CVE-2021-37705 in OneFuzz

Summary

by MITRE • 08/14/2021

OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance. To be vulnerable, a OneFuzz deployment must be both version 2.12.0 or greater and deployed with the non-default --multi_tenant_domain option. This can result in read/write access to private data such as software vulnerability and crash information, security testing tools and proprietary code and symbols. Via authorized API calls, this also enables tampering with existing data and unauthorized code execution on Azure compute resources. This issue is resolved starting in release 2.31.0, via the addition of application-level check of the bearer token's `issuer` against an administrator-configured allowlist. As a workaround users can restrict access to the tenant of a deployed OneFuzz instance < 2.31.0 by redeploying in the default configuration, which omits the `--multi_tenant_domain` option.


Analysis

by VulDB Data Team • 08/18/2021

The vulnerability CVE-2021-37705 affects the OneFuzz platform, an open-source Fuzzing-As-A-Service solution designed for security testing and vulnerability discovery. It is an authorization flaw, not an authentication flaw: the caller does authenticate successfully against Azure Active Directory, but the platform then fails to check whether that caller's tenant is one the deployment is meant to serve. The result is an authorization bypass that undermines the platform's security model whenever the instance is deployed with a specific non-default option, giving users from outside the owning tenant access far beyond their intended boundaries and putting sensitive data and system integrity at risk.

The technical flaw manifests in the platform's handling of bearer tokens when the --multi_tenant_domain option is enabled during deployment. This option configures the application to accept sign-ins from any Azure Active Directory tenant, but the accompanying token validation was incomplete: the token's signature, audience and expiry were checked, yet its issuer claim was never compared against an administrator-configured allowlist of trusted tenants. Because Azure AD signs tokens for every tenant with the same signing keys, the issuer claim (or the tenant id it encodes) is the only thing that distinguishes a token from the deployment's own tenant from a token minted for an arbitrary one. Any authenticated user from any Azure AD tenant could therefore make authorized API calls. The vulnerability is classified as CWE-285: Improper Authorization, which falls under the broader category of access control weaknesses that can lead to privilege escalation.

The operational impact of this vulnerability extends far beyond simple unauthorized access. No compromised credentials are needed: an attacker can sign in with an ordinary account in any Azure AD tenant, including one they create themselves, and obtain read/write access to sensitive data such as software vulnerability reports, crash information, security testing tools, proprietary code, and debugging symbols. This exposure creates a significant risk to organizations relying on OneFuzz for security testing, as it could lead to data breaches, intellectual property theft, and further system compromise. Via the same API calls the attacker can also tamper with existing data and run arbitrary code on the Azure compute resources that execute fuzzing jobs, representing a complete breakdown of the platform's security boundaries. In ATT&CK terms the technique corresponds to T1078: Valid Accounts, since the attacker presents a legitimate (if foreign-tenant) identity rather than breaking the authentication mechanism itself.

The remediation for this vulnerability is to upgrade to OneFuzz version 2.31.0 or later, which adds an application-level check of the bearer token's issuer against an administrator-configured allowlist. This addresses the root cause by ensuring that tokens are only accepted from trusted tenants, closing the authorization gap. Organizations on vulnerable versions can apply a temporary workaround by redeploying without the --multi_tenant_domain option, which restores the default single-tenant configuration and removes the exposure, at the cost of any legitimate cross-tenant use. After upgrading, administrators should confirm that the allowlist is actually populated with the intended tenant identifiers, since an empty or overly broad allowlist recreates the same problem. The vulnerability highlights the importance of validating every claim that carries an authorization decision, not only the token's signature, in systems that handle sensitive security data and expose cloud compute resources.
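The check described above, as an added illustration that is not OneFuzz's own code: a minimal issuer check on an already signature-verified Azure AD token, shown in the permissive form the advisory describes (any tenant whose issuer looks like Azure AD is accepted) beside the hardened form (the issuer's tenant must be on an allowlist). The tenant and application GUIDs, the `make_token` helper and the unsigned sample tokens are constructed for this example; a real token is RS256-signed and must be verified against the Azure AD JWKS before any claim is trusted.

```python
import base64
import json
import re

# Issuer formats Azure AD uses for v1.0 and v2.0 access tokens; the captured
# group is the tenant id (a GUID).
V1_ISSUER = re.compile(r"^https://sts\.windows\.net/([0-9a-fA-F-]{36})/$")
V2_ISSUER = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-fA-F-]{36})/v2\.0$")

# Constructed identifiers for this example only.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"     # tenant that owns the deployment
FOREIGN_TENANT = "22222222-2222-2222-2222-222222222222"  # any other tenant, e.g. attacker-created
APP_ID = "33333333-3333-3333-3333-333333333333"          # the OneFuzz API app registration


def make_token(claims):
    """Build an unsigned compact JWS carrying `claims` (constructed sample data).
    Real Azure AD tokens carry a signature in the third segment."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


def decode_claims(token):
    """Return the payload claims of a compact JWS. Signature verification is
    assumed to have happened already; this only parses the middle segment."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_tenant(iss):
    """Extract the tenant id from an Azure AD issuer URL, or None if the
    issuer is not in either known format."""
    for pattern in (V1_ISSUER, V2_ISSUER):
        match = pattern.match(iss or "")
        if match:
            return match.group(1)
    return None


def authorize_weak(claims, app_id):
    """Modelled on the vulnerable behaviour: in multi-tenant mode the token
    only has to be for this application and come from *some* Azure AD tenant."""
    return claims.get("aud") == app_id and issuer_tenant(claims.get("iss")) is not None


def authorize_fixed(claims, app_id, allowed_tenants):
    """Hardened check: audience must match and the issuer's tenant must be on
    the administrator-configured allowlist. An empty allowlist denies everything."""
    if claims.get("aud") != app_id:
        return False
    tenant = issuer_tenant(claims.get("iss"))
    return tenant is not None and tenant in set(allowed_tenants)


def evaluate(token, allowed_tenants):
    """Run both checks on one token; returns (weak_result, fixed_result)."""
    claims = decode_claims(token)
    return authorize_weak(claims, APP_ID), authorize_fixed(claims, APP_ID, allowed_tenants)


if __name__ == "__main__":
    allow = [HOME_TENANT]
    home = make_token({"aud": APP_ID, "iss": f"https://sts.windows.net/{HOME_TENANT}/", "tid": HOME_TENANT})
    foreign = make_token({"aud": APP_ID, "iss": f"https://login.microsoftonline.com/{FOREIGN_TENANT}/v2.0", "tid": FOREIGN_TENANT})
    print("home tenant   (weak, fixed):", evaluate(home, allow))
    print("foreign tenant(weak, fixed):", evaluate(foreign, allow))
```

The foreign-tenant token passes `authorize_weak` and fails `authorize_fixed`; the home-tenant token passes both. In a deployment that also exposes the `tid` claim, comparing it with the tenant parsed from `iss` is a cheap extra consistency check, and the allowlist should be loaded from administrator configuration rather than hard-coded as it is in this sample.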

Responsible

GitHub, Inc.

Reservation

07/29/2021

Disclosure

08/14/2021

Moderation

accepted

CPE

ready

EPSS

0.02415

KEV

no

Activities

very low
