Skip to content

Expired tokens can be renewed without validating the account password

High severity GitHub Reviewed Published Dec 19, 2023 in simonrob/email-oauth2-proxy • Updated Dec 20, 2023

Package

pip emailproxy (pip)

Affected versions

<= 2023.11.18

Patched versions

2023.12.19

Description

Impact

In versions of the proxy from 2022-09-05 onwards (since 8c874c2ff3d503ac20c7d32f46e08547fcb9e23f), expired OAuth 2.0 client credentials grant (CCG) flow authorisation tokens could be renewed automatically without checking their validity against the original account configuration (i.e., the password that was set up when first creating an account in the proxy).

An attacker with knowledge of valid account addresses and careful timing (specifically, attempting to log in during a period from 10 minutes prior to the token expiry time, but before a genuine login request is received) could use this issue to gain access to an account.

This issue is only a security concern if you use the proxy with the CCG flow and no additional account secret encryption (see below). If this is the case, it is particularly important to update if you use the proxy in a publicly-accessible setting (i.e., it is available from the internet or across a network). To fix the issue you should switch to version 2023-12-19 or later of the proxy immediately.

If you use this flow, but have also set encrypt_client_secret_on_first_use = True and removed the original client_secret value from the proxy's configuration file then this issue is not a concern.

For all other use-cases (e.g., a normal interactive account authentication, or the ROPCG flow), this issue is also not a concern. However, it is always recommended as best practice to keep the proxy up-to-date.

Patches

Email OAuth 2.0 Proxy version 2023-12-19 (commit eaaa1a2e7a132bf0958dd2f99a749ad98e3212aa) fixes this issue.

Issue details

Because it was originally designed for use as an interactive, local-only service on a single device, the proxy automatically resets account access tokens if incorrect IMAP/POP/SMTP login details are provided. For public-facing deployments, the delete_account_token_on_password_error option is provided, and can be set to False to disable this behaviour, which would normally be only a nuisance, rather than a security risk.

Regardless of this option's value, the proxy encrypts locally-stored tokens, and requires interactive re-authentication (or, with the resource owner password credentials grant (ROPCG) flow, the correct remote account password) to renew tokens if they expire or are reset. The proxy's token retrieval implementation was created with this interactive process in mind.

The CCG flow is an administrator-level method that grants broad access without user knowledge or consent – no user interaction (or remote account password) is ever required. From 8c874c2ff3d503ac20c7d32f46e08547fcb9e23f until the fix in eaaa1a2e7a132bf0958dd2f99a749ad98e3212aa, when CCG tokens neared their expiry date (or had already expired), and the original unencrypted client_secret value was available they were automatically reset, renewed and encrypted with the given login password, but without checking whether that password was actually able to decrypt the existing token.

Detecting unauthorised access

If you do not use the OAuth 2.0 CCG flow (which is currently only known to be supported by O365), unauthorised account access was not possible.1 Attempts to exploit this flaw will be revealed in the same way as any other malicious access: an unexpected reauthorisation prompt from the proxy when trying to log in with the legitimate account details.

When using the CCG flow, if you have set delete_account_token_on_password_error = False, unauthorised access will be revealed by the presence of an unexpected login failure from the proxy when attempting to log in with the correct password.

It you have not set this value, it is not possible to detect unauthorised access in O365 CCG mode except via AAD/Entra or other external logs. However, it is also worth reiterating that the CCG flow should never be used in a publicly-accessible context due to the significant and potentially dangerous account control it provides.

References

Footnotes

  1. If you are using a provider that does not provide an OAuth 2.0 refresh token (or have configured your account's scope so that this is not present), it is possible to trigger the line of code that caused this issue, but there is no way to use it for account access because interactive authentication is still required.

@simonrob simonrob published to simonrob/email-oauth2-proxy Dec 19, 2023
Published to the GitHub Advisory Database Dec 19, 2023
Reviewed Dec 19, 2023
Last updated Dec 20, 2023

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-9wgg-m99q-hhfc
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.