CVE-2021- 41527: Flexera — Multi Factor Authentication (MFA) Bypass

Robert Gilbert
2 min readApr 28, 2022

--

Description

Flexera’s RISC Platform was vulnerable to MFA/2FA bypass. Flexera was notified, and has applied an official fix for this vulnerability.

The application performed client-side checks to verify if MFA setup was completed. By tampering with a hidden input parameter, an attacker could signal to future requests that MFA has already been setup. The application then set the secondary authentication token to a value of “none”, rather than a valid email address or phone number. An attacker could then submit an empty token as a second factor login, and be fully authenticated to the portal.

Note, although this vulnerability was proven to be exploitable, it likely required an invited user that has not yet previously logged in.

Severity

CVSS v3.1 Vector (Medium): AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C

Attack Chain — MFA Bypass

The following shows bypassing MFA. The first figure shows that mfa_confirmed is a hidden input in the login form.

RISK Networks Login — Hidden Inputs

When a user successfully authenticates without MFA configured, they are prompted to setup MFA:

MAF Setup

To avoid this workflow, an attacker can bypass the client-side controls using a proxy or other means. The following figure shows using Burp> Proxy > Options > Match and Replace. To set mfa_confirmed to 1 (or true).

Burp Proxy — Match and Replace

When the page is accessed again, the authcode is set “none”, and entering a blank authorization code bypasses MFA. This can be seen in the following two figures:

MFA None
MFA Bypassed / Authenticated

--

--

Robert Gilbert
Robert Gilbert

Written by Robert Gilbert

Robert Gilbert is an AppSec Engineer at Amazon AWS with over 15 years experience in Offensive Security, & over 20 years experience in Information Systems. OAMO

No responses yet