MISP OIDC Authentication Plugin Account Takeover Vulnerability

Vulnerability

A vulnerability in MISP's OpenID Connect (OIDC) authentication plugin allows an OIDC identity to be linked automatically to an existing local user account on the basis of the email claim alone. The link is made whenever the local account has no stored 'sub' (OIDC subject) value. With an insecure or untrusted Identity Provider (IdP) configuration, where email ownership is not verified, an attacker holding a valid OIDC token that asserts a victim's email address is linked to, and logged in as, the victim's account.

Impact

Exploitation results in unauthorized access to user accounts: an attacker can take over any local account whose email address matches the email claim in the OIDC token used in the attack, provided that account has not yet been linked to an OIDC subject (no stored 'sub' value).

Reproduction

To reproduce this vulnerability, enable the OIDC authentication plugin in MISP and allow email linking by setting 'OidcAuth.allow_email_linking' to true. Use an IdP that does not enforce email ownership verification. Then present a valid OIDC token whose email claim matches a local user account that has no stored 'sub' value: the plugin links the token's identity to that account and grants access to it.

Remediation

Users can disable the email linking feature by setting 'OidcAuth.allow_email_linking' to false. If linking must remain enabled, ensure that the IdP verifies email ownership and require the 'email_verified' claim to be true before an OIDC identity is linked to a local account. Note that 'email_verified' only protects against this attack when the IdP issuing the token is itself trusted to check ownership, which is why both conditions are needed.
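The following Python is an added illustration of the linking decision described in the Reproduction and Remediation sections above; it is not code from MISP or its OidcAuth plugin. The LocalUser record, the resolve_user() function, the LinkRefused exception and the sample token and account data are all constructed here to show how a token from an untrusted IdP that merely asserts the victim's email gets linked to the victim's account when no 'sub' is stored, and how requiring 'email_verified' (or disabling linking) stops it.

```python
"""Added illustration of email-based OIDC account linking (not MISP's code).

LocalUser, resolve_user, LinkRefused and the sample data are constructed for
this example to model the behaviour the advisory describes.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LocalUser:
    email: str
    sub: Optional[str] = None  # OIDC subject pinned to this account, if any


class LinkRefused(Exception):
    """Raised when the token cannot be mapped to any local account."""


def resolve_user(users, claims, allow_email_linking, require_email_verified):
    """Map ID-token claims to a LocalUser, linking by email if permitted.

    Order of checks (modelled on the advisory's description, not the plugin):
      1. a user whose stored 'sub' equals the token's 'sub' is accepted;
      2. otherwise, if allow_email_linking is set, a user with the same email
         and NO stored 'sub' is linked (sub written) and accepted; with
         require_email_verified the token must also carry email_verified=True;
      3. anything else is refused.
    """
    sub = claims.get("sub")
    email = claims.get("email")
    if not sub:
        raise LinkRefused("token has no 'sub' claim")
    # 1. previously linked account: the subject is the identity we trust
    for user in users:
        if user.sub == sub:
            return user
    if not allow_email_linking:
        raise LinkRefused("unknown sub and OidcAuth.allow_email_linking is off")
    if not email:
        raise LinkRefused("token has no 'email' claim to link on")
    # hardened variant: only trust the email claim if the IdP vouches for it
    if require_email_verified and claims.get("email_verified") is not True:
        raise LinkRefused("email claim is not marked verified by the IdP")
    for user in users:
        # case-insensitive comparison is an assumption of this model
        if user.email.lower() == email.lower() and user.sub is None:
            user.sub = sub  # pin the subject; later logins must present it
            return user
    raise LinkRefused("no linkable local account for this email")


def attacker_scenario(require_email_verified):
    """Attacker-controlled IdP issues a token claiming the victim's email.

    Returns (login_succeeded, victim_sub_after) for a fresh victim account
    that has no stored 'sub'.
    """
    victim = LocalUser(email="victim@example.org")
    attacker_token = {  # constructed sample claims
        "sub": "attacker-subject-1",
        "email": "victim@example.org",
        "email_verified": False,  # untrusted IdP: ownership never checked
    }
    try:
        user = resolve_user([victim], attacker_token, True, require_email_verified)
        return user is victim, victim.sub
    except LinkRefused:
        return False, victim.sub


def already_linked_scenario():
    """A victim whose account already stores its own 'sub' is not linkable."""
    victim = LocalUser(email="victim@example.org", sub="victim-subject-9")
    attacker_token = {"sub": "attacker-subject-1",
                      "email": "victim@example.org", "email_verified": True}
    try:
        resolve_user([victim], attacker_token, True, False)
        return False
    except LinkRefused:
        return victim.sub == "victim-subject-9"


if __name__ == "__main__":
    print("vulnerable config:", attacker_scenario(require_email_verified=False))
    print("hardened config:  ", attacker_scenario(require_email_verified=True))
    print("already linked:   ", already_linked_scenario())
```

In the vulnerable configuration the attacker's subject is written into the victim's record, so every later login with that token lands in the victim's account through the 'sub' match alone. The email_verified check only helps if the IdP setting it is trusted: an attacker-run IdP can assert email_verified=True, which is why the remediation also calls for the IdP to verify ownership, or for linking to be disabled outright.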

Added: May 20, 2026, 4:22 PM
Updated: May 20, 2026, 4:22 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 1.3
exploitability: 8.0
remediation: 8.3
relevance: 8.9
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.