Shearwater SecurEnvoy SecurAccess Enrol Race Condition Vulnerability Allowing Authentication Bypass

Vulnerability

A race condition vulnerability has been identified in Shearwater SecurEnvoy SecurAccess Enrol versions prior to 9.4.515. It allows an attacker to bypass the multi-factor authentication (MFA) process by exploiting the application's handling of concurrent authentication attempts. Instead of counting and processing each failed login attempt, the application mishandles simultaneous requests, so that the number of recorded authentication failures is far lower than the number actually made. As a result, accounts that should be disabled after 10 failed attempts remain active, and the attacker can keep submitting attempts until one succeeds, gaining unauthorized access to the account.
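The undercount described above is the classic lost-update pattern: a request handler reads the failed-attempt counter, does other work, then writes back read+1, so handlers running at the same time overwrite each other's increments and the lockout threshold is never reached. The following is an added illustration, not code from SecurEnvoy or from the advisory; the counter class, the 5 ms delay and the burst size are constructed to make the interleaving visible, and the 10-attempt threshold is the one named in the advisory. It contrasts the racy counter with one whose read-modify-write is serialised, which is the kind of fix a vendor would apply.

```python
import threading
import time

# Lockout threshold named in the advisory: 10 failed attempts disable the account.
LOCKOUT_THRESHOLD = 10


class FailureCounter:
    """Constructed model of a per-account failed-attempt counter.

    atomic=False reproduces the lost-update pattern behind an undercount:
    the handler reads the counter, does other work, then writes back
    read+1, so concurrent handlers that read the same value clobber each
    other's increments. atomic=True serialises the read-modify-write.
    """

    def __init__(self, atomic):
        self.atomic = atomic
        self.failed = 0
        self.locked = False
        self._lock = threading.Lock()

    def record_failure(self):
        if self.atomic:
            with self._lock:
                self.failed += 1
                if self.failed >= LOCKOUT_THRESHOLD:
                    self.locked = True
        else:
            current = self.failed          # read
            time.sleep(0.005)              # simulated work between read and write
            self.failed = current + 1      # write: overwrites concurrent increments
            if self.failed >= LOCKOUT_THRESHOLD:
                self.locked = True

    def is_locked(self):
        return self.locked


def burst_of_failures(counter, attempts):
    """Run `attempts` failed logins concurrently; return (recorded, locked)."""
    start = threading.Barrier(attempts)

    def one_failed_login():
        start.wait()                       # all handlers begin together
        counter.record_failure()

    threads = [threading.Thread(target=one_failed_login) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return counter.failed, counter.is_locked()


if __name__ == "__main__":
    racy_failed, racy_locked = burst_of_failures(FailureCounter(atomic=False), 20)
    safe_failed, safe_locked = burst_of_failures(FailureCounter(atomic=True), 20)
    print(f"racy counter  : recorded {racy_failed}/20 failures, locked={racy_locked}")
    print(f"atomic counter: recorded {safe_failed}/20 failures, locked={safe_locked}")
```

With the serialised counter every one of the 20 failures is recorded and the account locks; with the racy counter only a handful are recorded and the account stays open, which is exactly the condition the advisory describes. In a real deployment the same guarantee has to come from the datastore (an atomic increment or a row lock on the attempt counter) rather than an in-process mutex, and a burst of authentication failures against one account arriving within the same few milliseconds is a useful signal for detection regardless of whether the counter is correct.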

Impact

Exploitation of this vulnerability allows for unauthorized access to user accounts by bypassing the multi-factor authentication requirement. This could lead to unauthorized changes in user authentication data, such as modifying TOTP (Time-based One-Time Password) settings or passwords. Additionally, according to the SecurEnvoy release notes, this vulnerability could be exploited to access unmanaged user accounts.

Reproduction

The vulnerability can be reproduced by sending simultaneous authentication requests to the SecurAccess Enrol application. This can be done using a tool like Burp Suite Turbo Intruder, which can automate the process of sending multiple requests at once. By timing the requests to arrive at the server simultaneously, it's possible to exploit the race condition and bypass the authentication process. The application will only register a fraction of the failed attempts, allowing for repeated tries without triggering the account lockout mechanism.

Remediation

Users are advised to update to SecurEnvoy SecurAccess Enrol version 9.4.515, which addresses this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 7.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.