CVE-2021-32753 : Security Advisory and Response
Learn about CVE-2021-32753, a high-severity vulnerability in EdgeX Foundry Edinburgh, Fuji, Geneva, and Hanoi releases. Understand the impact, technical details, and mitigation strategies.
This article delves into the details of CVE-2021-32753, a vulnerability in EdgeX Foundry affecting Edinburgh, Fuji, Geneva, and Hanoi releases, allowing remote attackers to obtain authentication tokens via a dictionary-based password attack.
Understanding CVE-2021-32753
This section provides insights into the nature of the vulnerability, its impact, technical details, and mitigation strategies.
What is CVE-2021-32753?
CVE-2021-32753 refers to a weak password vulnerability in the EdgeX Foundry software, specifically in the Edinburgh, Fuji, Geneva, and Hanoi releases. The vulnerability arises when the OAuth2 authentication method is enabled in the EdgeX API gateway.
The Impact of CVE-2021-32753
The vulnerability poses a high-severity risk, allowing remote network attackers to obtain an OAuth2 authentication token via a dictionary-based password attack. This enables unauthorized access to EdgeX microservices from untrusted networks, compromising system integrity and confidentiality.
Technical Details of CVE-2021-32753
This section outlines key technical aspects of the CVE, including vulnerability description, affected systems and versions, and the exploitation mechanism.
Vulnerability Description
The vulnerability arises due to a misconfiguration in the OAuth2 authentication setup of the EdgeX API gateway. When a proxy user is created, the client_id and client_secret for OAuth2 authentication are incorrectly set, enabling attackers to exploit this flaw.
Affected Systems and Versions
EdgeX Foundry versions impacted include Edinburgh, Fuji, Geneva, and Hanoi releases. Users utilizing the OAuth2 authentication method in these versions are at risk.
Exploitation Mechanism
Remote attackers can perform dictionary-based password attacks on the OAuth2 token endpoint of the API gateway to obtain authentication tokens. Subsequently, attackers can make authenticated calls to EdgeX microservices, bypassing security measures.
Mitigation and Prevention
This section provides guidance on immediate steps to take to secure systems, along with long-term security practices and the importance of patching and updates.
Immediate Steps to Take
To mitigate the vulnerability, users are advised to upgrade to the EdgeX Ireland release, where the OAuth2 authentication method is disabled. Alternatively, users can create OAuth2 users directly using the Kong admin API if unable to upgrade.
Long-Term Security Practices
In the long term, it is essential to follow secure authentication practices, implement strong password policies, and regularly review and update security configurations to prevent similar vulnerabilities.
Patching and Updates
Regularly applying security patches and updates is crucial to address known vulnerabilities and enhance the overall security posture of the EdgeX Foundry software.