Soft Serve Authentication Bypass Vulnerability Allowing User Impersonation

Vulnerability

A critical authentication bypass vulnerability has been identified in Soft Serve Git server versions 0.11.2 and prior. It allows an attacker to impersonate any user, including administrators, by presenting the victim's public key during the SSH handshake before authenticating with their own valid key. The root cause is that the user identity looked up during the public-key 'offer' phase is retained in the session context and is not cleared when that authentication attempt fails, so the identity established by the offered key survives into a session that was actually authenticated with a different key. As a result, an attacker can gain unauthorized access and privileges.

Impact

Exploitation of this vulnerability allows for unauthorized user impersonation, including gaining administrative rights, by exploiting the SSH public key authentication process.

Reproduction

To reproduce this vulnerability, an attacker must first obtain the public key of a victim user, preferably an admin. The attacker then configures their SSH client to offer the victim's public key followed by their own valid key. During the SSH handshake, the server will accept the attacker's key while still retaining the context of the victim's key, allowing the attacker to impersonate the victim.
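The state-retention flaw described in the Vulnerability and Reproduction sections above, modelled as an added Go example (not Soft Serve's code): a public-key handler that records the identity during the unsigned key query and never clears it, beside a corrected handler that re-derives the identity from the key in each request. The key fingerprints, account table and the assumption that unregistered keys receive anonymous access are constructed for illustration.

```go
package main

import "fmt"

// authRequest models one SSH "publickey" request: per RFC 4252 a client may
// query whether a key is acceptable (unsigned) before sending a signed request.
type authRequest struct {
	KeyID    string // constructed key fingerprint
	SigValid bool   // true only for a signed request whose signature verifies
}

// sessionContext stands in for the per-connection context read after auth.
type sessionContext struct{ User string }

// Registered accounts by key fingerprint (constructed); unlisted keys are
// assumed to be granted anonymous access, as a Git server might allow.
var users = map[string]string{"SHA256:admin-key": "admin"}

// vulnerableHandler stores the identity as soon as a registered key is offered,
// even in an unsigned query, and leaves it untouched for unregistered keys.
func vulnerableHandler(ctx *sessionContext, keyID string) bool {
	if user, ok := users[keyID]; ok {
		ctx.User = user
	}
	return true // every key is acceptable; unregistered keys are anonymous
}

// fixedHandler re-derives the identity from the key in the current request on
// every call, so a query or a failed attempt cannot leave a stale user behind.
func fixedHandler(ctx *sessionContext, keyID string) bool {
	ctx.User = users[keyID] // "" when the key is not registered
	return true
}

// runHandshake returns the identity the session is bound to once a signed request is accepted ("" = anonymous).
func runHandshake(h func(*sessionContext, string) bool, reqs []authRequest) string {
	ctx := &sessionContext{}
	for _, r := range reqs {
		if h(ctx, r.KeyID) && r.SigValid {
			return ctx.User
		}
	}
	return "<none>"
}

func main() {
	// Constructed sequence: unsigned query with the admin's key, then a signed request with an unregistered key.
	seq := []authRequest{{"SHA256:admin-key", false}, {"SHA256:other-key", true}}
	fmt.Printf("vulnerable=%q fixed=%q\n", runHandshake(vulnerableHandler, seq), runHandshake(fixedHandler, seq))
}
```

The detection-relevant signal is the same in both handlers: the identity a session ends up with must be the one tied to the key whose signature actually verified.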

Remediation

Users are advised to upgrade to Soft Serve version 0.11.3, which addresses this vulnerability.

Added: Jan 22, 2026, 10:34 PM
Updated: Jan 22, 2026, 10:34 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 3.9
remediation: 7.7
relevance: 2.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.