security: fix oobe-flow reuse when akadmin is deleted (#7361)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
parent
2a47ff2977
commit
261879022d
|
@ -0,0 +1,34 @@
|
||||||
|
# Generated by Django 4.2.6 on 2023-10-28 14:24
|
||||||
|
|
||||||
|
from django.apps.registry import Apps
|
||||||
|
from django.db import migrations
|
||||||
|
from django.db.backends.base.schema import BaseDatabaseSchemaEditor
|
||||||
|
|
||||||
|
|
||||||
|
def set_oobe_flow_authentication(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
|
||||||
|
from guardian.shortcuts import get_anonymous_user
|
||||||
|
|
||||||
|
Flow = apps.get_model("authentik_flows", "Flow")
|
||||||
|
User = apps.get_model("authentik_core", "User")
|
||||||
|
|
||||||
|
db_alias = schema_editor.connection.alias
|
||||||
|
|
||||||
|
users = User.objects.using(db_alias).exclude(username="akadmin")
|
||||||
|
try:
|
||||||
|
users = users.exclude(pk=get_anonymous_user().pk)
|
||||||
|
# pylint: disable=broad-except
|
||||||
|
except Exception: # nosec
|
||||||
|
pass
|
||||||
|
|
||||||
|
if users.exists():
|
||||||
|
Flow.objects.filter(slug="initial-setup").update(authentication="require_superuser")
|
||||||
|
|
||||||
|
|
||||||
|
class Migration(migrations.Migration):
|
||||||
|
dependencies = [
|
||||||
|
("authentik_flows", "0026_alter_flow_options"),
|
||||||
|
]
|
||||||
|
|
||||||
|
operations = [
|
||||||
|
migrations.RunPython(set_oobe_flow_authentication),
|
||||||
|
]
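Review bot: The `except Exception: pass` around `get_anonymous_user()` silently changes the outcome of the check: when the lookup fails, the guardian anonymous user stays in `users`, `users.exists()` is true on an installation with no real accounts, and the `initial-setup` flow is locked to `require_superuser` — fail-closed, but nothing in the code says that is intended. The call also goes through the live `User` model rather than the historical one from `apps`, which is presumably why the guard exists at all. Excluding by name needs neither: `from guardian.conf import settings as guardian_settings` and `users = users.exclude(username=guardian_settings.ANONYMOUS_USER_NAME)`, with the try/except removed; if the guard is kept, replace `pass` with `# failing to resolve the anonymous user counts it as a real account, which locks the flow (fail-closed)`. The `RunPython` at the bottom of the hunk has no reverse, so the migration cannot be unapplied; `migrations.RunPython(set_oobe_flow_authentication, migrations.RunPython.noop)` keeps it reversible.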
|
|
@ -85,6 +85,19 @@ entries:
|
||||||
identifiers:
|
identifiers:
|
||||||
name: default-oobe-password-usable
|
name: default-oobe-password-usable
|
||||||
model: authentik_policies_expression.expressionpolicy
|
model: authentik_policies_expression.expressionpolicy
|
||||||
|
- attrs:
|
||||||
|
expression: |
|
||||||
|
# This policy ensures that the setup flow can only be
|
||||||
|
# used one time
|
||||||
|
from authentik.flows.models import Flow, FlowAuthenticationRequirement
|
||||||
|
Flow.objects.filter(slug="initial-setup").update(
|
||||||
|
authentication=FlowAuthenticationRequirement.REQUIRE_SUPERUSER,
|
||||||
|
)
|
||||||
|
return True
|
||||||
|
id: policy-default-oobe-flow-set-authentication
|
||||||
|
identifiers:
|
||||||
|
name: default-oobe-flow-set-authentication
|
||||||
|
model: authentik_policies_expression.expressionpolicy
|
||||||
- attrs:
|
- attrs:
|
||||||
fields:
|
fields:
|
||||||
- !KeyOf prompt-field-header
|
- !KeyOf prompt-field-header
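Review bot: The policy `default-oobe-flow-set-authentication` locks the `initial-setup` flow as a side effect of being evaluated, and the binding in the last hunk of this file (`@ -144,3 +158,8`) attaches it to `binding-login`, whose context lines show `evaluate_on_plan: true` and `re_evaluate_policies: false`, so the update appears to run once when the plan is built rather than when the login stage is actually reached. If so, the flow is locked the moment someone opens it, before `binding-password-write` has run, and a session abandoned after that point leaves no superuser able to restart setup — I cannot confirm the stage order from these hunks. Either gate the update on completion of the password stage, or state the early lock in the expression comment: `# Evaluated at plan time: the flow is locked as soon as it is opened, not when setup completes`.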
|
||||||
|
@ -129,6 +142,7 @@ entries:
|
||||||
evaluate_on_plan: true
|
evaluate_on_plan: true
|
||||||
invalid_response_action: retry
|
invalid_response_action: retry
|
||||||
re_evaluate_policies: false
|
re_evaluate_policies: false
|
||||||
|
id: binding-login
|
||||||
identifiers:
|
identifiers:
|
||||||
order: 100
|
order: 100
|
||||||
stage: !KeyOf stage-default-authentication-login
|
stage: !KeyOf stage-default-authentication-login
|
||||||
|
@ -144,3 +158,8 @@ entries:
|
||||||
policy: !KeyOf policy-default-oobe-prefill-user
|
policy: !KeyOf policy-default-oobe-prefill-user
|
||||||
target: !KeyOf binding-password-write
|
target: !KeyOf binding-password-write
|
||||||
model: authentik_policies.policybinding
|
model: authentik_policies.policybinding
|
||||||
|
- identifiers:
|
||||||
|
order: 0
|
||||||
|
policy: !KeyOf policy-default-oobe-flow-set-authentication
|
||||||
|
target: !KeyOf binding-login
|
||||||
|
model: authentik_policies.policybinding
|
||||||
|
|
|
@ -42,9 +42,3 @@ entries:
|
||||||
user: !KeyOf admin-user
|
user: !KeyOf admin-user
|
||||||
attrs:
|
attrs:
|
||||||
key: !Context token
|
key: !Context token
|
||||||
- model: authentik_blueprints.blueprintinstance
|
|
||||||
identifiers:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
blueprints.goauthentik.io/system-bootstrap: "true"
|
|
||||||
state: absent
|
|
||||||
|
|
|
@ -127,6 +127,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2023.10
|
||||||
|
|
||||||
## Fixed in 2023.10.2
|
## Fixed in 2023.10.2
|
||||||
|
|
||||||
|
- \*: fix [GHSA-rjvp-29xq-f62w](../security/GHSA-rjvp-29xq-f62w), Reported by [@devSparkle](https://github.com/devSparkle)
|
||||||
- blueprints: fix entries with state: absent not being deleted if their serializer has errors (#7345)
|
- blueprints: fix entries with state: absent not being deleted if their serializer has errors (#7345)
|
||||||
- crypto: fix race conditions when creating self-signed certificates on startup (#7344)
|
- crypto: fix race conditions when creating self-signed certificates on startup (#7344)
|
||||||
- lifecycle: rework otp_merge migration (#7359)
|
- lifecycle: rework otp_merge migration (#7359)
|
||||||
|
|
|
@ -0,0 +1,27 @@
|
||||||
|
# GHSA-rjvp-29xq-f62w
|
||||||
|
|
||||||
|
_Reported by [@devSparkle](https://github.com/devSparkle)_
|
||||||
|
|
||||||
|
## Potential Installation takeover when default admin user is deleted
|
||||||
|
|
||||||
|
### Summary
|
||||||
|
|
||||||
|
In the affected versions, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication.
|
||||||
|
|
||||||
|
### Patches
|
||||||
|
|
||||||
|
authentik 2023.8.4 and 2023.10.2 fix this issue, for other versions the workaround can be used.
|
||||||
|
|
||||||
|
### Impact
|
||||||
|
|
||||||
|
authentik uses a blueprint to create the default admin user, which can also optionally set the default admin users' password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installation becomes available again.
|
||||||
|
|
||||||
|
### Workarounds
|
||||||
|
|
||||||
|
Ensure the default admin user (Username `akadmin`) exists and has a password set. It is recommended to use a very strong password for this user, and store it in a secure location like a password manager. It is also possible to deactivate the user to prevent any logins as akadmin.
|
||||||
|
|
||||||
|
### For more information
|
||||||
|
|
||||||
|
If you have any questions or comments about this advisory:
|
||||||
|
|
||||||
|
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io)
|
|
@ -407,6 +407,7 @@ const docsSidebar = {
|
||||||
},
|
},
|
||||||
items: [
|
items: [
|
||||||
"security/policy",
|
"security/policy",
|
||||||
|
"security/GHSA-rjvp-29xq-f62w",
|
||||||
"security/CVE-2023-39522",
|
"security/CVE-2023-39522",
|
||||||
"security/CVE-2023-36456",
|
"security/CVE-2023-36456",
|
||||||
"security/2023-06-cure53",
|
"security/2023-06-cure53",
|
||||||
|
|