Microsoft UFO
- v3.0.1-4-ge2626659
A vulnerability in the Microsoft UFO open-source framework, in version 3.0.1-4-ge2626659, allows cross-client response hijacking over WebSocket connections. The root cause is that a single instance of 'UFOWebSocketHandler' is shared among all authenticated WebSocket connections, and that shared handler stores connection-specific protocol objects in mutable instance fields. Each new connection overwrites those fields, so responses are routed through whichever protocol object was stored last rather than through the connection that issued the request. As a result, the most recently connected client can receive protocol responses intended for another client, giving it unauthorized access to that client's device information and task acknowledgments.
Exploitation of this vulnerability causes cross-client response confusion: an authenticated client receives responses meant for another client. This includes leakage of device information, misdelivery of task and heartbeat acknowledgments, and general session confusion in multi-client deployments. The effect is both an integrity problem, since orchestration across multiple devices is disrupted when acknowledgments reach the wrong client, and a confidentiality problem, since peer device metadata such as system information and hostnames is disclosed to a client that should not see it. Note that the attacker must already hold valid credentials; the flaw is in isolation between authenticated sessions, not in authentication itself.
To reproduce this vulnerability, connect two or more WebSocket clients to the UFO server using the same shared server token. Have the first client request device information or send a task acknowledgment. When a second client connects, it receives the response to the first client's device information request or task acknowledgment, demonstrating the cross-client response hijacking. Because the shared handler always routes through the last-stored protocol object, with more than two clients the responses land on whichever client connected most recently, not necessarily the second one.
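The following is an added model of the mechanism described above and of the reproduction sequence; it is a constructed example, not code from the UFO project. The FakeWebSocket and Protocol classes, the handler names, and the 'device_info' and 'task_ack' message shapes are assumptions standing in for the framework's real objects. The vulnerable handler keeps the per-connection protocol in an instance field that every connect() overwrites; the hardened handler keys protocol state by connection so each response goes back on the socket that asked for it.

```python
"""Shared-handler response hijacking, modelled with in-memory fake sockets.

Constructed example (not UFO code). Two handler styles serve the same
two fake WebSocket connections:
  - VulnerableHandler stores the per-connection protocol in an instance
    field, so the most recent connect() overwrites it for everyone.
  - PerConnectionHandler keeps one protocol per connection, keyed by client.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class FakeWebSocket:
    """Stand-in for an authenticated WebSocket; responses land in `outbox`."""
    client_id: str
    outbox: List[dict] = field(default_factory=list)

    def send(self, message: dict) -> None:
        self.outbox.append(message)


class Protocol:
    """Connection-specific protocol object: it knows which socket to answer on."""

    def __init__(self, ws: FakeWebSocket):
        self.ws = ws

    def reply(self, message: dict) -> None:
        self.ws.send(message)


def build_response(client_id: str, request: dict) -> dict:
    """Constructed server-side logic for the two request kinds named on the page."""
    if request["type"] == "device_info":
        # Per-device metadata that must only ever reach its owner.
        return {"type": "device_info", "owner": client_id,
                "hostname": f"{client_id}-host"}
    if request["type"] == "task_ack":
        return {"type": "task_ack", "owner": client_id,
                "task_id": request["task_id"]}
    raise ValueError(f"unknown request type {request['type']!r}")


class VulnerableHandler:
    """One instance shared by all connections; `self.protocol` is shared mutable state."""

    def __init__(self) -> None:
        self.protocol = None  # last connection wins

    def on_connect(self, ws: FakeWebSocket) -> None:
        self.protocol = Protocol(ws)  # overwrites whoever connected before

    def on_message(self, ws: FakeWebSocket, request: dict) -> None:
        response = build_response(ws.client_id, request)
        # BUG: answers on the most recently stored socket, not on `ws`.
        self.protocol.reply(response)


class PerConnectionHandler:
    """Still one shared instance, but protocol state is kept per connection."""

    def __init__(self) -> None:
        self.protocols: Dict[str, Protocol] = {}

    def on_connect(self, ws: FakeWebSocket) -> None:
        self.protocols[ws.client_id] = Protocol(ws)

    def on_disconnect(self, ws: FakeWebSocket) -> None:
        self.protocols.pop(ws.client_id, None)  # drop state with the connection

    def on_message(self, ws: FakeWebSocket, request: dict) -> None:
        response = build_response(ws.client_id, request)
        self.protocols[ws.client_id].reply(response)  # reply on the requesting connection


def run_scenario(handler) -> Dict[str, List[dict]]:
    """Reproduction sequence from the page: A connects, B connects, A's requests are served.

    Returns each client's outbox so the caller can see who received A's responses.
    """
    a, b = FakeWebSocket("client-a"), FakeWebSocket("client-b")
    handler.on_connect(a)
    handler.on_connect(b)  # second connection overwrites shared state in the vulnerable case
    handler.on_message(a, {"type": "device_info"})
    handler.on_message(a, {"type": "task_ack", "task_id": "t-1"})
    return {a.client_id: a.outbox, b.client_id: b.outbox}


def hijacked(outboxes: Dict[str, List[dict]]) -> List[dict]:
    """Responses that landed in one client's outbox but were built for another client."""
    return [m for cid, box in outboxes.items() for m in box if m["owner"] != cid]


if __name__ == "__main__":
    for handler in (VulnerableHandler(), PerConnectionHandler()):
        result = run_scenario(handler)
        print(type(handler).__name__, "misdelivered:", hijacked(result))
```

Running the script shows two misdelivered messages for VulnerableHandler (client-b receives client-a's device information and task acknowledgment) and none for PerConnectionHandler. The fix is the same whether the real framework uses a dict keyed by connection, a per-connection handler instance, or passes the protocol object through the call chain: connection-specific state must never live in a field of an object shared across connections.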