CVE-2018-11047 in Cloud Foundry UAA

Summary

by MITRE

Cloud Foundry UAA, versions 4.19 prior to 4.19.2 and 4.12 prior to 4.12.4 and 4.10 prior to 4.10.2 and 4.7 prior to 4.7.6 and 4.5 prior to 4.5.7, incorrectly authorizes requests to admin endpoints by accepting a valid refresh token in lieu of an access token. Refresh tokens by design have a longer expiration time than access tokens, allowing the possessor of a refresh token to authenticate longer than expected. This affects the administrative endpoints of the UAA, i.e. /Users, /Groups, etc. However, if the user has been deleted or had groups removed, or the client was deleted, the refresh token will no longer be valid.


Analysis

by VulDB Data Team • 03/10/2020

The vulnerability identified as CVE-2018-11047 affects Cloud Foundry User Account and Authentication (UAA) systems across multiple version ranges including 4.19.x prior to 4.19.2, 4.12.x prior to 4.12.4, 4.10.x prior to 4.10.2, 4.7.x prior to 4.7.6, and 4.5.x prior to 4.5.7. This represents a critical authorization flaw that fundamentally undermines the security model of the UAA system by allowing unauthorized access to administrative endpoints through improper token validation mechanisms. The vulnerability stems from the incorrect implementation of authentication checks where the system accepts refresh tokens as valid substitutes for access tokens when accessing sensitive administrative resources.

The technical flaw manifests in the UAA's authorization logic where it fails to properly distinguish between access tokens and refresh tokens when processing requests to administrative endpoints such as /Users, /Groups, and related management interfaces. According to CWE-285, this constitutes an authorization bypass vulnerability where the system grants elevated privileges based on insufficient authentication verification. The flaw specifically affects the token validation process by allowing refresh tokens to be accepted in contexts where access tokens should be required, creating a window of opportunity for attackers to maintain prolonged access to administrative functions beyond normal expiration times.

The operational impact of this vulnerability extends beyond a simple access-control breach: it enables attackers to perform administrative actions including user management, group modifications, and potentially system-wide configuration changes. The security implications are particularly severe because refresh tokens are designed to have longer lifespans than access tokens, so an attacker who obtains a valid refresh token can maintain access for an extended period. This vulnerability directly maps to ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts), as attackers can leverage refresh tokens to persist in compromised systems. The attack vector becomes particularly dangerous when considering that refresh tokens remain valid even if the underlying user account is deleted or group memberships are altered, though the system does implement some protections against stale tokens.

The vulnerability's severity is amplified by the fact that administrators often grant refresh tokens to applications and services that require extended access periods, making these tokens potentially accessible to attackers through various exploitation vectors. The UAA system's improper handling of token validation creates a persistent security gap where attackers can maintain administrative privileges indefinitely, especially when the refresh tokens have not yet expired. This flaw essentially allows attackers to perform unauthorized administrative actions such as creating new users, modifying existing accounts, managing group memberships, and potentially accessing sensitive system configurations. The vulnerability demonstrates a fundamental breakdown in the principle of least privilege and proper access control enforcement that could lead to complete system compromise if exploited by malicious actors.

Organizations should immediately implement mitigations including upgrading to patched versions of Cloud Foundry UAA, implementing additional monitoring for administrative endpoint access, and conducting comprehensive token lifecycle management reviews. The remediation process should include validating all refresh token usage patterns and ensuring that administrative access controls properly distinguish between access tokens and refresh tokens. Security teams should also implement network segmentation and additional authentication layers to limit the impact of potential token compromise, while monitoring for unusual administrative access patterns that could indicate exploitation of this vulnerability.
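The token-validation defect described in the analysis above, and the remediation point that admin endpoints must distinguish access tokens from refresh tokens, modelled side by side in a small resource-server check. This is an added illustration, not code from Cloud Foundry UAA (which is a Java project); it assumes HS256-signed JWTs over a constructed key, a hypothetical `token_type` claim as the marker that separates the two token kinds, and a simplified endpoint-to-scope map for /Users and /Groups. The vulnerable authorizer accepts any validly signed, unexpired token carrying the right scope, so a long-lived refresh token keeps working on admin endpoints after the access token it came with has expired; the fixed authorizer rejects anything that is not an access token.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo signing key; a real UAA deployment uses its own keys.
SIGNING_KEY = b"constructed-demo-key-not-a-real-uaa-secret"

# Fixed clock so the walkthrough is deterministic.
NOW = 1_700_000_000
ACCESS_TTL = 12 * 3600        # assumed access-token lifetime
REFRESH_TTL = 30 * 24 * 3600  # assumed refresh-token lifetime (much longer)

# Simplified map from admin endpoint to the scope it requires (assumption for this example).
ADMIN_ENDPOINT_SCOPE = {"/Users": "scim.read", "/Groups": "scim.read"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Build an HS256 JWT over the given claims (constructed stand-in for the token issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = f"{parts[0]}.{parts[1]}"
    expected = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    try:
        presented = _b64url_decode(parts[2])
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 or bad JSON
        return None
    if not hmac.compare_digest(expected, presented):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize_admin_vulnerable(token: str, endpoint: str, now: int) -> bool:
    """Pre-fix behaviour: any validly signed, unexpired token with the right scope is
    accepted, so a refresh token works as a bearer credential for admin endpoints."""
    claims = verify_token(token, now)
    if claims is None or endpoint not in ADMIN_ENDPOINT_SCOPE:
        return False
    return ADMIN_ENDPOINT_SCOPE[endpoint] in claims.get("scope", [])


def authorize_admin_fixed(token: str, endpoint: str, now: int) -> bool:
    """Hardened check: the bearer token must be an access token. The token kind is modelled
    by a hypothetical 'token_type' claim; refresh tokens belong only at the token endpoint."""
    claims = verify_token(token, now)
    if claims is None or endpoint not in ADMIN_ENDPOINT_SCOPE:
        return False
    if claims.get("token_type") != "access":
        return False
    return ADMIN_ENDPOINT_SCOPE[endpoint] in claims.get("scope", [])


def walkthrough() -> dict:
    """Issue an access/refresh pair, then replay both against /Users now and a day later."""
    scopes = ["scim.read", "scim.write"]
    access = mint_token({"jti": "demo-1", "token_type": "access",
                         "exp": NOW + ACCESS_TTL, "scope": scopes})
    refresh = mint_token({"jti": "demo-1-r", "token_type": "refresh",
                          "exp": NOW + REFRESH_TTL, "scope": scopes})
    later = NOW + 24 * 3600  # access token has expired, refresh token is still live
    return {
        "vulnerable_access_now": authorize_admin_vulnerable(access, "/Users", NOW),
        "vulnerable_refresh_later": authorize_admin_vulnerable(refresh, "/Users", later),
        "fixed_access_now": authorize_admin_fixed(access, "/Users", NOW),
        "fixed_access_later": authorize_admin_fixed(access, "/Users", later),
        "fixed_refresh_now": authorize_admin_fixed(refresh, "/Users", NOW),
        "fixed_refresh_later": authorize_admin_fixed(refresh, "/Users", later),
    }


if __name__ == "__main__":
    for name, accepted in walkthrough().items():
        print(f"{name:26s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

The walkthrough shows the window the advisory describes: a day after issuance the access token is expired and rejected by both authorizers, but the still-live refresh token is accepted by the vulnerable one and rejected by the fixed one. For detection, the same distinction is useful in logs: a refresh token presented as a bearer credential to /Users or /Groups is never legitimate and is worth alerting on while patching.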

Reservation: 05/14/2018

Disclosure: 07/24/2018

Moderation: accepted

CPE: ready

EPSS: 0.00243

KEV: no

Activities: very low
