Security Advisories and other security content are provided on an "as is" basis and do not imply any kind of guarantee or warranty. Your use of the information in these publications or linked material is at your own risk. Inrupt reserves the right to change or update this content without notice at any time.
|February 04, 2021||NRPT-2021-001||Pod takeover from WebID impersonation|
|August 24, 2020||NRPT-2020-002||NSS Secret Key Disclosure|
|May 15, 2020||NRPT-2020-001||Authentication Token Capture-Replay|
Published: 2021 February 04 18:30 GMT
Last Update: 2021 February 04 18:30 GMT
Any user Pod on an NSS server (versions <= 5.3.1) can be taken over from the network by any other user if they create a new account on that same NSS, due to a flaw in the ‘bring your own WedID’ feature.
When a user registers a new account using the Advanced External WebId feature, an NSS server accepts any WebID with a solid:oidcIssuer in the associated profile document pointing to that same server.
A malicious user on any NSS service can take a WebID that already has a solid:oidcIssuer value pointing to that NSS service and create a new account in the “bring your own WebId” feature to target an existing WebID, and therefore take over access to a Pod owned by a targeted WebID.
Update NSS to remove the ‘bring your own WebId’ feature. This update is available in version 5.6.3.
Inrupt would like to thank Stijn Taelemans from Digita for reporting this vulnerability.
August 24, 2020 NRPT-2020-002: NSS Secret Key Disclosure
Published: 2020 Aug 24 15:20 GMT
Last Update: 2020 Aug 24 15:20 GMT
A secret key of the Node Solid Server (NSS) was exposed in a public configuration file, where it could be used to impersonate the server and access, modify or delete user data. After the server is patched, to rotate and protect its key, all users should rotate their passwords.
An Inrupt security review found the NSS secret key exposed to the public in an OIDC configuration file (CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere).
Any person on the Internet who viewed the NSS public OIDC configuration file could use the secret key material to impersonate the NSS server to issue tokens for user data with full read, modify or delete permissions.
The vulnerable version of NSS exposing the key material was published June 16th, 2020. A security review August 22, 2020 found the key, a patch was written August 23 and a new version of NSS was tested and upgraded August 24 with the release of this advisory.
The vulnerability affects NSS versions 5.3.0 or later. Inrupt Enterprise Solid Server is not affected.
Server patch for NSS
- Requires Node.js version 10 or greater
- Upgrade to version 5.5.1 released August 24, 2020 or a later version (https://github.com/solid/node-solid-server and https://www.npmjs.com/package/solid-server)
- Delete server file to force key rotation: provider.json
- Restart the server
User password reset
Everyone with a user account on NSS (i.e. anyone who has a Pod) should reset their password after the server has been upgraded to version 5.5.1 (https://inrupt.net/account/password/reset). It is a good safety practice to always maintain unique passwords between different accounts.
May 15, 2020 NRPT-2020-001: Authentication Token Capture-Replay
Published: 2020 May 15 16:00 GMT
Last Update: 2020 May 15 16:00 GMT
Resources that otherwise would not be accessible without proper authentication can be accessed by capturing and replaying a valid token.
A weakness was reported in the Solid Authentication Specification, requiring a change to the Solid authentication token. The current token, if captured, can be replayed (CWE-294: Authentication Bypass by Capture-replay).
The authentication panel put forward a proposal, which was approved after review and the Authentication Specification has been updated. The change brings a new safer token for the specification to address security concerns.
The following steps have been taken to help developers migrate ASAP to the safer token:
- A new client library named solid-auth-fetcher has been released to support the new token structure.
- A new version of an existing client library, named solid-auth-client 2.0, is available now to provide support for code delayed in migration to the safer token.
- Node Solid Server (NSS) has been updated to support the new safer token. NSS will maintain support for the existing token until further notice.
Inrupt.net will be upgraded to the latest version of NSS with its support for the new safer token, on the week of 05/25/2020.
Inrupt would like to thank Justin Richer, Bespoke Engineering for reporting this vulnerability.