CVE-2020-14423: Convos 4.19 Generates a Predictable Secret

19/06/20 — sgo

Convos is an open-source, web-based IRC client.

While packaging Convos for nixpkgs, we found that the application generated a predictable local_secret. The secret was produced by the following code:

# Convos <= 4.19: the secret is an MD5 of the home directory, real UID, real GID(s) and program name
my $secret = Mojo::Util::md5_sum(join ':', $self->core->home->to_string, $<, $(, $0);

The secret is derived from four values:

  • Home directory of the application
  • Real UID of the process
  • Real GID of the process
  • Name of the executed program.

None of these values is secret. Under Docker they are fixed by the image (same home directory, UID, GID and binary path for every deployment), so the local_secret is fully predictable there, and on other platforms it is easily guessable from a handful of common installation layouts.
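The following added example (not code from the Convos project) reproduces the weak derivation in Python so that an operator can check whether a stored local_secret still equals one of the predictable values, and shows the replacement a regenerated secret should come from. It assumes the derivation is exactly join(':', home, $<, $(, $0) followed by MD5; note that Perl's $( stringifies as the real GID followed by the supplementary group IDs, space separated (for example "0 0" for root in a minimal container), so the group string is passed in as-is. The candidate deployment layouts are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def predictable_secret(home: str, uid: int, gid_list: str, argv0: str) -> str:
    """Reproduce the Convos <= 4.19 local_secret derivation (assumption: it is
    md5(join(':', home, $<, $(, $0))).  gid_list is the string form of Perl's $(,
    i.e. the real GID followed by supplementary GIDs, space separated."""
    material = ":".join([home, str(uid), gid_list, argv0])
    return hashlib.md5(material.encode("utf-8")).hexdigest()


# Constructed candidate layouts; a real check would list the layouts actually
# used by the organisation's images and packages.
CANDIDATE_DEPLOYMENTS = [
    {"home": "/home/convos", "uid": 0, "gid_list": "0 0",
     "argv0": "/usr/local/bin/convos"},
    {"home": "/home/convos", "uid": 1000, "gid_list": "1000 1000",
     "argv0": "/usr/local/bin/convos"},
    {"home": "/var/lib/convos", "uid": 1000, "gid_list": "1000 1000",
     "argv0": "/usr/bin/convos"},
]


def matches_predictable_secret(stored_secret: str, candidates=CANDIDATE_DEPLOYMENTS):
    """Return the candidate layout whose derived secret equals stored_secret,
    or None if the stored secret is not one of the predictable values.
    Uses a constant-time comparison out of habit; the inputs are hex strings."""
    stored = stored_secret.strip().lower()
    for layout in candidates:
        if hmac.compare_digest(predictable_secret(**layout), stored):
            return layout
    return None


def generate_secret(nbytes: int = 32) -> str:
    """What a regenerated secret should look like: 256 bits from the OS CSPRNG,
    not a hash of environment facts.  Returns 64 hex characters."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # The weak value for the first constructed layout is identical on every
    # host that uses that layout, so anyone who knows the layout knows the secret.
    weak = predictable_secret(**CANDIDATE_DEPLOYMENTS[0])
    print("predictable secret for layout 0:", weak)
    print("flagged as predictable:", matches_predictable_secret(weak) is not None)
    print("fresh random secret:", generate_secret())
```

Run the check with the value of local_secret read from the installation's configuration; a non-None result means the installation still uses a secret an outsider can compute and must be regenerated.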

Impact

A remote attacker who derives the secret could use it to create invite links or reset passwords for existing users.

Vulnerable

Convos 4.19 and earlier are vulnerable.

Mitigation

Users should upgrade to Convos 4.20 or newer and regenerate the secrets for their installation, since a secret generated by a vulnerable version stays predictable after the upgrade.

Timeline

  • 2020-06-12: Vulnerability discovered, vendor notified
  • 2020-06-14: Patch created by vendor
  • 2020-06-18: Version 4.20 released, CVE assigned

References

Credits

Thanks to Jan Henning Thorsen for quickly fixing the vulnerability.

Vulnerability discovered by Stig Palmquist.