OpenC3 COSMOS Password Change Vulnerability Allows Account Hijacking
Vulnerability
A vulnerability in OpenC3 COSMOS versions prior to 6.10.5 and 7.0.0-rc3 allows a user's password to be changed without knowledge of the old password: a valid session token is accepted in its place. An attacker who has obtained a valid session token can therefore hijack the account, including admin accounts, and lock the legitimate user out. The root cause is a design flaw in the authentication model, in which session tokens and passwords are interchangeable as credentials. Because the old token also remains valid after the password change, the attacker keeps access to the compromised account.
Impact
Exploitation of this vulnerability allows an attacker to maintain control over a hijacked account, including admin accounts, and disrupt access for legitimate users.
Reproduction
To reproduce this vulnerability, an attacker must first obtain a valid session token for a user account. With the token in hand, the attacker submits a password change request in which the token is sent as the 'old_password' parameter, so the real old password is never required. The request can be intercepted and modified with an intercepting web proxy such as Burp Suite.
Remediation
Users should upgrade to OpenC3 COSMOS versions 6.10.5 or 7.0.0-rc3.
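The two defects described in the Vulnerability section, a session token accepted in place of the old password and sessions that survive a password change, are what a fixed password-change path has to rule out. The following is an added illustration written for this page in Ruby (the language of the COSMOS backend); it is not OpenC3 COSMOS's own code, and the `AccountStore` class, its method names and the PBKDF2 parameters are assumptions. The session identifies who is asking, but the old password is always verified independently against the stored hash, and every outstanding session is revoked by bumping a per-user password generation when the change succeeds.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical account store used to illustrate a hardened password change.
# Not OpenC3 COSMOS's implementation; names and parameters are assumptions.
class AccountStore
  PBKDF2_ITERATIONS = 50_000 # constructed value for the example

  def initialize
    @users = {}    # username => { salt:, hash:, generation: }
    @sessions = {} # token => { username:, generation: }
  end

  def create_user(username, password)
    salt = SecureRandom.random_bytes(16)
    @users[username] = { salt: salt, hash: derive(password, salt), generation: 0 }
  end

  # Issues a session token bound to the password generation current at login.
  def login(username, password)
    user = @users[username]
    return nil unless user && secure_compare(derive(password, user[:salt]), user[:hash])
    token = SecureRandom.hex(32)
    @sessions[token] = { username: username, generation: user[:generation] }
    token
  end

  # A token is valid only while its generation matches the user's current one,
  # so a password change silently invalidates every older token.
  def authenticate(token)
    session = @sessions[token]
    return nil unless session
    user = @users[session[:username]]
    return nil unless user && session[:generation] == user[:generation]
    session[:username]
  end

  # The session proves who is asking; the old password is verified separately
  # against the stored hash, so a token presented as old_password is rejected.
  def change_password(token, old_password, new_password)
    username = authenticate(token)
    return :not_authenticated unless username
    user = @users[username]
    return :wrong_old_password unless secure_compare(derive(old_password, user[:salt]), user[:hash])
    salt = SecureRandom.random_bytes(16)
    user[:salt] = salt
    user[:hash] = derive(new_password, salt)
    user[:generation] += 1 # revokes all sessions issued under the old password
    :ok
  end

  private

  def derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32, 'sha256')
  end

  # Constant-time comparison of two equal-length byte strings.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  store = AccountStore.new
  store.create_user('operator', 'correct horse battery') # constructed sample user
  token = store.login('operator', 'correct horse battery')
  puts "token as old_password: #{store.change_password(token, token, 'new-password-123')}"
  puts "real old password:     #{store.change_password(token, 'correct horse battery', 'new-password-123')}"
  puts "old token still valid: #{!store.authenticate(token).nil?}"
end
```

The generation counter is the piece that addresses the second half of the advisory: rather than hunting down and deleting tokens, the store makes every token issued before the change fail `authenticate`, so the user (or an attacker holding a stolen token) must log in again with the new password.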
