A predictable seed vulnerability exists in the password reset functionality of Epignosis EfrontPro 5.2.21. By predicting the seed it is possible to generate the correct one-time password reset token. An attacker can visit the password reset function, supplying that token, to reset the password of an account of their choice.
Epignosis eFront LMS 5.2.17
Epignosis eFront LMS 5.2.21
9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-337 - Predictable Seed in Pseudo-Random Number Generator (PRNG)
The password reset functionality can be accessed at:
This functionality has a hash generation process that is based directly on the system time and the login name, which may be the email address. An attacker can use the password reset function for a known user to make the system update the “reset_password_timestamp” to a value they know (within a small error margin). Knowing this timestamp and the targeted user, they can calculate the hash and reset the password for the account. The only unknown is the numeric user_id, but these are sequential starting at 0, so this could be brute forced. There does not appear to be a lockout on this function, so a brute force would be possible. There is ID enumeration on this function too, so the user_id keyspace can be verified before starting.
The code that generates the token has to verify it against the one submitted by the attacker. The ‘reset_password_timestamp’ can be set by the attacker by using the system password reset functionality.
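As an added illustration (not eFront's code), the weak generator below is a constructed stand-in for the scheme the advisory describes, a deterministic hash of clock and identity values an attacker can learn or enumerate, placed beside the hardened form a defender would expect: a token from the OS CSPRNG, stored only as a hash, compared in constant time, time-limited and single-use. The class name, TTL and store layout are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed weak scheme mirroring the advisory (CWE-337): every input is known or
# enumerable by the attacker, so the same inputs always reproduce the same token.
def weak_reset_token(login: str, user_id: int, reset_password_timestamp: int) -> str:
    material = f"{reset_password_timestamp}{login}{user_id}".encode()
    return hashlib.md5(material).hexdigest()

# Hardened scheme (assumed design, not eFront's): unpredictable, hashed at rest,
# constant-time verified, expiring and consumed on first use.
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset link


class ResetTokenStore:
    def __init__(self):
        self._pending = {}  # user_id -> (sha256(token), expires_at)

    def issue(self, user_id: int, now=None) -> str:
        # 256 bits from os.urandom: independent of the clock, the login name and the user_id.
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[user_id] = (digest, now + TOKEN_TTL_SECONDS)
        return token  # delivered out of band (e-mail); never kept in clear text

    def redeem(self, user_id: int, presented: str, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at = entry
        presented_digest = hashlib.sha256(presented.encode()).digest()
        # compare_digest avoids leaking how many leading bytes matched via timing.
        if not hmac.compare_digest(digest, presented_digest) or now > expires_at:
            return False
        del self._pending[user_id]  # single use: a captured or guessed token cannot be replayed
        return True
```

Rate limiting and lockout on the reset endpoint, which the advisory notes are absent, belong in front of redeem() regardless of how the token is generated.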
2020-12-21 - Vendor Disclosure
2021-02-02 - Vendor Patched
2021-03-03 - Public Release
Discovered by Richard Dean, Cisco CX Security Advisory EMEAR