Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

OpenNebula FireEdge Race Condition Vulnerability Leading to Account Takeover

Vulnerability

A critical race condition vulnerability has been identified in the FireEdge component of OpenNebula. It affects Community Edition (CE) releases before 7.0.0 and Enterprise Edition (EE) releases before 6.10.3. An unauthenticated attacker can abuse the login process by brute-forcing credentials: because of a race condition in how login requests are handled, the attacker can obtain a valid JSON Web Token (JWT) issued to a legitimate user during that user's login attempt, gaining unauthorized access to the user's account.

Impact

Successful exploitation results in full account takeover: the attacker hijacks a legitimate user's JSON Web Token (JWT) and gains access to that user's account.

Reproduction

The vulnerability can be reproduced by running a brute-force attack against the login process with random credentials. When a legitimate user logs in while the attack is running, the race condition allows the attacker to capture that user's JWT. The brute-force attempts and the JWT capture can be automated with a script.

Remediation

Users can upgrade to OpenNebula Community Edition 7.0.0 or OpenNebula Enterprise Edition 6.10.3 to address this vulnerability.

Added: Aug 3, 2025, 12:18 AM
Updated: Aug 3, 2025, 12:18 AM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          0.0
impact          5.0
exploitability  7.7
remediation     7.7
relevance       0.3
threat          8.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.