Affected Software
AXESS versions 4.x and 5.0.0 are affected by a potential authentication schema
bypass vulnerability. (Other Axiros products are not affected.)
Date of detection: March 18th 2024 (credits to nsideattacklogic)
Contact: [email protected]
Description
The mentioned AXESS releases are vulnerable to an authentication schema bypass.
Although Axiros cannot make general statements regarding the impact of the mentioned vulnerability on deployed systems, Axiros recommends applying the described fix as soon as possible. Future AXESS versions will include a patch for this vulnerability.
Mitigation & Fix
In order to patch the vulnerability, a file inside the AXUserManager must be replaced and a new permission must be added in the RBAC configuration.
Ansible upgrade process
Please read the Ansible patch procedures before applying the patch.
https://docs.axiros.com/axess-documentation/install/latest/ansible_playbook_reference/utilities/distribute_patches/index.html
Please note that this procedure must be repeated on every environment (e.g. lab, staging, production).
Download the patch file according to the AXESS version
AXESS version   Patch file                            Destination path on the Ansible control machine
4.0.0           AXESS_4_0_0__LegacyAXUserManager.py   /opt/axess-ansible/contrib-project/patches/axess/base/Products/AXUserManager/LegacyAXUserManager.py
4.1.0           AXESS_4_1_0__AXUserManager.py         /opt/axess-ansible/contrib-project/patches/axess/base/Products/AXUserManager/AXUserManager.py
4.2.0           AXESS_4_2_0__AXUserManager.py         /opt/axess-ansible/contrib-project/patches/axess/base/Products/AXUserManager/AXUserManager.py
4.3.0 + 4.3.1   AXESS_4_3_0__AXUserManager.py         /opt/axess-ansible/contrib-project/patches/axess/base/Products/AXUserManager/AXUserManager.py
5.0.0           AXESS_5_0_0__AXUserManager.py         /opt/axess-ansible/contrib-project/patches/axess/base/Products/AXUserManager/AXUserManager.py
Place the file inside the Ansible control machine
Copy the patch file from the table above into your Ansible control machine chroot.
Please note that you might need to create the folder structure inside the patch directory (by default it is empty). Remove the version prefix from the file name before placing it in the patches folder (e.g. rename AXESS_5_0_0__AXUserManager.py to AXUserManager.py).
Create the necessary folder structure
admin@ip-172-31-8-138:~$ sudo chroot /opt/axess-ansible
axess-ansible root@ip-172-31-8-138:/# cd /opt/axess-ansible/contrib-project/patches/
axess-ansible root@ip-172-31-8-138:/opt/axess-ansible/contrib-project/patches# ls -l
total 8.0K
drwxr-xr-x  2 root root 4.0K 2022-11-23 09:07 .
drwxr-xr-x 16 root root 4.0K 2022-07-06 16:11 ..
-rw-r--r--  1 root root    0 2022-11-22 19:00 .gitkeep
# In this setup the patches folder is empty. Now we create the folder structure for the patch
axess-ansible root@ip-172-31-8-138:/opt/axess-ansible/contrib-project/patches# mkdir -p axess/base/Products/AXUserManager/
axess-ansible root@ip-172-31-8-138:/opt/axess-ansible/contrib-project/patches# cd axess/base/Products/AXUserManager/
axess-ansible root@ip-172-31-8-138:/opt/axess-ansible/contrib-project/patches/axess/base/Products/AXUserManager# ls
total 8.0K
drwxr-xr-x 2 root root 4.0K 2024-03-18 16:04 .
drwxr-xr-x 3 root root 4.0K 2024-03-18 16:04 ..
# The folder structure was created, please place the downloaded patch file in that directory so it looks like this
axess-ansible root@ip-172-31-8-138:/opt/axess-ansible/contrib-project/patches/axess/base/Products/AXUserManager# ls -l
total 24K
drwxr-xr-x 2 root root 4.0K 2024-03-18 16:06 .
drwxr-xr-x 3 root root 4.0K 2024-03-18 16:04 ..
-rw-r--r-- 1 root root  15K 2024-03-18 16:06 AXUserManager.py
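The file placement steps above, as an added example that is not part of this advisory or of Axiros' product code: a POSIX shell script, run inside the Ansible control machine chroot, that maps the downloaded patch file name to the destination listed in the version table, strips the version prefix, creates the missing folder structure and copies the file into place. The PATCHES_ROOT variable, the function names, the file-name validation and the check that the copy matches the source are assumptions of this example; the default directory is the one from the table.

```shell
#!/bin/sh
# Added example, not Axiros' code: stage a downloaded AXESS patch file in the
# Ansible control machine's patches directory (run inside the chroot).
# PATCHES_ROOT defaults to the path from the version table; override it to
# try the script elsewhere.
PATCHES_ROOT="${PATCHES_ROOT:-/opt/axess-ansible/contrib-project/patches}"

# Print the destination path, relative to PATCHES_ROOT, for a downloaded
# patch file name: the version prefix "AXESS_x_y_z__" is stripped and the
# remaining name must be one of the two files named in the version table.
patch_destination() {
    name="$1"
    case "$name" in
        AXESS_*__*) ;;
        *) echo "not a versioned AXESS patch file: $name" >&2; return 1 ;;
    esac
    stripped="${name#AXESS_*__}"
    case "$stripped" in
        AXUserManager.py|LegacyAXUserManager.py)
            echo "axess/base/Products/AXUserManager/$stripped" ;;
        *) echo "unexpected patch file: $stripped" >&2; return 1 ;;
    esac
}

# Copy the downloaded file into place, creating the folder structure that is
# empty by default, verify the copy byte for byte and print the final path.
stage_patch() {
    src="$1"
    rel="$(patch_destination "$(basename "$src")")" || return 1
    dest="$PATCHES_ROOT/$rel"
    mkdir -p "$(dirname "$dest")" || return 1
    cp "$src" "$dest" || return 1
    chmod 644 "$dest"
    cmp -s "$src" "$dest" || { echo "copy mismatch: $dest" >&2; return 1; }
    echo "$dest"
}

# Usage: sh stage_patch.sh /path/to/AXESS_5_0_0__AXUserManager.py
if [ "$#" -gt 0 ]; then
    stage_patch "$1"
fi
```

After the script prints the destination path, the playbook and restart steps below are run unchanged; the script only replaces the manual mkdir, rename and copy.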
Distribute the patch via Ansible playbooks
Now deploy the patch to all nodes in the cluster. The playbook is executed like any other playbook; please make sure to select the correct inventory file. In the PLAY RECAP at the end of the run, the copy of AXUserManager.py should be reported as changed on the axess nodes and failed should be 0, as in the example output below.
ansible-playbook --ask-vault-pass -i inventory/lab.py util_axess_patch_files.yml
Example output
TASK [Create missing destination directories] *****************************************************************************************************************************
ok: [axess] => (item=directory base)
skipping: [axess] => (item=skipping file)
ok: [axess] => (item=directory base/Products)
ok: [axess] => (item=directory base/Products/AXUserManager)
skipping: [axess] => (item=skipping file)

TASK [Copy patched files to the managed nodes] ****************************************************************************************************************************
skipping: [axess] => (item=skipping directory)
skipping: [axess] => (item=/opt/axess-ansible/contrib-project/patches/axess/.gitkeep)
skipping: [axess] => (item=skipping directory)
skipping: [axess] => (item=skipping directory)
changed: [axess] => (item=/opt/axess-ansible/contrib-project/patches/axess/base/Products/AXUserManager/AXUserManager.py)

PLAY [Distribute patches to tr069controller nodes] ************************************************************************************************************************

TASK [Patches directory query] ********************************************************************************************************************************************
ok: [axess -> localhost]

TASK [Create missing destination directories] *****************************************************************************************************************************
skipping: [axess] => (item=skipping file)

TASK [Copy patched files to the managed nodes] ****************************************************************************************************************************
skipping: [axess] => (item=/opt/axess-ansible/contrib-project/patches/tr069controller/.gitkeep)

PLAY [Distribute patches to configcontroller nodes] ***********************************************************************************************************************

TASK [Patches directory query] ********************************************************************************************************************************************
ok: [axess -> localhost]

TASK [Create missing destination directories] *****************************************************************************************************************************
skipping: [axess] => (item=skipping file)

TASK [Copy patched files to the managed nodes] ****************************************************************************************************************************
skipping: [axess] => (item=/opt/axess-ansible/contrib-project/patches/configcontroller/.gitkeep)

PLAY RECAP ****************************************************************************************************************************************************************
axess : ok=17 changed=1 unreachable=0 failed=0 skipped=13 rescued=0 ignored=0
Restart AXESS Northbound processes
After the patch has been deployed, all AXESS northbound processes need to be restarted.
ansible-playbook --ask-vault-pass -i inventory/lab.py node-axess-northbound-uwsgi_restart.yml
Create a new permission on AXESS.GUI
The AXCustomerSupportPortal uses a logout URL that, once the patch is applied, is restricted to the "Manager" user role.
Please create a new permission and assign it to the "Authenticated" user role. That way all other roles inherit this permission.
This step is only mandatory if you are using the AXCustomerSupportPortal or a custom HTML logout page.
Log in to AXESS.GUI and navigate to the Role Based Access Control page.
Create the new permission
Create a new permission with the following settings:
Name: support_portal_logout
Operations, RPCs and Facets: *
Path: */acl_users/logout.html*
Assign to the existing Authenticated Role
Select the new permission from the dropdown and click the Save button.
The new permission becomes active after the cache is renewed (default 60 seconds). It is not required to log out existing user sessions.