows to perform CSRF attacks and account takeover

Bug 2020568 (CVE-2021-42097) - CVE-2021-42097 mailman: CSRF token bypass allows to perform CSRF attacks and account takeover

Summary: CVE-2021-42097 mailman: CSRF token bypass allows to perform CSRF attacks and ...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-42097
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2020569 2020688 2020689 2020690 2020691 2020692 2020693
Blocks:	2020570
TreeView+	depends on / blocked

Reported:	2021-11-05 10:07 UTC by Marian Rehak
Modified:	2021-12-02 16:21 UTC (History)
CC List:	6 users (show)
Fixed In Version:	mailman 2.1.35
Doc Type:	If docs needed, set a value
Doc Text:	A Cross-Site Request Forgery (CSRF) attack can be performed in mailman due to a CSRF token bypass. CSRF tokens are not checked against the right user and a token created by one user can be used by another one to perform a request, effectively bypassing the protection provided by CSRF tokens. A remote attacker with an account on the mailman system can use this flaw to perform a CSRF attack and perform operations on behalf of the victim user.
Clone Of:
Environment:
Last Closed:	2021-11-24 09:08:41 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:4826	None	None	None	2021-11-23 20:34:34 UTC
Red Hat Product Errata	RHSA-2021:4837	None	None	None	2021-11-24 08:32:43 UTC
Red Hat Product Errata	RHSA-2021:4838	None	None	None	2021-11-24 08:30:11 UTC
Red Hat Product Errata	RHSA-2021:4839	None	None	None	2021-11-24 08:36:42 UTC
Red Hat Product Errata	RHSA-2021:4913	None	None	None	2021-12-02 16:21:31 UTC

Description Marian Rehak 2021-11-05 10:07:47 UTC

A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).

External Reference:

http://www.openwall.com/lists/oss-security/2021/10/21/4

Comment 1 Marian Rehak 2021-11-05 10:08:06 UTC

Created mailman tracking bugs for this issue:

Affects: fedora-all [bug 2020569]

Comment 2 Riccardo Schirone 2021-11-05 11:14:13 UTC

Upstream patch:
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1873

Comment 3 Riccardo Schirone 2021-11-05 15:04:46 UTC

CSRF tokens generated for one user may be used to perform operations on another user, defeating the purpose of the CSRF token itself considering that an attacker can craft a CSRF token for a fake account and use that to perform the operation while the victim user is connected to the mailman list.

The checking function, csrf_check(), checks whether the token is valid but it validates the data with the secret of the user found in the token itself, which could be different from the user that performed the request. A Cross-Site Request Forgery (CSRF) attack can be performed by using such CSRF token.

This attack can be used to perform operations on behalf of the victim user or even take over his account.

Comment 4 Riccardo Schirone 2021-11-05 15:08:18 UTC

Privileged Required set to Low (PR:L) because an attacker needs to have a valid account on the mailman system in order for the CSRF token to be considered valid, even if for the wrong user.

Comment 7 Riccardo Schirone 2021-11-12 09:47:23 UTC

Although the version of mailman shipped in RHEL7 does not support CSRF tokens for user pages, it does use them for the admin operations (e.g. changing the password of the site admin). An attacker could perform a CSRF attack on a victim admin by using a user-based CSRF token to take control of the admin mailman user.

Comment 8 errata-xmlrpc 2021-11-23 20:34:32 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4826 https://access.redhat.com/errata/RHSA-2021:4826

Comment 9 errata-xmlrpc 2021-11-24 08:30:10 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:4838 https://access.redhat.com/errata/RHSA-2021:4838

Comment 10 errata-xmlrpc 2021-11-24 08:32:41 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:4837 https://access.redhat.com/errata/RHSA-2021:4837

Comment 11 errata-xmlrpc 2021-11-24 08:36:40 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2021:4839 https://access.redhat.com/errata/RHSA-2021:4839

Comment 12 Product Security DevOps Team 2021-11-24 09:08:39 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-42097

Comment 13 errata-xmlrpc 2021-12-02 16:21:30 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:4913 https://access.redhat.com/errata/RHSA-2021:4913

Note You need to log in before you can comment on or make changes to this bug.