OpenAEV Password Reset Token Management Vulnerability Allows Unauthenticated Account Takeover
Vulnerability
A vulnerability in OpenAEV's password reset mechanism enables an unauthenticated attacker to reset the password of any registered account, leading to full account compromise. This issue affects OpenAEV versions 1.0.0 prior to 2.0.13. The vulnerability arises because password reset tokens never expire and are only 8 digits long, so an attacker can generate tokens and reuse them to reset passwords without authentication. Exploitation can be automated, and once a password has been reset, the attacker can log in as the victim.
Impact
Exploitation of this vulnerability allows an unauthenticated attacker to reset the password of any user account, including those of administrators, and gain unauthorized access to the platform. This access includes the ability to view sensitive data, such as simulation findings, and to modify payloads for deployed agents, potentially compromising all hosts with those agents installed.
Reproduction
To reproduce this vulnerability, first generate valid password reset tokens by sending requests to the password reset endpoint; a script can automate requesting reset codes for a registered email address. Once enough tokens have been generated, brute-force the token space to find a valid token that resets the password of the target account. After the password has been reset, log in with the new credentials to complete the account takeover.
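The two design defects named above (tokens that never expire and an 8-digit code that can be brute-forced) are what the reproduction relies on. The following is an added illustration of the hardened form of such a reset flow; it is not OpenAEV's own code and assumes nothing about its internals. The class and function names (PasswordResetService, issue, redeem), the constants, and the email addresses are hypothetical and constructed for the example. It shows the four controls a reset-token store needs: high-entropy random tokens, a short expiry, single-use redemption, and an attempt limit, with the stored token hashed so a database leak does not expose live tokens.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_BYTES = 32            # 256 bits of entropy (an 8-digit code is only ~26.6 bits)
TOKEN_TTL_SECONDS = 15 * 60  # tokens are worthless after 15 minutes
MAX_FAILED_ATTEMPTS = 5      # per-account guesses before resets are locked out


@dataclass
class ResetRecord:
    token_hash: bytes        # only the SHA-256 of the token is stored
    expires_at: float
    failed_attempts: int = 0


class PasswordResetService:
    """Hypothetical reset-token store: random, hashed, expiring, single-use, attempt-limited."""

    def __init__(self, clock=time.time):
        # clock is injectable so expiry can be tested without sleeping
        self._clock = clock
        self._records = {}   # email -> ResetRecord (at most one live token per account)
        self._locked = set()  # accounts whose reset flow is locked after repeated bad guesses

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, email: str) -> str:
        """Mint a fresh token for email; any previously issued token is invalidated."""
        if email in self._locked:
            raise PermissionError("password reset is locked for this account")
        token = secrets.token_urlsafe(TOKEN_BYTES)  # CSPRNG, not a short numeric code
        self._records[email] = ResetRecord(
            token_hash=self._hash(token),
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        return token  # delivered out of band (e-mail); never logged or stored in clear

    def redeem(self, email: str, token: str) -> bool:
        """Return True exactly once for a valid, unexpired token; False otherwise."""
        rec = self._records.get(email)
        if rec is None or email in self._locked:
            return False
        if self._clock() > rec.expires_at:
            del self._records[email]        # expired tokens are purged, not retried
            return False
        # constant-time comparison avoids leaking how many bytes matched
        if not hmac.compare_digest(rec.token_hash, self._hash(token)):
            rec.failed_attempts += 1
            if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self._locked.add(email)     # brute force is cut off well short of 10**8 guesses
                del self._records[email]
            return False
        del self._records[email]            # single-use: a redeemed token cannot be replayed
        return True


if __name__ == "__main__":
    svc = PasswordResetService()
    t = svc.issue("alice@example.test")   # constructed sample account
    print("first redemption:", svc.redeem("alice@example.test", t))   # True
    print("replay attempt:  ", svc.redeem("alice@example.test", t))   # False
```

A real deployment would additionally rate-limit the request endpoint per source and per account, and log lockouts so that repeated redemption failures against one mailbox surface as an alert.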
Remediation
Users are advised to upgrade to OpenAEV version 2.0.13, where this vulnerability has been fixed.