oivoodoo / devise_masquerade

Extension for Devise that enables "login as" functionality. Add a link to masquerade_path(resource) and use it.

CVE-2021-28680: One layer of security is lost when using devise_masquerade under certain circumstances in versions before 1.3

This is a security vulnerability that has been subject to a 90-day disclosure deadline and has been fixed in the v1.3.1 release of devise_masquerade. I'm creating this issue for traceability inside the GitHub project and to be able to refer to it from the CVE. Ideally a security advisory should be created.

If the secret_key_base variable is somehow leaked, an attacker can become any user by misusing the "masquerade back" functionality of this Devise extension, something that is not possible in plain Devise since the attacker must know the victim's password salt to form a valid session cookie to encrypt and sign using secret_key_base.

From the description of CVE-2021-28680:

The devise_masquerade gem before 1.3 allows certain attacks when a password's salt is unknown. An application that uses this gem to let administrators masquerade/impersonate users loses one layer of security protection compared to a situation where Devise (without this extension) is used. If the server-side secret_key_base value became publicly known (for instance if it is committed to a public repository by mistake), there are still other protections in place that prevent an attacker from impersonating any user on the site. When masquerading is not used in a plain Devise application, one must know the password salt of the target user if one wants to encrypt and sign a valid session cookie. When devise_masquerade is used, however, an attacker can decide which user the "back" action will go back to without knowing that user's password salt and simply knowing the user ID, by manipulating the session cookie and pretending that a user is already masqueraded by an administrator.

By adding and setting the dictionary key devise_masquerade_user to the user ID of the admin victim in the session cookie JSON/Marshal object, an attacker can fake that an impersonation has occurred and then use the "masquerade back" functionality to become the victim.

Fixed by pull request #76.
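As an added illustration of the weakness this issue describes (not code from devise_masquerade or from its fix in PR #76), the Ruby sketch below contrasts a "back" action that trusts the session's devise_masquerade_user value as-is with one that only honours a random token resolved against a server-side record created when the masquerade actually started. The class name MasqueradeSession, the in-memory store standing in for Rails.cache, and the masquerade_token session key are hypothetical names assumed for the example.

```ruby
require "securerandom"

# Constructed stand-in for the masquerade logic of a Devise-based app.
# The session argument is a plain Hash playing the role of the decrypted
# session cookie; @store plays the role of a server-side cache.
class MasqueradeSession
  SESSION_KEY = :devise_masquerade_user   # key named in the CVE description
  TOKEN_KEY   = :masquerade_token         # hypothetical hardened replacement

  def initialize(store = {})
    @store = store   # server-side: token => { admin_id:, target_id: }
  end

  # Vulnerable pattern: the admin id to "go back" to is read straight from
  # the session, so anyone able to produce a valid session cookie (e.g. with
  # a leaked secret_key_base) chooses who the back action signs in as.
  def back_user_id_vulnerable(session)
    session[SESSION_KEY]
  end

  # Hardened pattern: when a real masquerade starts, record the admin/target
  # pair server-side under a random token and put only the token in the
  # session. A forged cookie cannot mint a matching server-side record.
  def start_masquerade(session, admin_id:, target_id:)
    token = SecureRandom.hex(16)
    @store[token] = { admin_id: admin_id, target_id: target_id }
    session[TOKEN_KEY] = token
    token
  end

  # "Back" succeeds only if the token resolves to a record and the currently
  # signed-in user is the recorded target; the record is consumed on use.
  def back_user_id_hardened(session, current_user_id:)
    token  = session[TOKEN_KEY]
    record = @store[token]
    return nil unless record && record[:target_id] == current_user_id
    @store.delete(token)
    record[:admin_id]
  end
end
```

With the hardened check, a session that merely claims devise_masquerade_user = 1 (or carries a made-up token) yields no admin to return to, while a session produced by start_masquerade does, exactly once.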