CVE-2023-44039 in VeridiumID
Summary
by MITRE • 04/03/2024
In VeridiumID before 3.5.0, the WebAuthn API allows an internal unauthenticated attacker (who can pass enrollment verifications and is allowed to enroll a FIDO key) to register their FIDO authenticator to a victim’s account and consequently take over the account.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 08/22/2024
The vulnerability identified as CVE-2023-44039 affects VeridiumID versions prior to 3.5.0 and represents a critical authentication bypass flaw within the WebAuthn implementation. This vulnerability stems from insufficient validation of the enrollment process, allowing malicious actors with internal access to manipulate the FIDO authenticator registration mechanism. The flaw specifically targets the WebAuthn API's handling of credential enrollment, creating a pathway for unauthorized account takeover through compromised FIDO key registration.
The technical implementation flaw lies in the lack of proper authorization checks during the WebAuthn credential enrollment phase. An attacker who has already gained access to the system and can pass initial enrollment verifications can exploit this weakness to register their own FIDO authenticator to a victim's account. This represents a significant deviation from proper authentication flow where the system should verify that the entity requesting enrollment is indeed the legitimate account owner. The vulnerability enables a form of credential hijacking where the attacker essentially steals the victim's authentication capability by replacing their legitimate FIDO credentials with malicious ones.
This vulnerability has severe operational implications for organizations relying on VeridiumID for multi-factor authentication. The attack vector requires only internal access and the ability to pass initial enrollment checks, making it particularly dangerous in environments where internal threat actors exist. Once successful, the attacker gains full account control without needing additional credentials or complex attack chains. The impact extends beyond individual account compromise to potentially enable broader lateral movement within the network, especially if the compromised accounts have elevated privileges. This aligns with ATT&CK technique T1566.002 for credential access through phishing and T1531 for account access removal, though the specific vector here is internal credential manipulation rather than external exploitation.
The root cause of this vulnerability maps to CWE-862, which describes inadequate authorization checks in authentication systems. The flaw demonstrates a failure in the principle of least privilege during credential enrollment, where the system does not properly validate that the entity requesting enrollment has legitimate rights to register credentials for the target account. Organizations should implement immediate mitigations including updating to VeridiumID 3.5.0 or later, which contains the necessary fixes for proper enrollment validation. Additionally, network segmentation and monitoring of enrollment activities can help detect suspicious credential registration patterns. Security teams should also conduct thorough audits of existing FIDO credentials to identify any potential unauthorized registrations that may have already occurred. The remediation approach should include strengthening authentication flow controls and implementing proper session management to prevent unauthorized credential replacement during active enrollment processes.