CVE-2020-14423: Convos 4.19 Generates a Predictable Secret
Convos is an open source web based irc client.
While packaging convos for nixpkgs, we found that the application generated a predictable local_secret. This was caused by the following code:
my $secret = Mojo::Util::md5_sum(join ':', $self->core->home->to_string, $<, $(, $0);
The secret is derived from the:
- Home directory of the application
- Real UID of the process
- Real GID of the process
- Name of the executed program.
The local_secret will therefore be predictable when running under Docker, and
easily guessable on other platforms.
Impact
A remote attacker can possibly use a derived secret to create invite links or reset passwords for existing users.
Vulnerable
Convos 4.19 and earlier are vulnerable.
Mitigation
Users should upgrade to Convos 4.20 or newer, and regenerate secrets for their installation.
Timeline
- 2020-06-12: Vulnerability discovered, Vendor notified
- 2020-06-14: Patch created by vendor
- 2020-06-18: Version 4.20 released, CVE assigned.
References
- https://convos.chat/blog/2020/6/18/local-secret-got-more-secure
- https://github.com/Nordaaker/convos/commit/54d1763ac65c05aad27ad454b4e5a62ba8352d39
- https://convos.chat
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14423
Credits
Thanks to Jan Henning Thorsen for quickly fixing the vulnerability.
Vulnerability discovered by Stig Palmquist.