fosrl Pangolin Authentication Bypass Vulnerability

Vulnerability

An authentication bypass vulnerability has been identified in fosrl Pangolin versions through 1.6.2. This vulnerability allows attackers to access PIN-protected resources by exploiting an insecure default configuration in the authentication rate-limiting system. The flaw arises because the application does not apply the authentication-specific rate limits in the official installer, leaving endpoints vulnerable to brute-force attacks. Additionally, the vulnerability allows for bypassing two-factor authentication (2FA) by exploiting the same rate-limiting oversight.

Impact

Exploitation of this vulnerability allows for unauthorized access to resources protected by PIN authentication and the bypassing of two-factor authentication.

Reproduction

To reproduce this vulnerability, deploy fosrl Pangolin version 1.6.2 or earlier with the default installation settings. Once the application is running, access the endpoint that requires PIN authentication by posting a request to '/resource/{resourceId}/pincode' without a valid PIN. The absence of a dedicated rate limiter on this endpoint, combined with the reliance on a global limit of 500 requests per minute per IP and path, enables an attacker to guess PINs at a rate of 500 per minute, potentially compromising the authentication in about 33 hours. This method can be expedited by rotating IP addresses through a proxy.
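The following TypeScript is an added example, not code from the Pangolin project, that makes the rate-limiting point in the Vulnerability and Reproduction sections concrete. It simulates an API front door in which a global fixed-window limiter of 500 requests per minute per IP and path is the only control, then adds a dedicated limiter for the PIN endpoint. The stricter policy (10 attempts per 15 minutes) and the choice to key the authentication limiter by resource rather than by source IP are assumptions made for illustration; the in-memory limiter, request shape, path and resource id are constructed for the example.

```typescript
// Added example: why a credential endpoint needs its own rate limit.
// Minimal in-memory fixed-window limiter; not Pangolin's implementation.

type Policy = { windowMs: number; max: number };

class FixedWindowLimiter {
  private readonly policy: Policy;
  private readonly hits = new Map<string, { count: number; windowStart: number }>();

  constructor(policy: Policy) {
    this.policy = policy;
  }

  // Returns true if the request fits within the policy for this key,
  // false once the key has exhausted its budget for the current window.
  allow(key: string, now: number): boolean {
    const entry = this.hits.get(key);
    if (!entry || now - entry.windowStart >= this.policy.windowMs) {
      this.hits.set(key, { count: 1, windowStart: now });
      return true;
    }
    entry.count += 1;
    return entry.count <= this.policy.max;
  }
}

// The only limit the advisory says the installer applies: 500/min per IP+path.
const GLOBAL_POLICY: Policy = { windowMs: 60_000, max: 500 };
// Constructed stricter policy for PIN/password/2FA routes (assumed value).
const AUTH_POLICY: Policy = { windowMs: 15 * 60_000, max: 10 };

interface Request {
  ip: string;
  path: string;
  resourceId: string;
}

// Global limiter key: source IP plus path, as described for the default config.
function globalKey(r: Request): string {
  return `${r.ip}|${r.path}`;
}

// Auth limiter key: the protected resource, so the guess budget belongs to the
// target and does not reset when the source IP changes.
function authKey(r: Request): string {
  return `pin|${r.resourceId}`;
}

// Counts how many PIN submissions reach the PIN check within a single minute.
// useAuthLimiter: apply the dedicated limiter in addition to the global one.
// rotateIp: spread the submissions across 250 constructed source addresses.
function simulate(attempts: number, useAuthLimiter: boolean, rotateIp = false): number {
  const global = new FixedWindowLimiter(GLOBAL_POLICY);
  const auth = new FixedWindowLimiter(AUTH_POLICY);
  const now = 0; // all submissions fall in one window
  let reachedPinCheck = 0;

  for (let i = 0; i < attempts; i++) {
    const req: Request = {
      ip: rotateIp ? `10.0.0.${i % 250}` : "10.0.0.1", // constructed addresses
      path: "/resource/42/pincode",                   // constructed path
      resourceId: "42",                                // constructed id
    };
    if (!global.allow(globalKey(req), now)) continue;
    if (useAuthLimiter && !auth.allow(authKey(req), now)) continue;
    reachedPinCheck += 1;
  }
  return reachedPinCheck;
}

// Stand-alone run: compare the four configurations.
console.log("global only, single IP:      ", simulate(600, false));
console.log("global + auth, single IP:    ", simulate(600, true));
console.log("global only, rotating IPs:   ", simulate(600, false, true));
console.log("global + auth, rotating IPs: ", simulate(600, true, true));
```

With only the global limiter, a single source gets 500 PIN submissions through in the minute, matching the rate the advisory describes, and spreading the same traffic over many sources lets every submission through because each address stays far below 500. The dedicated limiter caps the PIN check at 10 attempts per window in both cases because its budget is tied to the resource being attacked. In an Express-style application the equivalent is mounting the strict limiter only on the PIN, password and 2FA routes, in front of the handler, rather than relying on a global middleware. Keying purely by resource means a flood of bad guesses can lock legitimate users out of that resource for the window, so a production policy usually combines the resource key with a per-source key or a progressive delay and logs the lockouts for the SOC.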

Remediation

Users can update to fosrl Pangolin version 1.7.0 or later, where this vulnerability has been addressed.

Added: Dec 30, 2025, 6:42 PM
Updated: Dec 30, 2025, 6:42 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.