CVE-2024-2450
📋 TL;DR
This vulnerability allows authenticated attackers to take over other user accounts in Mattermost by exploiting a flaw in authentication switching from email to SAML. Attackers can craft malicious switch requests to hijack accounts under specific conditions. Organizations running affected Mattermost versions are at risk.
💻 Affected Systems
- Mattermost
📦 What is this software?
Mattermost Server by Mattermost
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user, including administrators, leading to data theft, privilege escalation, and potential lateral movement within the organization.
Likely Case
Targeted account takeover of specific users, potentially leading to unauthorized access to sensitive communications, data exfiltration, and impersonation attacks.
If Mitigated
Limited impact if strong authentication controls, monitoring, and least privilege principles are already implemented, though risk remains until patched.
🎯 Exploit Status
Requires authenticated access and specific conditions where users switch authentication methods. Attackers need to craft malicious switch requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.1.10, 9.2.6, 9.3.2, 9.4.3
Vendor Advisory: https://mattermost.com/security-updates
Restart Required: Yes
Instructions:
1. Back up your Mattermost instance.
2. Download the patched version from Mattermost releases.
3. Follow the Mattermost upgrade documentation for your deployment method (Docker, binary, etc.).
4. Restart the Mattermost service.
5. Verify the upgrade was successful.
🔧 Temporary Workarounds
Disable SAML Authentication
Temporarily disable SAML authentication to prevent exploitation of the vulnerability.
Edit config.json: set 'EnableSaml' to false
Restart Mattermost service
Restrict Authentication Switching
Disable the ability for users to switch between authentication methods via configuration.
Edit config.json: set 'EnableSignUpWithEmail' and related auth switching options appropriately
Restart Mattermost service
🧯 If You Can't Patch
- Implement strict access controls and monitor for suspicious authentication switching activity.
- Enable detailed logging for authentication events and review logs regularly for anomalous switch requests.
🔍 How to Verify
Check if Vulnerable:
Check Mattermost version via web interface (Main Menu > About Mattermost) or command line: 'mattermost version'
Check Version:
mattermost version
Verify Fix Applied:
Verify the running version is at least the patched release for your branch (8.1.10, 9.2.6, 9.3.2, or 9.4.3) or higher. Test the authentication switching functionality to confirm it behaves as expected.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication method switching events
- Multiple failed authentication attempts followed by successful switch
- User accounts accessing from unexpected locations after auth switch
Network Indicators:
- Unusual patterns in authentication API requests
- Spike in /api/v4/users/switch_method requests
SIEM Query:
source="mattermost" AND (event="authentication_switch" OR message="*switch*authentication*")
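The log and network indicators above can be checked offline with a small detector. This is an added example, not part of the advisory or the Mattermost project; it assumes request logs exported as JSON with `ts`, `user`, `ip`, `path` and `status` fields (the field names are an assumption, not Mattermost's native log format), and it uses the switch endpoint path exactly as named in the network indicators. The sample log lines are constructed.

```python
"""Flag suspicious authentication-method switch activity in request logs."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Path taken from this advisory's network indicators; adjust if your logs differ.
SWITCH_PATH = "/api/v4/users/switch_method"

# Constructed sample: alice switches and then appears from a new IP;
# bob fires a burst of switch requests; carol makes a single benign switch.
SAMPLE_LOGS = [
    '{"ts":"2024-03-01T10:00:00Z","user":"alice","ip":"10.0.0.5","path":"/api/v4/users/me","status":200}',
    '{"ts":"2024-03-01T10:01:00Z","user":"alice","ip":"10.0.0.5","path":"/api/v4/users/switch_method","status":200}',
    '{"ts":"2024-03-01T10:02:00Z","user":"alice","ip":"203.0.113.9","path":"/api/v4/users/me","status":200}',
    '{"ts":"2024-03-01T11:00:00Z","user":"bob","ip":"10.0.0.7","path":"/api/v4/users/switch_method","status":400}',
    '{"ts":"2024-03-01T11:00:05Z","user":"bob","ip":"10.0.0.7","path":"/api/v4/users/switch_method","status":400}',
    '{"ts":"2024-03-01T11:00:10Z","user":"bob","ip":"10.0.0.7","path":"/api/v4/users/switch_method","status":200}',
    '{"ts":"2024-03-01T12:00:00Z","user":"carol","ip":"10.0.0.8","path":"/api/v4/users/switch_method","status":200}',
]


def parse(lines):
    """Parse JSON log lines (assumed field layout) and sort them by timestamp."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_switch_anomalies(lines, burst_threshold=3, window=timedelta(minutes=5)):
    """Return (user, reason) findings for switch bursts and post-switch new-IP access."""
    findings = []
    switches = defaultdict(list)   # user -> timestamps of switch requests
    known_ips = defaultdict(set)   # user -> source IPs seen on non-switch requests
    switched = set()               # users that have issued at least one switch
    for event in parse(lines):
        user, ip = event["user"], event["ip"]
        if event["path"] == SWITCH_PATH:
            switches[user].append(event["ts"])
            recent = [t for t in switches[user] if event["ts"] - t <= window]
            if len(recent) >= burst_threshold:
                findings.append((user, "burst of switch requests"))
            switched.add(user)
        else:
            # An IP never seen for this account, appearing right after a switch,
            # matches the "access from unexpected locations" indicator.
            if user in switched and ip not in known_ips[user]:
                findings.append((user, f"post-switch access from new IP {ip}"))
            known_ips[user].add(ip)
    return findings
```

Tune `burst_threshold` and `window` to your baseline volume of legitimate switches before acting on the burst finding.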