Hard-Coded Key Used For Remember-me Token in Opencast

Impact

The security configuration in etc/security/mh_default_org.xml enables a remember-me cookie based on a hash created from the username, password, and an additional system key. Opencast has hard-coded this system key in the large XML file and never mentions to change this, basically ensuring that all systems use the same key:

<sec:remember-me key="opencast" user-service-ref="userDetailsService" />

This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. For example, a remember-me token obtained from develop.opencast.org can be used on stable.opencast.org without actually knowing the log-in credentials.

Such an attack will usually not work on different installations – assuming that safe, unique passwords are used – but it is basically guaranteed to work to get access to all machines of one cluster if a token from one machine is compromised.

Patches

This problem is fixed in Opencast 7.6 and Opencast 8.1

Workarounds

We strongly recommend updating to the patched version. Still, as a workaround for older versions, in etc/security/mh_default_org.xml, set a custom key for each server:

<sec:remember-me key="CUSTOM_RANDOM_KEY" user-service-ref="userDetailsService" />

References

• Relevant lines in the security configuration
• Spring Security Remember-Me Authentication Documentation

For more information

If you have any questions or comments about this advisory:

• Open an issue in opencast/opencast
• For security-relevant information, email us at [email protected]

Thanks

Thanks to @LukasKalbertodt for reporting the issue.