Microsoft UFO Constellation Client Cross-Device Task-Result Injection Vulnerability

Vulnerability

A vulnerability exists in the Microsoft UFO open-source framework, specifically in the constellation client's task response handling. In versions 3.0.1-4-ge2626659, the client tracks pending task responses using only session IDs, without verifying that a TASK_END message originated from the device that received the task. This flaw allows an authenticated peer device to send a forged TASK_END message, injecting attacker-controlled result data into the task completion process of a victim device.
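The pattern the advisory describes, and the check that closes it, as an added illustration that is not UFO's own code. The class and message names (`TaskEnd`, `SessionOnlyTracker`, `SenderBoundTracker`) and the message fields are hypothetical; the example assumes that the transport layer authenticates peers and hands the handler the verified identity of the sending device, separate from anything the message body claims.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed message shape for illustration; not UFO's real TASK_END schema.
@dataclass
class TaskEnd:
    session_id: str
    result: dict


class SessionOnlyTracker:
    """The flaw pattern: pending tasks are keyed by session ID alone, so a
    TASK_END is accepted from any authenticated peer that supplies a matching
    session ID, not just from the device the task was dispatched to."""

    def __init__(self) -> None:
        # session_id -> device the task was dispatched to
        self._pending: Dict[str, str] = {}

    def dispatch(self, session_id: str, target_device: str) -> None:
        self._pending[session_id] = target_device

    def on_task_end(self, sender_device: str, msg: TaskEnd) -> Tuple[str, Optional[dict]]:
        if msg.session_id not in self._pending:
            return ("unknown_session", None)
        # sender_device is never consulted: this is the defect.
        self._pending.pop(msg.session_id)
        return ("accepted", msg.result)


class SenderBoundTracker(SessionOnlyTracker):
    """Mitigation: honour a TASK_END only when the authenticated sender is the
    device the task was sent to. A mismatch leaves the task pending and is
    recorded so it can be surfaced to monitoring."""

    def __init__(self) -> None:
        super().__init__()
        # (session_id, expected_device, actual_sender) for each rejected message
        self.rejections: List[Tuple[str, str, str]] = []

    def on_task_end(self, sender_device: str, msg: TaskEnd) -> Tuple[str, Optional[dict]]:
        assigned = self._pending.get(msg.session_id)
        if assigned is None:
            return ("unknown_session", None)
        if sender_device != assigned:
            self.rejections.append((msg.session_id, assigned, sender_device))
            return ("sender_mismatch", None)   # task stays pending for the real device
        self._pending.pop(msg.session_id)      # first valid completion wins; replays fall through to unknown_session
        return ("accepted", msg.result)


def demo() -> Dict[str, Tuple[str, Optional[dict]]]:
    """Run the same forged and legitimate completions through both trackers."""
    forged = TaskEnd("sess-1", {"status": "done", "output": "attacker-controlled"})
    genuine = TaskEnd("sess-1", {"status": "done", "output": "real result"})

    weak = SessionOnlyTracker()
    weak.dispatch("sess-1", "device-B")

    strong = SenderBoundTracker()
    strong.dispatch("sess-1", "device-B")

    return {
        "weak_forged": weak.on_task_end("device-C", forged),      # accepted: the flaw
        "strong_forged": strong.on_task_end("device-C", forged),  # rejected
        "strong_genuine": strong.on_task_end("device-B", genuine),
        "strong_replay": strong.on_task_end("device-B", genuine), # already completed
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The important design point is where `sender_device` comes from: it must be the identity the transport authenticated (the peer certificate, session key or connection record), not a field copied out of the TASK_END payload, or the check can be satisfied by the forger simply naming the victim device. Logging the `rejections` tuples gives an operator a concrete signal that a peer is attempting to close sessions it was never assigned.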

Impact

Exploitation of this vulnerability allows an authenticated peer device to manipulate task completion results for another device, injecting false data and potentially disrupting automated processes that rely on accurate task outcomes. This could lead to incorrect orchestration results and interfere with subsequent automation decisions.

Reproduction

To reproduce this vulnerability, an authenticated peer device must send a forged TASK_END message to a victim device, using a session ID that corresponds to a pending task on the victim device. The constellation client will accept the forged message and complete the task for the victim device with the injected result data.

Added: May 28, 2026, 3:05 AM
Updated: May 28, 2026, 3:05 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.