Obsidian Scheduler REST API Multi-Factor Authentication Bypass Vulnerability
Vulnerability
A vulnerability exists in the REST API of Obsidian Scheduler versions 5.0.0 through 6.3.0 that allows accounts locked out for not enrolling in multi-factor authentication (MFA) to authenticate with HTTP Basic Authentication and perform administrative actions. The cause is inconsistent authentication enforcement between the two interfaces: the web interface refuses to log in an account that is locked for MFA non-enrollment, while the REST API accepts the same username and password over Basic Authentication without checking the lock state. Exploiting this flaw yields unauthorized administrative access, including the creation of privileged users, and bypasses the MFA requirement entirely.
Impact
Exploitation of this vulnerability grants unauthorized administrative access, including the ability to create privileged users. With such access, an attacker can execute code on the server through the application's built-in job scheduling feature, which runs scheduled jobs with the privileges of the Obsidian Scheduler process.
Reproduction
To reproduce, authenticate to the REST API with Basic Authentication using the credentials of an account that has been locked out for MFA non-enrollment, such as the default admin credentials; the same credentials are rejected by the web interface. Once authenticated through the REST API, perform an administrative action such as creating a new admin user. That user can then schedule the built-in 'PythonJob' with a reverse shell payload, which executes on the server.
Remediation
Users are advised to update Obsidian Scheduler to version 6.3.1, which applies the MFA lock-out check consistently across both interfaces. If an immediate upgrade is not possible, consider running Obsidian Scheduler as a standalone or embedded service instead of a web deployment, disabling the REST endpoints via the 'web.xml' configuration file, or invalidating the passwords of users who have not enrolled in MFA so that neither interface accepts them. Whichever mitigation is chosen, verify afterwards that a Basic Authentication request from an MFA-unenrolled account is rejected by the REST API, not just by the web interface.
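The following is an added illustrative model of the bug class described in the Vulnerability section and of the password-invalidation mitigation above. It is not Obsidian Scheduler's code: the account model, the "locked for MFA non-enrollment" state, the plaintext password field and the create_user operation are assumptions made to keep the example self-contained. It places a REST filter that checks only credentials beside the web login that also checks the lock state, then shows the fix of routing both interfaces through one shared authentication function.

```python
"""Model of inconsistent MFA lock-out enforcement across two interfaces.

Illustrative example only (not Obsidian Scheduler's code). The Account class,
lock rule and endpoints below are assumptions for the demonstration.
"""
import base64
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    password: Optional[str]   # plaintext only to keep the model short; None = invalidated
    role: str = "user"
    mfa_enrolled: bool = False
    mfa_required: bool = True

    @property
    def locked_for_mfa(self) -> bool:
        """Assumed policy: an MFA-required account that never enrolled is locked."""
        return self.mfa_required and not self.mfa_enrolled


def parse_basic_auth(header: Optional[str]):
    """Decode an HTTP 'Authorization: Basic <b64(user:pass)>' header."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def _password_matches(acct: Account, password: str) -> bool:
    if acct.password is None:            # invalidated password: nothing matches
        return False
    return hmac.compare_digest(acct.password.encode(), password.encode())


def web_login(db: dict, user: str, password: str) -> Optional[Account]:
    """Web interface: checks credentials AND the MFA lock state."""
    acct = db.get(user)
    if acct is None or not _password_matches(acct, password):
        return None
    if acct.locked_for_mfa:
        return None
    return acct


def rest_authenticate_vulnerable(db: dict, auth_header: str) -> Optional[Account]:
    """Vulnerable REST filter: checks credentials only, never the lock state."""
    creds = parse_basic_auth(auth_header)
    if creds is None:
        return None
    acct = db.get(creds[0])
    return acct if acct and _password_matches(acct, creds[1]) else None


def authenticate(db: dict, user: str, password: str) -> Optional[Account]:
    """Fixed design: one authentication decision shared by every interface."""
    return web_login(db, user, password)


def rest_authenticate_fixed(db: dict, auth_header: str) -> Optional[Account]:
    creds = parse_basic_auth(auth_header)
    return authenticate(db, *creds) if creds else None


def create_user(db: dict, actor: Optional[Account], username: str, password: str, role: str) -> Account:
    """Assumed admin-only operation reachable through the REST API."""
    if actor is None or actor.role != "admin":
        raise PermissionError("admin role required")
    db[username] = Account(username, password, role=role)
    return db[username]


def invalidate_unenrolled_passwords(db: dict) -> int:
    """Mitigation: invalidate passwords of MFA-unenrolled users; returns count."""
    changed = 0
    for acct in db.values():
        if acct.locked_for_mfa and acct.password is not None:
            acct.password = None
            changed += 1
    return changed


def demo() -> dict:
    """Run the scenario on a constructed account database; returns outcomes."""
    db = {"admin": Account("admin", "admin", role="admin", mfa_enrolled=False)}
    header = "Basic " + base64.b64encode(b"admin:admin").decode()
    web = web_login(db, "admin", "admin")                      # denied (locked)
    rest_v = rest_authenticate_vulnerable(db, header)          # allowed (bug)
    backdoor = create_user(db, rest_v, "backdoor", "x", "admin")
    rest_f = rest_authenticate_fixed(db, header)               # denied (fix)
    invalidated = invalidate_unenrolled_passwords(db)          # admin + backdoor
    rest_after = rest_authenticate_vulnerable(db, header)      # denied even on old code
    return {"web": web, "rest_vulnerable": rest_v, "backdoor": backdoor,
            "rest_fixed": rest_f, "invalidated": invalidated, "rest_after": rest_after}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is that the lock check lives in one function, so a second entry point (a REST filter, a CLI, a future API) cannot silently omit it. The password-invalidation mitigation closes the hole even on unpatched code because it removes the credential rather than relying on each interface to check the lock.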
