CVE-2024-1900 in Devolutions Server
Summary
by MITRE • 03/06/2024
Improper session management in the identity provider authentication flow in Devolutions Server 2023.3.14.0 and earlier allows a user authenticated via an identity provider to stay authenticated after their user account is disabled or deleted in the identity provider, such as Okta or Microsoft O365.
The user will stay authenticated until the Devolutions Server token expires.
Analysis
by VulDB Data Team • 11/01/2024
This vulnerability is a session management flaw in the Devolutions Server authentication flow that directly affects the security of identity provider integration. The issue occurs when users authenticate through an external identity provider such as Okta or Microsoft O365: the server does not re-validate the session against the upstream identity provider. When a user's account is disabled or deleted in the identity provider, Devolutions Server continues to honour the user's authenticated session until the token expiration period lapses, leaving a window in which a deprovisioned account still has access. This behaviour violates the basic requirement of secure session management that a session's validity be tied to the current authorization state of the account behind it.
The technical root cause is inadequate session validation within the Devolutions Server authentication pipeline. The system neither revokes sessions when users are removed from the identity provider nor performs periodic validation of the user's status at the identity provider. This vulnerability aligns with CWE-613, which addresses insufficient session expiration, and CWE-306, which covers missing authentication checks. The flaw creates a window in which compromised or unauthorized users can retain access beyond their legitimate authorization period, because the server relies on token expiration rather than active validation of user status.
The operational impact is significant for organizations relying on Devolutions Server for identity management and access control. An attacker holding a valid session token can retain access even after the legitimate user is removed from the identity provider, effectively bypassing account deactivation procedures. This creates a substantial risk of persistent access and privilege escalation, particularly in environments where rapid account deprovisioning is critical (for example, offboarding or incident response). The vulnerability conflicts with the principle of least privilege and undermines the security posture of organizations that depend on external identity providers for user authentication.
Organizations should implement immediate mitigations, including reducing token expiration periods, validating sessions more frequently, and establishing automated processes to revoke sessions when user accounts are disabled or deleted in the identity provider. The recommended approach is to configure Devolutions Server to periodically validate active user status against the identity provider, to invalidate sessions immediately upon account changes, and to establish monitoring that detects unauthorized persistent access. This vulnerability also highlights the relevance of ATT&CK techniques under the Privilege Escalation and Persistence tactics, since an attacker could use the flaw to maintain long-term access to systems. Organizations should also consider additional controls such as multi-factor authentication and continuous monitoring of authentication events to detect and respond to unauthorized access attempts.
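The following Python model illustrates the root cause and the mitigation described above side by side. It is an added example, not Devolutions code and not a description of the product's internals: `FakeIdP`, `TokenExpiryOnlySessions`, `IdPValidatedSessions` and the user names are constructed for the illustration. The vulnerable class trusts a session until its token expires; the hardened class re-checks the user's status against the identity provider at a fixed cadence and also supports immediate revocation of all of a user's sessions, which is the hook a deprovisioning notification from the identity provider would call.

```python
"""Session validity tied to identity-provider account state.

Added example (hypothetical names, not Devolutions Server code). Shows the
CWE-613 pattern on this page beside a hardened variant. Time is passed in
explicitly as `now` (seconds) so the behaviour is deterministic and testable.
"""
from dataclasses import dataclass
import secrets


@dataclass
class Session:
    session_id: str
    user_id: str
    expires_at: float       # token expiry, the only check in the flawed design
    last_idp_check: float   # when the user's status was last confirmed upstream


class FakeIdP:
    """Constructed stand-in for an identity provider such as Okta or O365.
    Only tracks which users are currently active; not a real IdP API."""

    def __init__(self, active_users):
        self.active = set(active_users)

    def is_active(self, user_id):
        return user_id in self.active

    def disable(self, user_id):
        # Equivalent of an admin disabling or deleting the account upstream.
        self.active.discard(user_id)


class TokenExpiryOnlySessions:
    """Vulnerable pattern: once issued, a session is honoured until the token
    expires, regardless of what happened to the account at the IdP."""

    def __init__(self):
        self.sessions = {}

    def create(self, user_id, now, ttl):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(sid, user_id, now + ttl, now)
        return sid

    def is_valid(self, session_id, now):
        s = self.sessions.get(session_id)
        return s is not None and now < s.expires_at


class IdPValidatedSessions:
    """Hardened pattern: token expiry is still enforced, but the user's status
    is re-confirmed with the IdP whenever `recheck_interval` seconds have
    passed since the last confirmation, and sessions can be revoked at once."""

    def __init__(self, idp, recheck_interval):
        self.idp = idp
        self.recheck_interval = recheck_interval
        self.sessions = {}

    def create(self, user_id, now, ttl):
        # Refuse to create a session for an account the IdP no longer accepts.
        if not self.idp.is_active(user_id):
            raise PermissionError(f"{user_id} is not active at the IdP")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(sid, user_id, now + ttl, now)
        return sid

    def is_valid(self, session_id, now):
        s = self.sessions.get(session_id)
        if s is None or now >= s.expires_at:
            return False
        if now - s.last_idp_check >= self.recheck_interval:
            if not self.idp.is_active(s.user_id):
                # Upstream account gone: drop the session instead of trusting it.
                del self.sessions[session_id]
                return False
            s.last_idp_check = now
        return True

    def revoke_user(self, user_id):
        """Immediate invalidation of every session of a user, the action a
        deprovisioning event from the IdP should trigger. Returns the count."""
        doomed = [sid for sid, s in self.sessions.items() if s.user_id == user_id]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)


def demonstrate():
    """Run both designs through the same disable-at-the-IdP scenario."""
    idp = FakeIdP(["alice"])
    flawed = TokenExpiryOnlySessions()
    hardened = IdPValidatedSessions(idp, recheck_interval=300)
    f_sid = flawed.create("alice", now=0, ttl=3600)
    h_sid = hardened.create("alice", now=0, ttl=3600)
    idp.disable("alice")  # account disabled upstream 1 second in
    return {
        "flawed_after_disable": flawed.is_valid(f_sid, now=600),      # True: the bug
        "hardened_before_recheck": hardened.is_valid(h_sid, now=100),  # True: inside window
        "hardened_after_recheck": hardened.is_valid(h_sid, now=300),   # False: caught
        "flawed_after_expiry": flawed.is_valid(f_sid, now=3600),       # False: only expiry helps
    }


if __name__ == "__main__":
    print(demonstrate())
```

The `recheck_interval` bounds the exposure window to at most that many seconds after an upstream disable, so it plays the same role as the "reduce token expiration" mitigation without forcing users to re-authenticate; `revoke_user` closes the window entirely when the identity provider can notify the server of the change.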