CVE-2023-44039
📋 TL;DR
This vulnerability allows an internal unauthenticated attacker who can pass enrollment verifications to register their FIDO authenticator to a victim's account, enabling account takeover. It affects VeridiumID authentication platform users before version 3.5.0. The attacker must have internal network access and enrollment privileges.
💻 Affected Systems
- VeridiumID Authentication Platform
📦 What is this software?
Veridiumad by Veridiumid
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user account in the system, allowing unauthorized access to sensitive data and systems protected by VeridiumID authentication.
Likely Case
Targeted account compromise of specific users by malicious insiders or attackers who have gained internal network access and enrollment capabilities.
If Mitigated
Limited impact with proper network segmentation and strict access controls on enrollment processes.
🎯 Exploit Status
Exploitation requires internal network access and the ability to pass enrollment verifications, but the actual attack mechanism is straightforward once those conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.0
Vendor Advisory: https://docs.veridiumid.com/docs/v3.5/security-advisory#id-%28v3.52%29SecurityAdvisory-Acknowledgement
Restart Required: Yes
Instructions:
1. Download VeridiumID version 3.5.0 or later from official vendor sources. 2. Backup current configuration and data. 3. Stop VeridiumID services. 4. Install the updated version. 5. Restart services and verify functionality.
🔧 Temporary Workarounds
Restrict Enrollment Access
allLimit internal network access to enrollment endpoints and implement strict access controls on who can perform enrollment operations.
Network Segmentation
allIsolate VeridiumID systems from general internal network access, allowing only authenticated and authorized connections.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access enrollment endpoints
- Enable detailed logging and monitoring of all enrollment activities for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check VeridiumID version via admin interface or configuration files. If version is below 3.5.0, system is vulnerable.Check Version:
Check admin dashboard or configuration files for version information (specific command varies by deployment)Verify Fix Applied:
Verify version is 3.5.0 or higher and test enrollment functionality to ensure proper authentication checks are in place.📡 Detection & Monitoring
Log Indicators:
- Multiple enrollment attempts from same internal IP
- Enrollment activities outside normal business hours
- Enrollment for accounts not belonging to the enrolling user
Network Indicators:
- Unusual traffic patterns to WebAuthn enrollment endpoints
- Internal connections attempting enrollment without proper authentication
SIEM Query:
source="veridiumid" AND (event_type="enrollment" OR event_type="webauthn") AND user_agent NOT IN ["expected_user_agents"]🔗 References
- https://docs.veridiumid.com/docs/v3.5/security-advisory#id-%28v3.52%29SecurityAdvisory-Acknowledgement
- https://veridiumid.com/veridium-id-authentication-platform/
- https://docs.veridiumid.com/docs/v3.5/security-advisory#id-%28v3.52%29SecurityAdvisory-Acknowledgement
- https://veridiumid.com/veridium-id-authentication-platform/
