8.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-17107

GHSA ID

GHSA-42r6-p4px-qvv6

EPSS Score

0.65865%

CWE

Published

6/12/2023

Updated

6/12/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-17107

CVE-2018-17107:
tgstation-server cached user logins in legacy server

Please note this advisory is for a historical preexisting issue in the legacy server from 2018. It has long since been triaged. It is being moved here for visibility. The text below is copied from the original issue #690

You can login to the server with any username/password combination if someone else is logged in

An explanation of the bug: Back in 3.2.1.0, in order to accommodate running the Control Panel using Mono some hooks were added to the WCF communication layer. Detailed in this commit: https://github.com/tgstation/tgstation-server/commit/2894ea03d708c7f16bab47ba5020c2ad4c3d5554#diff-0ba090ea7073a3a304dfdbdfc512f733

The bug was in this line: https://github.com/tgstation/tgstation-server/commit/2894ea03d708c7f16bab47ba5020c2ad4c3d5554#diff-0ba090ea7073a3a304dfdbdfc512f733R48 authPolicy is passed in by the framework but the documentation for what the parameter is is virtually non-existent: https://docs.microsoft.com/en-us/dotnet/api/system.servicemodel.serviceauthenticationmanager.authenticate?view=netframework-4.7.2#System_ServiceModel_ServiceAuthenticationManager_Authenticate_System_Collections_ObjectModel_ReadOnlyCollection_System_IdentityModel_Policy_IAuthorizationPolicy__System_Uri_System_ServiceModel_Channels_Message__

Turns out it is a cache of what the previously returned policy was, as Floyd thankfully found out for us. The security patch fixes the issue by creating a new empty list as the return value when password authentication fails as opposed to using the authPolicy parameter.

If you're wondering why this line: https://github.com/tgstation/tgstation-server/commit/2894ea03d708c7f16bab47ba5020c2ad4c3d5554#diff-0ba090ea7073a3a304dfdbdfc512f733R42 didn't prevent the issue. It only invalidated the actual Windows login session, but in the eyes of the server the user was still valid since we just passed that closed handle as a return result. Had access to static files been attempted with a bad login, the request would end up erroring due to trying to impersonate using a closed user token handle.

This has been fixed in 1812a9c6793c8516c138a105ccfb2108164f0eff and versions 3.2.5.0+

(GitHub Advisory)

8.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-17107

GHSA ID

GHSA-42r6-p4px-qvv6

EPSS Score

0.65865%

CWE

Published

6/12/2023

Updated

6/12/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
TGServiceInterface	nuget	>= 3.2.1.0, <= 3.2.4.0	3.2.5.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper handling of failed authentication attempts in the WCF communication layer. The critical line in AuthenticationHeaderDecoder.cs returned the existing authPolicy collection (containing cached credentials) instead of a new empty collection when authentication failed. This was explicitly fixed in commit 1812a9c by replacing 'return authPolicy' with 'return new ReadOnlyCollection<IAuthorizationPolicy>(new List<IAuthorizationPolicy>())' to prevent credential reuse. The vulnerability description directly attributes the issue to this cached policy handling during failed logins.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Pl**s* not* t*is **visory is *or * *istori**l pr**xistin* issu* in t** l****y s*rv*r *rom ****. It **s lon* sin** ***n tri****. It is **in* mov** **r* *or visi*ility. T** t*xt **low is *opi** *rom t** ori*in*l issu* #*** # You **n lo*in to t** s*rv*

Reasoning

T** vuln*r**ility st*mm** *rom improp*r **n*lin* o* **il** *ut**nti**tion *tt*mpts in t** W** *ommuni**tion l*y*r. T** *riti**l lin* in `*ut**nti**tion*****r***o**r.*s` r*turn** t** *xistin* *ut*Poli*y *oll**tion (*ont*inin* ****** *r***nti*ls) inst*

8.4

Basic Information

Concerned about an active attack path?

CVE-2018-17107: tgstation-server cached user logins in legacy server

You can login to the server with any username/password combination if someone else is logged in

8.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2018-17107:
tgstation-server cached user logins in legacy server

Vulnerability Intelligence
Miggo AI