CVE-2019-10907
📋 TL;DR
Airsonic 10.2.1 uses Spring's default remember-me authentication with a fixed MD5 key, allowing attackers who capture authentication cookies to offline brute-force user passwords. This affects all Airsonic instances running the vulnerable version with remember-me functionality enabled. The vulnerability stems from using weak cryptographic primitives with predictable keys.
💻 Affected Systems
- Airsonic
📦 What is this software?
Airsonic by Airsonic Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to the Airsonic server, potentially compromising the entire system and accessing sensitive media files and user data.
Likely Case
Attackers compromise user accounts to access personal media libraries and potentially escalate privileges within the Airsonic application.
If Mitigated
Attackers capture cookies but cannot efficiently crack passwords due to proper cryptographic controls, limiting impact to session hijacking only.
🎯 Exploit Status
Exploitation requires capturing authentication cookies first, but the password cracking process itself is trivial due to weak cryptography.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 3e07ea52885f88d3fbec444dfd592f27bfb65647 and in every release that includes it
Vendor Advisory: https://github.com/airsonic/airsonic/commit/3e07ea52885f88d3fbec444dfd592f27bfb65647
Restart Required: Yes
Instructions:
1. Update Airsonic to a build that includes commit 3e07ea52885f88d3fbec444dfd592f27bfb65647.
2. Restart the Airsonic service.
3. Invalidate all existing remember-me tokens by having users log out and back in.
🔧 Temporary Workarounds
Disable remember-me functionality
Temporarily disable Spring's remember-me authentication feature so that a captured cookie carries no crackable token
- Edit GlobalSecurityConfig.java to remove or comment out the remember-me configuration
- Set spring.security.remember-me.enabled=false in application properties
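The weak setting beside a corrected one, as an added illustration that is not Airsonic's GlobalSecurityConfig.java and not the content of the fix commit. It assumes the Spring Security 4.x/5.x WebSecurityConfigurerAdapter style that Airsonic 10.2.1 used; the class name, the KeySettings persistence hook and the cookie lifetime are assumptions, while the rememberMe() DSL calls are standard Spring Security.

```java
// Added illustration, not Airsonic's GlobalSecurityConfig.java and not the content of
// the fix commit. The class name, the KeySettings hook and the validity period are
// assumptions; the Spring Security API calls are the standard remember-me DSL.
import java.security.SecureRandom;
import java.util.Base64;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

public class RememberMeKeyExample extends WebSecurityConfigurerAdapter {

    // Vulnerable pattern: one literal key shared by every installation. Because
    // Spring's token-based remember-me signature covers the user's password and this
    // key, a captured cookie lets anyone who knows the key test password guesses offline.
    private static final String WEAK_FIXED_KEY = "airsonic";

    // Assumed persistence hook (for example a row in the settings table) so the key
    // survives restarts without being committed to source control.
    public interface KeySettings {
        String getRememberMeKey();
        void setRememberMeKey(String key);
    }

    private final String rememberMeKey;

    public RememberMeKeyExample(KeySettings settings) {
        this.rememberMeKey = loadOrCreateKey(settings);
    }

    // Hardened pattern: generate a 256-bit random key once per instance. Rotating it
    // (or deleting the stored value) invalidates every outstanding remember-me cookie,
    // which is also how to force re-authentication after deploying the fix.
    static String loadOrCreateKey(KeySettings settings) {
        String key = settings.getRememberMeKey();
        if (key == null || key.isEmpty()) {
            byte[] raw = new byte[32];
            new SecureRandom().nextBytes(raw);
            key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            settings.setRememberMeKey(key);
        }
        return key;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Before (vulnerable):  http.rememberMe().key(WEAK_FIXED_KEY);
        http.rememberMe()
            .key(rememberMeKey)                    // per-instance secret, never "airsonic"
            .tokenValiditySeconds(14 * 24 * 3600); // assumed: two-week cookie lifetime
    }
}
```

A per-instance key stops the offline check from working without the server's secret, but the token-based scheme in that Spring Security version still signs with MD5; Spring's PersistentTokenBasedRememberMeServices, which stores random series/token pairs server-side and never folds the password into the cookie, removes the password from the equation entirely.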
🧯 If You Can't Patch
- Implement network segmentation to restrict access to Airsonic instances
- Enable HTTPS with HSTS to protect authentication cookies from capture
🔍 How to Verify
Check if Vulnerable:
Check GlobalSecurityConfig.java for the fixed remember-me key 'airsonic' and for MD5-based token signing in the remember-me configuration
Check Version:
Check Airsonic web interface or application logs for version information
Verify Fix Applied:
Verify that commit 3e07ea52885f88d3fbec444dfd592f27bfb65647 is included in the Airsonic build you are running
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from single IP
- Unusual remember-me token usage patterns
Network Indicators:
- Unencrypted authentication cookie transmission
- Brute-force attempts against authentication endpoints
SIEM Query:
source="airsonic" AND (event="authentication_failure" OR event="cookie_theft")