Oxide Control Plane API Token Renewal Vulnerability

Vulnerability

A vulnerability exists in Oxide control plane versions 15 through 17 prior to 17.1 that allows API tokens to be renewed beyond their original expiration date. Because a new token can be generated from an existing one, access to the Oxide API can be extended, potentially indefinitely. The vulnerability could be exploited by an authorized user or by an attacker who has already compromised a token.

Impact

Exploitation of this vulnerability allows the lifetime of an API token to be extended without authorization, bypassing the configured expiration limit. This can lead to prolonged access to the Oxide API with the privileges associated with the original token.

Reproduction

To reproduce this vulnerability, first obtain a valid Oxide API token. Then use that token to request a renewal through the device authorization process. If the requested expiration exceeds the original token's limit, the request is still processed, effectively extending the token's life. This is done via the Oxide API endpoint for token management, using a session authenticated with the original token.

Remediation

Users should update to Oxide control plane version 17.1, which restores proper expiration limits by capping the maximum life of a renewed token to that of the token used for the renewal. After updating, it is recommended to review all existing tokens via the Oxide API, since tokens renewed before the fix may still carry an extended expiration.
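The check that the 17.1 fix restores, as an added example that is not Oxide's code: a Python model of token renewal with the uncapped pre-17.1 behaviour beside the capped version, plus a small helper for the post-upgrade token review the remediation recommends. The Token class, the two renew functions, find_overextended and the sample timeline are all constructed for this illustration and do not reflect Oxide's actual schema or API.

```python
"""Token renewal: the uncapped behaviour the advisory describes beside the
capped behaviour of the 17.1 fix, plus a post-upgrade review helper.

Added illustration, not Oxide's control plane code. Token, renew_vulnerable,
renew_fixed, find_overextended and the sample timeline are all constructed
for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Token:
    """Minimal API token model (constructed, not Oxide's schema)."""
    token_id: str
    subject: str                      # the user the token acts as
    expires_at: Optional[datetime]    # None means the token never expires
    parent_id: Optional[str] = None   # token used to mint this one, if any


class RenewalError(ValueError):
    """Raised when a renewal request must be refused."""


def _require_live(parent: Token, now: datetime) -> None:
    # An expired token must never be able to mint a successor.
    if parent.expires_at is not None and parent.expires_at <= now:
        raise RenewalError("renewing token has already expired")


def renew_vulnerable(parent: Token, requested: Optional[datetime],
                     now: datetime, new_id: str) -> Token:
    """Pre-17.1 behaviour: the requested expiry is honoured even when it
    exceeds the parent's, so a chain of renewals can outlive the original."""
    _require_live(parent, now)
    return Token(new_id, parent.subject, requested, parent.token_id)


def renew_fixed(parent: Token, requested: Optional[datetime],
                now: datetime, new_id: str) -> Token:
    """17.1 behaviour: the child's expiry is capped at the parent's.
    A request for 'never expire' against a bounded parent is clamped too."""
    _require_live(parent, now)
    if parent.expires_at is None:
        effective = requested            # unbounded parent: nothing to cap against
    elif requested is None:
        effective = parent.expires_at    # 'never' clamped to the parent's bound
    else:
        effective = min(requested, parent.expires_at)
    return Token(new_id, parent.subject, effective, parent.token_id)


def find_overextended(tokens: list) -> list:
    """Post-upgrade review: return ids of tokens that outlive the token they
    were minted from. After 17.1 such tokens can only date from before the fix."""
    by_id = {t.token_id: t for t in tokens}
    flagged = []
    for t in tokens:
        parent = by_id.get(t.parent_id) if t.parent_id else None
        if parent is None or parent.expires_at is None:
            continue
        if t.expires_at is None or t.expires_at > parent.expires_at:
            flagged.append(t.token_id)
    return flagged


# Constructed sample timeline: a one-day token and a renewal asking for a year.
NOW = datetime(2025, 11, 30, tzinfo=timezone.utc)
PARENT = Token("tok-parent", "alice", NOW + timedelta(days=1))
FAR_FUTURE = NOW + timedelta(days=365)


def demo() -> dict:
    """Run both renewal paths on the sample timeline and summarise the outcome."""
    vulnerable = renew_vulnerable(PARENT, FAR_FUTURE, NOW, "tok-vuln")
    fixed = renew_fixed(PARENT, FAR_FUTURE, NOW, "tok-fixed")
    never = renew_fixed(PARENT, None, NOW, "tok-never")
    shorter = renew_fixed(PARENT, NOW + timedelta(hours=1), NOW, "tok-short")
    later = NOW + timedelta(days=2)          # the original token has expired by now
    try:
        renew_fixed(PARENT, FAR_FUTURE, later, "tok-late")
        late_rejected = False
    except RenewalError:
        late_rejected = True
    return {
        "vulnerable_extends_past_parent": vulnerable.expires_at > PARENT.expires_at,
        "vulnerable_live_after_parent_expired": vulnerable.expires_at > later,
        "fixed_capped_to_parent": fixed.expires_at == PARENT.expires_at,
        "never_clamped_to_parent": never.expires_at == PARENT.expires_at,
        "shorter_request_kept": shorter.expires_at == NOW + timedelta(hours=1),
        "expired_parent_rejected": late_rejected,
        "flagged_after_upgrade": find_overextended([PARENT, vulnerable, fixed, never]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The capping rule is the whole fix: a renewal may shorten a token's life but never lengthen it past the token that authorised the renewal, and a "never expires" request from a bounded token is clamped rather than honoured. The find_overextended pass is the kind of review worth running once after upgrading, because tokens minted under the old rule keep their extended expiry until they are revoked.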

Added: Nov 30, 2025, 5:18 AM
Updated: Nov 30, 2025, 5:18 AM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          0.0
  exploitability  6.3
  remediation     7.7
  relevance       1.2
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.