German BSI Assesses Security Vulnerabilities in Vaultwarden
Quick take - In June 2024, the German Federal Office for Information Security (BSI) assessed the open-source password manager Vaultwarden and identified significant vulnerabilities in its authentication processes. These were subsequently addressed through a series of fixes. The assessment also emphasized the importance of a second factor of authentication and of transparency in vulnerability disclosure.
Fast Facts
- In June 2024, the German Federal Office for Information Security (BSI) assessed Vaultwarden, an open-source password manager, revealing significant vulnerabilities in its authentication processes.
- Key issues included an unauthenticated login endpoint and an overly complex password login function that allowed attackers to impersonate other users.
- Initial fixes were implemented but were insufficient, leading to further corrections that required authentication requests to belong to the user attempting to log in.
- Two additional vulnerabilities were identified: an email HTML injection and a self cross-site scripting (self-XSS) vulnerability, both of which posed some risk but were partly mitigated.
- The Vaultwarden team was commended for their quick response, and requests for Common Vulnerabilities and Exposures (CVEs) were submitted, highlighting the importance of transparency in addressing security issues.
Vaultwarden Vulnerabilities Uncovered in BSI Assessment
In June 2024, the German Federal Office for Information Security (BSI) released the results of a comprehensive assessment of Vaultwarden, an open-source online password manager that serves as an alternative to Bitwarden. The evaluation included both static and dynamic testing of the Vaultwarden server component, along with a partial source code audit.
Key Findings
The assessment uncovered significant vulnerabilities related to authentication processes. Key findings revealed that the login endpoint was unauthenticated, potentially allowing unauthorized access. The password login function was found to be overly complex, permitting attackers to create authentication requests for one user and subsequently log in as another. Additionally, the endpoint responsible for creating authentication requests was also unauthenticated, further exposing the system to potential exploitation.
In response to these vulnerabilities, a fix was implemented that required the requester to possess a device identifier linked to the authentication request. However, this initial patch did not adequately prevent authenticated attackers from using their own requests to log in as different users. A subsequent correction ensured that an authentication request must belong to the user attempting to log in, effectively closing the avenue for unauthorized access. Notably, the vulnerability did not allow attackers to bypass the second factor of authentication, which provided an additional layer of security.
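The two fixes described above, modelled as an added illustration that is not Vaultwarden's code: a device-identifier check alone still issues a session for whichever user the request names, while the ownership check ties the request to the user actually logging in. All type names, ids and the `dev-A` device identifier are assumed.

```rust
// Added illustration, not Vaultwarden's code: the auth-request login check with
// the device-identifier fix alone, then with the ownership check. Names are assumed.
use std::collections::HashMap;

#[derive(Debug)]
struct AuthRequest {
    user_id: u32,      // account the request was created for
    device_id: String, // device identifier linked to the request
    approved: bool,
}

#[derive(Debug, PartialEq)]
enum LoginError { UnknownRequest, WrongDevice, NotOwner, NotApproved }

struct Store { requests: HashMap<u32, AuthRequest> }

impl Store {
    /// First fix only: caller must hold the device id linked to the request.
    fn login_device_only(&self, req_id: u32, device_id: &str) -> Result<u32, LoginError> {
        let req = self.requests.get(&req_id).ok_or(LoginError::UnknownRequest)?;
        if req.device_id != device_id { return Err(LoginError::WrongDevice); }
        if !req.approved { return Err(LoginError::NotApproved); }
        Ok(req.user_id) // session is issued for whichever user the request names
    }

    /// Second fix: the request must also belong to the user attempting to log in.
    fn login_owner_checked(&self, req_id: u32, device_id: &str, login_user: u32)
        -> Result<u32, LoginError> {
        let req = self.requests.get(&req_id).ok_or(LoginError::UnknownRequest)?;
        if req.device_id != device_id { return Err(LoginError::WrongDevice); }
        if req.user_id != login_user { return Err(LoginError::NotOwner); }
        if !req.approved { return Err(LoginError::NotApproved); }
        Ok(req.user_id)
    }
}

/// Constructed sample: request 7 names user 2, was created from user 1's device "dev-A", and is approved.
fn sample_store() -> Store {
    let mut requests = HashMap::new();
    requests.insert(7, AuthRequest { user_id: 2, device_id: "dev-A".into(), approved: true });
    Store { requests }
}

fn main() {
    let s = sample_store();
    println!("device-only check: {:?}", s.login_device_only(7, "dev-A"));  // Ok(2)
    println!("owner check: {:?}", s.login_owner_checked(7, "dev-A", 1));   // Err(NotOwner)
}
```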
Additional Vulnerabilities
Although attackers could manipulate user data, the vulnerabilities did not enable decryption of key material without the original password. However, an attacker who possessed the master key could potentially access higher-privileged accounts and all associated key material, which poses a significant risk for organizations. Two additional vulnerabilities were identified during the assessment: an email HTML injection vulnerability and a self cross-site scripting (self-XSS) vulnerability linked to username submissions. The email HTML injection could facilitate the manipulation of usernames in emergency access invites, while the self-XSS vulnerability was mitigated by the content security policy, limiting its impact to the user submitting the username.
The assessment underscored a second factor of authentication as a crucial measure for mitigating such vulnerabilities. The Vaultwarden team was recognized for their prompt response to these issues, although the initial fix was deemed insufficient.
Ongoing Efforts and Transparency
As of the publication date, requests for Common Vulnerabilities and Exposures (CVEs) had been submitted but not yet assigned. The customer involved in the penetration test authorized the disclosure of these vulnerability details to Vaultwarden, emphasizing the importance of transparency for community awareness. A timeline of events detailing assessments, disclosures, fixes, and retests spanned from October to November 2024, demonstrating ongoing efforts to enhance the security of the Vaultwarden system.