ZITADEL, Session Fixation, CVE-2023-XXXX (Critical)

How the CVE Works

The vulnerability in ZITADEL's Session API allows attackers to abuse IdP (Identity Provider) intents. After a successful authentication, ZITADEL sends an `id` and `token` to a predefined URI. An attacker with access to this URI can reuse that pair repeatedly to hijack the user's session. Because the tokens remain valid until they expire or are revoked, session fixation occurs and unauthorized authentication becomes possible. Multi-Factor Authentication (MFA) limits full exploitation but does not eliminate the session-hijack risk.

DailyCVE Form

Platform: ZITADEL
Version: <3.0.0, <2.71.9, <2.70.10
Vulnerability: Session Fixation
Severity: Critical
Date: 2023-XX-XX

What Undercode Says:

Exploitation:

  1. Token Capture: Intercept the `id` and `token` via MITM or by accessing the predefined URI.
    tcpdump -i eth0 'port 443' -w session_dump.pcap

  2. Session Reuse: Authenticate with the captured pair:
    POST /session/authenticate HTTP/1.1
    Host: target.zitadel
    Content-Type: application/json

    {"id":"stolen_id","token":"stolen_token"}

Protection:

1. Patch Immediately:

docker pull zitadel/zitadel:3.0.0

2. Enable MFA:

UPDATE security_settings SET enforce_mfa = TRUE;

3. Token Invalidation:

func RevokeToken(token string) error {
	// Delete the session row so a captured token can no longer be replayed;
	// surface the database error instead of silently dropping it.
	return db.Delete("sessions", "token = ?", token)
}

Detection:

  • Log Analysis: Search the access log for repeated use of the same intent.
    grep "repeated_intent" /var/log/zitadel/access.log

  • Rate Limiting (nginx): Throttle the authentication endpoint per client address.
    limit_req_zone $binary_remote_addr zone=auth:10m rate=5r/s;

Mitigations:

  • Shorten Token TTL (config.yaml):
    session:
      token_expiry: 300s

  • HTTPS Enforcement (Apache):
    <VirtualHost *:80>
        Redirect permanent / https://zitadel.example.com/
    </VirtualHost>
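The Token Invalidation step under Protection and the short token TTL above come down to one property: an IdP intent's id/token pair must be accepted exactly once and refused afterwards. The Go code below is an added example, not ZITADEL's own implementation; IntentStore, Issue and Consume are hypothetical names, and the in-memory map stands in for a database table.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"time"
)

// Distinct errors so that a replay attempt can be logged and alerted on.
var ErrInvalidIntent = errors.New("unknown intent id or token mismatch")
var ErrExpired = errors.New("intent token expired")
var ErrAlreadyUsed = errors.New("intent token already consumed")

type intent struct {
	token    string
	expires  time.Time
	consumed bool
}

// IntentStore is a hypothetical in-memory stand-in for the table of pending IdP intents.
type IntentStore struct {
	ttl     time.Duration
	intents map[string]*intent
}

func NewIntentStore(ttl time.Duration) *IntentStore {
	return &IntentStore{ttl: ttl, intents: map[string]*intent{}}
}

// Issue records an id/token pair with a short expiry (the page's token_expiry).
func (s *IntentStore) Issue(id, token string) {
	s.intents[id] = &intent{token: token, expires: time.Now().Add(s.ttl)}
}

// Consume validates the pair and marks it used, so a captured pair cannot be
// replayed into a second session; the token comparison is constant-time.
func (s *IntentStore) Consume(id, token string) error {
	in, ok := s.intents[id]
	if !ok || subtle.ConstantTimeCompare([]byte(in.token), []byte(token)) != 1 {
		return ErrInvalidIntent
	}
	if in.consumed {
		return ErrAlreadyUsed
	}
	if time.Now().After(in.expires) {
		return ErrExpired
	}
	in.consumed = true
	return nil
}
```

A Consume call that returns ErrAlreadyUsed is exactly the "repeated intent" event the Detection section greps for, so it is worth logging with the client address.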
    

Sources:

Reported By: github.com