Executive Summary

CVE-2023-53943 is a username enumeration vulnerability in GLPI version 9.5.7. It exists in the lost password recovery mechanism, where attackers can submit password reset requests with different email addresses and analyze the responses to determine which email addresses correspond to valid user accounts. This allows attackers to systematically validate email addresses by observing differences in server responses, facilitating further targeted attacks. [1, 3]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to enumerate valid email addresses of users by exploiting the password recovery mechanism, which could lead to unauthorized disclosure of user information. Such exposure of personal data may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal identifiable information (PII) and ensuring confidentiality. Therefore, the vulnerability could increase the risk of non-compliance by facilitating targeted attacks or data breaches involving user email addresses. [1, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to confirm valid user email addresses in the GLPI system without authentication or user interaction. By enumerating valid usernames, attackers can facilitate targeted attacks such as phishing, social engineering, or brute force attempts against known accounts. Although the impact on confidentiality is low, it increases the risk of further exploitation by revealing valid user information. [1, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending HTTP requests to the lostpassword.php endpoint of the GLPI application and analyzing the responses for differences that indicate valid email addresses. A practical method involves first making a GET request to retrieve the CSRF token and session cookie, then sending POST requests with different email addresses as the 'email' parameter along with the CSRF token and session cookie. After each POST request, a new GET request refreshes the CSRF token and session cookie. If the response contains the message 'An email has been sent to your email address.The email contains information for reset your password.', it indicates a valid email. Commands can be scripted using curl or similar tools to automate this process, for example: 1) curl -c cookies.txt -s 'https://target/glpi/front/lostpassword.php' to get CSRF token and cookies; 2) curl -b cookies.txt -c cookies.txt -d '[email protected]&_glpi_csrf_token=TOKEN' -X POST 'https://target/glpi/front/lostpassword.php' to test an email; 3) parse the response for the success message. This process can be repeated for multiple emails to enumerate valid users. [3]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the username enumeration vulnerability in GLPI 9.5.7, immediate steps include restricting access to the lost password recovery endpoint, implementing rate limiting to prevent automated enumeration attempts, and monitoring for suspicious activity related to password reset requests. Additionally, applying any available patches or updates from GLPI that address this issue is recommended. If no patch is available yet, consider customizing the password reset responses to avoid revealing whether an email address is valid or not. [1, 3]

Useful 0 Not Useful 0