OpenSIPS SQL Injection Vulnerability in auth_jwt Module Allows Authentication Bypass

Vulnerability

A SQL injection vulnerability has been identified in auth_jwt, the OpenSIPS authentication module for JSON Web Tokens (JWT), affecting versions from 3.1 up to, but not including, 3.6.4. The vulnerability arises in the jwt_db_authorize() function, where the module extracts the 'tag' claim from a JWT without verifying its signature. This unescaped value is then inserted directly into a SQL query. An attacker can exploit this by crafting a JWT with a malicious tag claim that manipulates the query results, bypassing JWT authentication and allowing impersonation of any user.

Impact

Exploitation of this vulnerability could lead to unauthorized access by bypassing JWT authentication, allowing attackers to impersonate legitimate users.

Reproduction

To reproduce this vulnerability, first ensure that OpenSIPS is running a version from 3.1 up to, but not including, 3.6.4 with the auth_jwt module enabled. The jwt_db_authorize() function decodes JWT tokens without verifying their signatures, so the 'tag' claim reaches the SQL query as attacker-controlled input. A JWT whose tag claim carries a SQL injection payload will therefore alter the query executed by the vulnerable function.

Remediation

Users can upgrade to OpenSIPS version 3.6.4 or later, where this vulnerability has been fixed.
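
The two defences this flaw class calls for, shown as an added example that is not OpenSIPS code: the still-unverified tag is shape-checked and passed to the database as a bound parameter, and the signature is verified before the token is trusted. The Python/SQLite stand-in, the `jwt_secrets` schema, the tag pattern and the use of HS256 are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, re, sqlite3

# Assumption: tags are short identifiers; the module's real tag format is not given on the page.
TAG_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_db():
    """Constructed in-memory stand-in for the secrets table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jwt_secrets (tag TEXT PRIMARY KEY, username TEXT, secret TEXT)")
    db.executemany("INSERT INTO jwt_secrets VALUES (?, ?, ?)",
                   [("tag-alice", "alice", "alice-secret"), ("tag-bob", "bob", "bob-secret")])
    return db

def sign_hs256(claims, secret):
    """Build a constructed sample token for the demo."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(mac)}"

def lookup(db, tag):
    # The flaw described above is this query built by pasting the tag into the SQL text.
    # A bound parameter keeps the tag as data, whatever characters it contains.
    return db.execute("SELECT username, secret FROM jwt_secrets WHERE tag = ?", (tag,)).fetchall()

def authorize(db, token):
    """Return the authenticated username, or None if the token is rejected."""
    try:
        head, body, sig = token.split(".")
        header, claims, sig_raw = json.loads(b64d(head)), json.loads(b64d(body)), b64d(sig)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    tag = claims.get("tag")  # still untrusted: the signature has not been checked yet
    if header.get("alg") != "HS256" or not isinstance(tag, str) or not TAG_RE.fullmatch(tag):
        return None
    rows = lookup(db, tag)
    if len(rows) != 1:  # exactly one secret per tag, otherwise fail closed
        return None
    username, secret = rows[0]
    expected = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return username if hmac.compare_digest(expected, sig_raw) else None
```

The bound parameter is the control that matters; the tag pattern is defence in depth and should be adjusted to whatever tag format a deployment actually uses.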

Added: Feb 25, 2026, 11:07 PM
Updated: Feb 25, 2026, 11:07 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 3.1
exploitability: 9.3
remediation: 7.7
relevance: 3.5
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.