CVE-2021- 41527: Flexera — Multi Factor Authentication (MFA) Bypass
Description
Flexera’s RISC Platform was vulnerable to MFA/2FA bypass. Flexera was notified, and has applied an official fix for this vulnerability.
The application performed client-side checks to verify if MFA setup was completed. By tampering with a hidden input parameter, an attacker could signal to future requests that MFA has already been setup. The application then set the secondary authentication token to a value of “none”, rather than a valid email address or phone number. An attacker could then submit an empty token as a second factor login, and be fully authenticated to the portal.
Note, although this vulnerability was proven to be exploitable, it likely required an invited user that has not yet previously logged in.
Severity
Attack Chain — MFA Bypass
The following shows bypassing MFA. The first figure shows that mfa_confirmed is a hidden input in the login form.
When a user successfully authenticates without MFA configured, they are prompted to setup MFA:
To avoid this workflow, an attacker can bypass the client-side controls using a proxy or other means. The following figure shows using Burp> Proxy > Options > Match and Replace. To set mfa_confirmed to 1 (or true).
When the page is accessed again, the authcode is set “none”, and entering a blank authorization code bypasses MFA. This can be seen in the following two figures:
References
Common Vulnerability Scoring System Calculator:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C&version=3.1
PortSwigger — Burp: https://portswigger.net/burp/documentation/desktop/tools/proxy
Flexera’s RISC Platform Advisory: https://community.flexera.com/t5/Foundation-CloudScape-Release/RISC-Platform-Security-Related-Fixes/ba-p/224887