CVE-2020-25105
📋 TL;DR
This vulnerability allows attackers to bypass the password reset mechanism in eramba by brute-forcing reset tokens that are drawn from a space of only about one million values. Affected systems are eramba Community c2.8.1 and Enterprise versions before e2.19.3; a successful guess lets the attacker set a new password on the targeted account without knowing the old one.
💻 Affected Systems
- eramba Community
- eramba Enterprise
📦 What is this software?
Eramba by Eramba: an open-source GRC (governance, risk and compliance) platform used to manage risk registers, controls, audits, policies and compliance evidence. Accounts on it typically have access to an organization's most sensitive security documentation.
⚠️ Risk & Real-World Impact
Worst Case
Complete takeover of any account whose username or e-mail the attacker knows, including administrators, giving full read and write access to the organization's risk, audit and compliance data held in eramba.
Likely Case
Unauthorized password resets on targeted accounts and exposure of the risk registers, findings and policy documents those accounts can see. Because the attack leaves the victim locked out, it is likely to be noticed, but only after the data has been read.
If Mitigated
Rate limiting and monitoring slow the attack and make it visible, but they do not shrink the one-million-value token space, so the authentication bypass remains possible until the patch is applied.
🎯 Exploit Status
The token space has roughly one million possible values (about 20 bits), so an attacker who has triggered a reset for a victim account needs at most one million token submissions, and on average half that, to find the valid one. At 100 requests per second that is under three hours, and the submissions are ordinary HTTP requests that any scripting tool can send. No code execution, no credentials and no user interaction are required.
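As an added illustration, not eramba's code and not the GitLab disclosure's proof of concept, the Python below contrasts a token drawn from a one-million-value numeric space with the hardened reset-token design the fix should approximate: an OS CSPRNG token of 256 bits, stored only as a hash, bound to the account, expiring after a TTL, single-use and compared in constant time. The weak generator, the ResetTokenStore class and the 15-minute TTL are assumptions for the example.

```python
import hashlib
import hmac
import math
import random
import secrets
import time

# Weak pattern (hypothetical illustration of a ~1,000,000-value token space,
# not eramba's actual implementation): a zero-padded 6-digit numeric token.
WEAK_TOKEN_SPACE = 1_000_000


def weak_reset_token():
    """Return a 6-digit token: only 10**6 possible values (~20 bits of entropy)."""
    return f"{random.randrange(WEAK_TOKEN_SPACE):06d}"


def token_bits(space):
    """Entropy in bits of a uniformly chosen token from `space` values."""
    return math.log2(space)


def brute_force_seconds(space, requests_per_second):
    """Worst-case seconds to exhaust the token space at a given request rate."""
    return space / requests_per_second


# Hardened pattern: 32 random bytes from the OS CSPRNG, only a hash stored,
# bound to the account, time-limited, single use, constant-time comparison.
TOKEN_TTL_SECONDS = 15 * 60  # assumption: 15-minute validity window


def strong_reset_token():
    """URL-safe token with 256 bits of entropy; brute force is infeasible."""
    return secrets.token_urlsafe(32)


def _token_digest(token):
    # Store a digest so a database leak does not expose usable reset tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    """In-memory stand-in (constructed) for the table a real app would use."""

    def __init__(self):
        self._pending = {}  # username -> (digest, expires_at)

    def issue(self, username, now=None):
        """Create a token for `username`; the clear token goes to the user only."""
        now = time.time() if now is None else now
        token = strong_reset_token()
        self._pending[username] = (_token_digest(token), now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, username, token, now=None):
        """Return True once for the correct, unexpired token; False otherwise."""
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at = entry
        if now > expires_at:
            del self._pending[username]
            return False
        # Constant-time comparison so response timing does not leak prefixes.
        if not hmac.compare_digest(digest, _token_digest(token)):
            return False
        del self._pending[username]  # single use: a second redemption fails
        return True


if __name__ == "__main__":
    print(f"weak token {weak_reset_token()} from {token_bits(WEAK_TOKEN_SPACE):.1f} bits")
    print(f"exhausting it at 100 req/s: {brute_force_seconds(WEAK_TOKEN_SPACE, 100):.0f} s")
    store = ResetTokenStore()
    tok = store.issue("alice")
    print("wrong token accepted:", store.redeem("alice", "000000"))
    print("right token accepted:", store.redeem("alice", tok))
```

The point to carry over to any audit of a reset flow: a token is a credential, so it needs the same entropy, storage and lifetime discipline as a password or session ID; rate limiting is a second layer, not a substitute.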
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: e2.19.3 for Enterprise, Community version should be updated to latest
Vendor Advisory: https://discussions.eramba.org/t/bug-security-vulnerabilities-not-serious/1650/2
Restart Required: Yes
Instructions:
1. Back up your eramba installation and database.
2. Download and install the patched version from official eramba sources.
3. Restart the web server and eramba services.
4. Verify the fix by testing password reset functionality.
🔧 Temporary Workarounds
Rate Limit Password Reset Requests
Linux / nginx: implement rate limiting on the password reset endpoints in front of eramba. This raises the cost of a brute-force run and makes it visible in logs, but it does not shrink the token space, so treat it as a stopgap until the patch is applied.
# Example nginx configuration. The location path below is a placeholder:
# match it to the routes your eramba instance actually serves for reset
# requests and token redemption. If nginx sits behind a load balancer,
# key the zone on the real client address (e.g. via the realip module),
# otherwise every client shares the balancer's IP and the limit is useless.
# In the http {} context: one zone keyed by client IP, 5 requests per minute.
limit_req_zone $binary_remote_addr zone=reset:10m rate=5r/m;
# In the server {} block that serves eramba:
location /password-reset {
    limit_req zone=reset burst=10 nodelay;
    limit_req_status 429;
}
Disable Password Reset Functionality
All platforms: temporarily disable the password reset feature until patching is complete, and have administrators reset passwords manually in the meantime.
# Check whether your eramba version exposes a setting to turn off self-service
# password reset. If it does not, deny the reset routes at the web server or
# reverse proxy (e.g. return 403 for the location used above) until the patched
# version is installed.
🧯 If You Can't Patch
- Implement strong network-level rate limiting on password reset endpoints
- Enable multi-factor authentication for all user accounts
🔍 How to Verify
Check if Vulnerable:
Check eramba version in administration panel or by examining source files. Versions c2.8.1 (Community) or Enterprise versions before e2.19.3 are vulnerable.
Check Version:
Check eramba admin panel or examine /app/Config/version.php file
Verify Fix Applied:
After updating, verify the version shows e2.19.3 or later for Enterprise, or the latest Community version. Then request two or three password reset links for a test account and inspect the tokens: they should be long, non-numeric and entirely different from one another, and submitting a wrong token should fail with the same response and timing whether or not a reset is pending for that account.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed password reset attempts from single IP
- Unusual password reset success patterns
- Account access from new locations shortly after password reset
Network Indicators:
- High volume of requests to password reset endpoints
- Patterned requests to /users/requestPasswordReset or similar endpoints
SIEM Query (Splunk-style; field names are assumptions and must be mapped to your log source):
source="eramba_logs" AND (url="*password-reset*" OR url="*requestPasswordReset*") | stats count by src_ip | where count > 100
A threshold of 100 per source IP is a starting point: an attacker exhausting a one-million-value token space from a single address will exceed it by orders of magnitude, but one spreading the attempts across many addresses may not, so also count reset submissions per target account and alert on a rate that no human user would produce.
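The same logic as the query above, run offline over a few constructed access-log lines, as an added example that is not part of the original page and not eramba's own tooling. It adds one signal the per-IP count misses: a run of consecutive token values from one client, which is a direct sign of enumeration of a small numeric token space even at a low request rate. The log lines, the combined-format parser and the /password-reset?token= redemption path are assumptions; the request path /users/requestPasswordReset is the one named in the advisory text.

```python
import re
from collections import defaultdict

# Constructed sample lines in nginx/Apache combined-style format; these are
# not real eramba logs. The reset-endpoint paths are assumptions, not
# verified eramba routes.
SAMPLE_LOG = """\
203.0.113.9 - - [01/Oct/2020:10:00:00 +0000] "POST /users/requestPasswordReset HTTP/1.1" 200 512
203.0.113.9 - - [01/Oct/2020:10:00:01 +0000] "GET /password-reset?token=000000 HTTP/1.1" 403 120
203.0.113.9 - - [01/Oct/2020:10:00:01 +0000] "GET /password-reset?token=000001 HTTP/1.1" 403 120
203.0.113.9 - - [01/Oct/2020:10:00:01 +0000] "GET /password-reset?token=000002 HTTP/1.1" 403 120
203.0.113.9 - - [01/Oct/2020:10:00:02 +0000] "GET /password-reset?token=000003 HTTP/1.1" 403 120
203.0.113.9 - - [01/Oct/2020:10:00:02 +0000] "GET /password-reset?token=000004 HTTP/1.1" 403 120
198.51.100.4 - - [01/Oct/2020:10:00:05 +0000] "POST /users/requestPasswordReset HTTP/1.1" 200 512
198.51.100.4 - - [01/Oct/2020:10:00:07 +0000] "GET /password-reset?token=731904 HTTP/1.1" 200 2048
192.0.2.77 - - [01/Oct/2020:10:00:09 +0000] "GET /dashboard HTTP/1.1" 200 9000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
RESET_PATHS = ("/users/requestPasswordReset", "/password-reset")  # assumed routes
TOKEN_RE = re.compile(r"[?&]token=(\d+)")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        tok = TOKEN_RE.search(ev["path"])
        ev["token"] = int(tok.group(1)) if tok else None
        events.append(ev)
    return events


def is_reset_request(ev):
    return any(ev["path"].startswith(p) for p in RESET_PATHS)


def reset_counts_by_ip(events):
    """Volume signal: number of reset-related requests per source IP."""
    counts = defaultdict(int)
    for ev in events:
        if is_reset_request(ev):
            counts[ev["ip"]] += 1
    return dict(counts)


def sequential_token_ips(events, min_run=3):
    """Pattern signal: IPs whose submitted tokens form a run of consecutive
    integers of length >= min_run, in log order."""
    tokens_by_ip = defaultdict(list)
    for ev in events:
        if ev["token"] is not None:
            tokens_by_ip[ev["ip"]].append(ev["token"])
    flagged = set()
    for ip, toks in tokens_by_ip.items():
        run = 1
        for prev, cur in zip(toks, toks[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(ip)
                break
    return flagged


def suspicious_ips(events, max_reset_requests=5, min_run=3):
    """Union of the volume and pattern flags. The SIEM query uses a threshold
    of 100; 5 is used here only because the sample is tiny."""
    counts = reset_counts_by_ip(events)
    by_volume = {ip for ip, n in counts.items() if n > max_reset_requests}
    return by_volume | sequential_token_ips(events, min_run)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("reset requests per IP:", reset_counts_by_ip(evs))
    print("sequential-token IPs:", sequential_token_ips(evs))
    print("flagged:", suspicious_ips(evs))
```

In production, keep the sequential-token check even when the volume threshold is high: the GitLab disclosure describes a token space small enough to enumerate, and an attacker who paces requests under the rate limit still tends to walk the space in order.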
🔗 References
- https://discussions.eramba.org/t/bug-security-vulnerabilities-not-serious/1650/2
- https://gitlab.com/gitlab-com/gl-security/disclosures/-/blob/master/005_eramba/eramba_weak_password_reset.md