ID

VAR-202110-0542


CVE

CVE-2021-41100


TITLE

Wire-server Session deadline vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-012576

DESCRIPTION

Wire-server is the backing server for the open source Wire secure messaging application. In affected versions it is possible to trigger an email address change of a user with only the short-lived session token in the `Authorization` header. As the short-lived token is only meant as a means of authentication by the client for less critical requests to the backend, the ability to change the email address with a short-lived token constitutes a privilege escalation attack. Since the attacker can change the password after setting the email address to one that they control, changing the email address can result in an account takeover by the attacker.

Short-lived tokens can be requested from the backend by Wire clients using the long-lived tokens, after which the long-lived tokens can be stored securely, for example on the device's key chain. The short-lived tokens can then be used to authenticate the client towards the backend for frequently performed actions such as sending and receiving messages. While short-lived tokens should not be available to an attacker per se, they are used more often and in the shape of an HTTP header, increasing the risk of exposure to an attacker relative to the long-lived tokens, which are stored and transmitted in cookies.

If you are running an on-prem instance and provision all users with SCIM, you are not affected by this issue (changing email is blocked for SCIM users). SAML single-sign-on is unaffected by this issue, and behaves identically before and after this update. The reason is that the email address used as SAML NameID is stored in a different location in the database from the one used to contact the user outside Wire. Version 2021-08-16 and later provide a new end-point that requires both the long-lived client cookie and `Authorization` header. The old end-point has been removed.

If you are running an on-prem instance with at least some of the users invited or provisioned via SAML SSO and you cannot update, then you can block `/self/email` on nginz (or in any other proxies or firewalls you may have set up). You don't need to discriminate by verb: `/self/email` only accepts `PUT` and `DELETE`, and `DELETE` is almost never used.

Wire-server contains a session expiration vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).

Trust: 2.16

sources: NVD: CVE-2021-41100 // JVNDB: JVNDB-2021-012576 // CNVD: CNVD-2022-23510

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-23510

AFFECTED PRODUCTS

vendor: wire, model: wire-server, scope: lt, version: 2021-08-16

Trust: 1.6

vendor: wire swiss, model: wire-server, scope: eq, version: 2021/08/16

Trust: 0.8

vendor: wire swiss, model: wire-server, scope: eq, version: -

Trust: 0.8

sources: CNVD: CNVD-2022-23510 // JVNDB: JVNDB-2021-012576 // NVD: CVE-2021-41100

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-41100
value: CRITICAL

Trust: 1.0

security-advisories@github.com: CVE-2021-41100
value: HIGH

Trust: 1.0

NVD: CVE-2021-41100
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2022-23510
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202110-187
value: CRITICAL

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2021-41100
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2022-23510
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2021-41100
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

security-advisories@github.com: CVE-2021-41100
baseSeverity: HIGH
baseScore: 7.4
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: CVE-2021-41100
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-23510 // JVNDB: JVNDB-2021-012576 // CNNVD: CNNVD-202110-187 // NVD: CVE-2021-41100 // NVD: CVE-2021-41100

PROBLEMTYPE DATA

problemtype: CWE-285

Trust: 1.0

problemtype: CWE-613

Trust: 1.0

problemtype: Inappropriate session deadline (CWE-613) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-012576 // NVD: CVE-2021-41100

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-187

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202110-187

PATCH

title: Account takeover when having only access to a user's short lived token, url: https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m

Trust: 0.8

title: Patch for Wire-server code problem vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/328206

Trust: 0.6

title: Wire Fixes for code issue vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=165578

Trust: 0.6

sources: CNVD: CNVD-2022-23510 // JVNDB: JVNDB-2021-012576 // CNNVD: CNNVD-202110-187

EXTERNAL IDS

db: NVD, id: CVE-2021-41100

Trust: 3.8

db: JVNDB, id: JVNDB-2021-012576

Trust: 0.8

db: CNVD, id: CNVD-2022-23510

Trust: 0.6

db: CNNVD, id: CNNVD-202110-187

Trust: 0.6

sources: CNVD: CNVD-2022-23510 // JVNDB: JVNDB-2021-012576 // CNNVD: CNNVD-202110-187 // NVD: CVE-2021-41100

REFERENCES

url: https://nvd.nist.gov/vuln/detail/cve-2021-41100

Trust: 2.0

url: https://github.com/wireapp/wire-server/security/advisories/ghsa-9rm2-w6pq-333m

Trust: 1.6

sources: CNVD: CNVD-2022-23510 // JVNDB: JVNDB-2021-012576 // CNNVD: CNNVD-202110-187 // NVD: CVE-2021-41100

SOURCES

db: CNVD, id: CNVD-2022-23510
db: JVNDB, id: JVNDB-2021-012576
db: CNNVD, id: CNNVD-202110-187
db: NVD, id: CVE-2021-41100

LAST UPDATE DATE

2024-11-23T23:07:36.090000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2022-23510, date: 2022-03-29T00:00:00
db: JVNDB, id: JVNDB-2021-012576, date: 2022-09-02T04:55:00
db: CNNVD, id: CNNVD-202110-187, date: 2021-10-13T00:00:00
db: NVD, id: CVE-2021-41100, date: 2024-11-21T06:25:28.137

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2022-23510, date: 2022-03-29T00:00:00
db: JVNDB, id: JVNDB-2021-012576, date: 2022-09-02T00:00:00
db: CNNVD, id: CNNVD-202110-187, date: 2021-10-04T00:00:00
db: NVD, id: CVE-2021-41100, date: 2021-10-04T19:15:08.510