security: fix oobe-flow reuse when akadmin is deleted (#7361)
Signed-off-by: Jens Langhammer <jens@goauthentik.io> # Conflicts: # website/docs/releases/2023/v2023.10.md
This commit is contained in:
parent
aaa9b398f4
commit
ea75741ec2
|
@ -0,0 +1,25 @@
|
|||
# Generated by Django 4.2.6 on 2023-10-10 17:18
|
||||
|
||||
from django.db import migrations
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
dependencies = [
|
||||
("authentik_flows", "0025_alter_flowstagebinding_evaluate_on_plan_and_more"),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AlterModelOptions(
|
||||
name="flow",
|
||||
options={
|
||||
"permissions": [
|
||||
("export_flow", "Can export a Flow"),
|
||||
("inspect_flow", "Can inspect a Flow's execution"),
|
||||
("view_flow_cache", "View Flow's cache metrics"),
|
||||
("clear_flow_cache", "Clear Flow's cache metrics"),
|
||||
],
|
||||
"verbose_name": "Flow",
|
||||
"verbose_name_plural": "Flows",
|
||||
},
|
||||
),
|
||||
]
|
|
@ -0,0 +1,34 @@
|
|||
# Generated by Django 4.2.6 on 2023-10-28 14:24
|
||||
|
||||
from django.apps.registry import Apps
|
||||
from django.db import migrations
|
||||
from django.db.backends.base.schema import BaseDatabaseSchemaEditor
|
||||
|
||||
|
||||
def set_oobe_flow_authentication(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
|
||||
from guardian.shortcuts import get_anonymous_user
|
||||
|
||||
Flow = apps.get_model("authentik_flows", "Flow")
|
||||
User = apps.get_model("authentik_core", "User")
|
||||
|
||||
db_alias = schema_editor.connection.alias
|
||||
|
||||
users = User.objects.using(db_alias).exclude(username="akadmin")
|
||||
try:
|
||||
users = users.exclude(pk=get_anonymous_user().pk)
|
||||
# pylint: disable=broad-except
|
||||
except Exception: # nosec
|
||||
pass
|
||||
|
||||
if users.exists():
|
||||
Flow.objects.filter(slug="initial-setup").update(authentication="require_superuser")
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
dependencies = [
|
||||
("authentik_flows", "0026_alter_flow_options"),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.RunPython(set_oobe_flow_authentication),
|
||||
]
|
|
@ -85,6 +85,19 @@ entries:
|
|||
identifiers:
|
||||
name: default-oobe-password-usable
|
||||
model: authentik_policies_expression.expressionpolicy
|
||||
- attrs:
|
||||
expression: |
|
||||
# This policy ensures that the setup flow can only be
|
||||
# used one time
|
||||
from authentik.flows.models import Flow, FlowAuthenticationRequirement
|
||||
Flow.objects.filter(slug="initial-setup").update(
|
||||
authentication=FlowAuthenticationRequirement.REQUIRE_SUPERUSER,
|
||||
)
|
||||
return True
|
||||
id: policy-default-oobe-flow-set-authentication
|
||||
identifiers:
|
||||
name: default-oobe-flow-set-authentication
|
||||
model: authentik_policies_expression.expressionpolicy
|
||||
- attrs:
|
||||
fields:
|
||||
- !KeyOf prompt-field-header
|
||||
|
@ -129,6 +142,7 @@ entries:
|
|||
evaluate_on_plan: true
|
||||
invalid_response_action: retry
|
||||
re_evaluate_policies: false
|
||||
id: binding-login
|
||||
identifiers:
|
||||
order: 100
|
||||
stage: !KeyOf stage-default-authentication-login
|
||||
|
@ -144,3 +158,8 @@ entries:
|
|||
policy: !KeyOf policy-default-oobe-prefill-user
|
||||
target: !KeyOf binding-password-write
|
||||
model: authentik_policies.policybinding
|
||||
- identifiers:
|
||||
order: 0
|
||||
policy: !KeyOf policy-default-oobe-flow-set-authentication
|
||||
target: !KeyOf binding-login
|
||||
model: authentik_policies.policybinding
|
||||
|
|
|
@ -42,9 +42,3 @@ entries:
|
|||
user: !KeyOf admin-user
|
||||
attrs:
|
||||
key: !Context token
|
||||
- model: authentik_blueprints.blueprintinstance
|
||||
identifiers:
|
||||
metadata:
|
||||
labels:
|
||||
blueprints.goauthentik.io/system-bootstrap: "true"
|
||||
state: absent
|
||||
|
|
|
@ -155,6 +155,10 @@ image:
|
|||
- web: don't import entire SourceViewPage in flow and user interface (#6761)
|
||||
- web: replace ampersand (#6737)
|
||||
|
||||
## Fixed in 2023.8.4
|
||||
|
||||
- \*: fix [GHSA-rjvp-29xq-f62w](../security/GHSA-rjvp-29xq-f62w), Reported by [@devSparkle](https://github.com/devSparkle)
|
||||
|
||||
## API Changes
|
||||
|
||||
#### What's New
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
# GHSA-rjvp-29xq-f62w
|
||||
|
||||
_Reported by [@devSparkle](https://github.com/devSparkle)_
|
||||
|
||||
## Potential Installation takeover when default admin user is deleted
|
||||
|
||||
### Summary
|
||||
|
||||
In the affected versions, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication.
|
||||
|
||||
### Patches
|
||||
|
||||
authentik 2023.8.4 and 2023.10.2 fix this issue, for other versions the workaround can be used.
|
||||
|
||||
### Impact
|
||||
|
||||
authentik uses a blueprint to create the default admin user, which can also optionally set the default admin users' password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installation becomes available again.
|
||||
|
||||
### Workarounds
|
||||
|
||||
Ensure the default admin user (Username `akadmin`) exists and has a password set. It is recommended to use a very strong password for this user, and store it in a secure location like a password manager. It is also possible to deactivate the user to prevent any logins as akadmin.
|
||||
|
||||
### For more information
|
||||
|
||||
If you have any questions or comments about this advisory:
|
||||
|
||||
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io)
|
|
@ -362,6 +362,7 @@ const docsSidebar = {
|
|||
},
|
||||
items: [
|
||||
"security/policy",
|
||||
"security/GHSA-rjvp-29xq-f62w",
|
||||
"security/CVE-2023-39522",
|
||||
"security/CVE-2023-36456",
|
||||
"security/2023-06-cure53",
|
||||
|
|
Reference in New Issue