Executive Summary

This vulnerability affects Authelia versions 4.38.0 through 4.39.19, an open-source authentication and authorization server. When a user authenticates using Basic Auth on the authorization verification endpoint, Authelia takes the username directly from the Authorization header and uses it for ban checking and attempt recording.

The issue arises because LDAP treats usernames case insensitively (e.g., 'john', 'John', and 'JOHN' are considered the same user), but the regulation SQL queries in Authelia treat these usernames case sensitively in some scenarios. This discrepancy allows different case variations of the same username to have separate ban buckets, effectively bypassing ban enforcement.

The vulnerability can be mitigated by upgrading to Authelia version 4.39.20 or later, or by disabling the Basic Auth mechanism as a workaround.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to bypass ban enforcement mechanisms by using different case variations of a username. Since each case variation is treated as a separate entity in the ban system, an attacker can continue attempts without being effectively banned.

This could lead to increased risk of brute force or credential stuffing attacks, as the regulation system's attempt recording and ban enforcement can be circumvented.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Authelia to version 4.39.20 or later where the patch is applied.

As a workaround before upgrading, explicitly disable the Basic Auth mechanism to prevent exploitation of the case sensitivity issue in ban buckets.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows different case variations of the same username to be treated as separate entities in the ban system due to case sensitivity differences between LDAP and SQL queries. This could potentially lead to inconsistent enforcement of bans or access restrictions.

However, there is no explicit information provided about how this vulnerability directly impacts compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the handling of Basic Auth usernames in Authelia versions 4.38.0 through 4.39.19, where case variations of usernames are treated separately in ban checking. Detection would involve identifying if your Authelia deployment is within these vulnerable versions and if Basic Auth is enabled on the authorization verification endpoint.

To detect attempts exploiting this issue on your network or system, you can monitor HTTP requests to the authz verification endpoint that use the Authorization header with the Basic scheme and check for multiple case variations of the same username.

Example commands to help detect this might include:

• Using tcpdump or tshark to capture HTTP traffic and filter for Authorization headers with Basic scheme.
• Using grep or similar tools on web server or proxy logs to find Authorization headers containing Basic authentication and analyze username case variations.
• Example grep command on logs: grep -i 'Authorization: Basic' /path/to/log | cut -d' ' -f3 | base64 --decode | cut -d':' -f1 | sort | uniq -c
• This command extracts the username part from Basic Auth headers, decodes it, and counts occurrences, which can help identify multiple case variations of the same username.

Additionally, verify your Authelia version and configuration to confirm if Basic Auth is enabled on the authz verification endpoint.

Useful 0 Not Useful 0