CVE-2021-41527: Flexera — Multi Factor Authentication (MFA) Bypass

Description

Flexera’s RISC Platform was vulnerable to MFA/2FA bypass. Flexera was notified, and has applied an official fix for this vulnerability.

The application performed client-side checks to verify whether MFA setup had been completed. By tampering with a hidden input parameter, an attacker could signal to subsequent requests that MFA had already been set up. The application then set the secondary authentication token to a value of “none”, rather than a valid email address or phone number. An attacker could then submit an empty token as the second factor and be fully authenticated to the portal.

Note: although this vulnerability was proven to be exploitable, it likely required an invited user who had not yet logged in.

Severity

CVSS v3.1 Vector (Medium): AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C

Attack Chain — MFA Bypass

The following figures show the MFA bypass. The first shows that mfa_confirmed is a hidden input in the login form.

RISK Networks Login — Hidden Inputs

When a user successfully authenticates without MFA configured, they are prompted to set up MFA:

MFA Setup

To avoid this workflow, an attacker can bypass the client-side controls using a proxy or other means. The following figure shows using Burp > Proxy > Options > Match and Replace to set mfa_confirmed to 1 (or true).

Burp Proxy — Match and Replace

When the page is accessed again, the authcode is set to “none”, and entering a blank authorization code bypasses MFA. This can be seen in the following two figures:

MFA None
MFA Bypassed / Authenticated
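As an added illustration (not Flexera’s code and not from the original post), here is a minimal server-side model of the flaw described above, in which a client-supplied mfa_confirmed flag selects the token destination and a blank code then matches, beside a hardened version that reads MFA state only from the server’s own user record and rejects an empty second factor. The user records, the fixed code value and all function names are constructed for the example.

```python
import hmac

# Constructed sample records: mfa_destination is the enrolled email/phone,
# None for an invited user who never completed MFA setup.
USERS = {
    "invited@example.test": {"mfa_destination": None},
    "enrolled@example.test": {"mfa_destination": "+1-555-0100"},
}
PENDING_CODES = {}  # server-side store of the code issued for the current login


def issue_code(user, destination):
    """Stand-in for sending a one-time code to the enrolled destination.
    A 'none' destination means nothing is sent, so the stored code is empty."""
    code = "" if destination == "none" else "482913"  # fixed value for a deterministic demo
    PENDING_CODES[user] = code
    return code


def vulnerable_second_factor(user, form):
    """Mirrors the flaw: the hidden mfa_confirmed field decides whether setup is
    done, an unenrolled user gets the destination 'none', and a blank authcode
    then compares equal to the blank stored code."""
    if form.get("mfa_confirmed") not in ("1", "true"):
        return "setup_required"
    destination = USERS[user]["mfa_destination"] or "none"
    issue_code(user, destination)
    return form.get("authcode", "") == PENDING_CODES[user]


def hardened_second_factor(user, form):
    """MFA state is read only from the server-side record, the client flag is
    ignored, and an empty submitted or stored code can never verify."""
    destination = USERS[user]["mfa_destination"]
    if not destination:
        return "setup_required"
    issued = issue_code(user, destination)
    submitted = form.get("authcode", "")
    if not submitted or not issued:
        return False
    return hmac.compare_digest(submitted, issued)
```

The hardened path also treats an absent stored code as a failure rather than a match, which is the second half of the fix: the bypass needed both the client-controlled flag and an empty-equals-empty comparison.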


Robert Gilbert is an Information Security professional that specializes in Offensive Security, and has over 20 years experience in Information Systems.
