RELATE Courseware Predictable Token Generation Vulnerability

Vulnerability

A vulnerability exists in the RELATE web-based courseware package in versions through 2024.1. The 'make_sign_in_key' function in 'auth.py' and the 'gen_ticket_code' function in 'exam.py' generate security-sensitive tokens with a non-cryptographic pseudorandom number generator (PRNG). Because such a generator's output is determined by its internal state, the tokens are predictable: an attacker who observes enough of them could predict future token values.

Impact

The vulnerability allows for the prediction of tokens used in password reset links, email-based sign-in, API authentication tokens, and exam ticket codes. This predictability could lead to account takeover by intercepting and using password reset tokens or unauthorized access to exams by predicting ticket codes.

Reproduction

The vulnerability can be reproduced by observing the output of the affected token generation functions: 'make_sign_in_key' is called with a user object, and 'gen_ticket_code' can be called directly. Because the underlying Mersenne Twister PRNG is deterministic given its internal state, an attacker who has observed enough generated tokens could predict future outputs.

Remediation

The vulnerability has been patched in the RELATE courseware package. Users should update to a version that includes commit 2f68e16cd3b96d25c188c1aa3f7e13cdb15cdaeb, which replaces the non-cryptographic PRNG with Python's 'secrets' module, which is designed for generating cryptographically secure tokens.
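The weak and hardened patterns side by side, as an added example that is not RELATE's code: the function bodies below are constructed to model the advisory's description ('random' for tokens, replaced by 'secrets'), and the names make_token_weak, make_token_secure and find_random_token_calls are hypothetical. The last function is a small code-review aid that lists 'random' module calls so a reviewer can confirm none of them produce security-sensitive tokens.

```python
"""Weak vs. hardened token generation, modelling the RELATE advisory.

Constructed example: these functions are NOT RELATE's code. They show the
pattern the advisory describes (Mersenne Twister via `random`) beside the
fix (the `secrets` module), plus a review helper for spotting the pattern.
"""
import ast
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def make_token_weak(length: int = 32) -> str:
    """Vulnerable pattern: `random` is a Mersenne Twister, not a CSPRNG.
    Its output is a pure function of its internal state, so observed
    tokens carry information about the tokens that follow."""
    return "".join(random.choice(ALPHABET) for _ in range(length))


def make_token_secure(length: int = 32) -> str:
    """Hardened pattern: `secrets` draws from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def weak_generator_is_deterministic(seed: int = 1234, length: int = 32) -> bool:
    """Defender's illustration: restoring the same state makes `random`
    emit the identical token, which is exactly why it is unsuitable."""
    random.seed(seed)
    first = make_token_weak(length)
    random.seed(seed)
    second = make_token_weak(length)
    return first == second


RANDOM_FUNCS = {"random", "choice", "choices", "randint", "randrange",
                "getrandbits", "sample", "shuffle"}


def find_random_token_calls(source: str) -> list[tuple[int, str]]:
    """Code-review aid: return (line, call) for every `random.<func>()`
    in `source`, so token-generating functions can be audited."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            target = node.func.value
            if (isinstance(target, ast.Name) and target.id == "random"
                    and node.func.attr in RANDOM_FUNCS):
                hits.append((node.lineno, f"random.{node.func.attr}"))
    return hits
```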

Added: May 7, 2026, 3:45 PM
Updated: May 7, 2026, 3:45 PM

Vulnerability Rating (Custom Algorithm)

  Category        Score
  spread            0.0
  impact            5.0
  exploitability    8.4
  remediation       0.0
  relevance         7.7
  threat            4.8
  urgency           2.9
  incentive         4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.