Acegi Misconfiguration: Run-As Authentication Replacement

Java/JSP

Abstract

在 Acegi 中使用 Run-As Authentication 的替代功能可能會導致權限擴大的弱點。

Explanation

Acegi Security 允許在安全物件收回 (callback) 階段暫時替換 SecurityContext 中的 Authentication 物件。僅當 AuthenticationManager 和 AccessDecisionManager 成功處理原始 Authentication 物件時，此情形才會發生。RunAsManager 會建立此項 Authentication 物件。
通常開發人員會使用 RunAsManager，在方法叫用期間內替驗證的使用者設定一個或多個額外角色。這對須要存取遠端應用程式的安全 bean 很有幫助。由於遠端應用程式可能會要求不同的憑證，因此這可讓呼叫角色與遠端應用程式所需的角色之間進行轉譯，進而使遠端存取成功。系統將完全接受新的 Authentication 物件 (稱為 RunAsUserToken) 做為有效的 Authentication 物件，而不需任何進一步的 Authentication 或授權檢查。
將新的角色或權限新增至新的 Authentication 物件，可能會暫時提升使用者的權限，讓使用者進行未授權的行動。
以下組態顯示使用 RunAsManager，將「UBER_BOSS」角色新增至角色為「ROLE_PEON」的使用者，因此暫時將該名使用者提昇至管理員權限，這會讓所有未賦予權限的使用者取得 PrivateCatalog 的資料。


<bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
...
 <property name="objectDefinitionSource">
   <value>
     com.example.service.PrivateCatalog.getData=ROLE_PEON,RUN_AS_UBER_BOSS
...
   </value>
 </property>
</bean>

References

[1] Ben Alex Acegi Security - Run-As Authentication Replacement

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark complete

[7] Standards Mapping - Common Weakness Enumeration CWE ID 724

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774

[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-23 Session Authenticity (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-23 Session Authenticity

[12] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management

[13] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[14] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management

[15] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[16] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[17] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[18] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[19] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[31] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II

[45] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)

[46] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.config.java.acegi_misconfiguration_run_as_authentication_replacement