Created on 2025-02-18 21:49 and updated on 2025-02-18 21:49.
Description
A security assessment of the IDPKI implementation revealed a weakness potentially allowing an operator to exceed its privileges.
In the course of a pentest security assessment of IDPKI, some security measures protecting internal communications were found to be potentially compromised for an internal user with high privileges.
None of these vulnerabilities puts the Certificate Authority (CA) private key at risk.
Eviden analyzed the root cause of the weakness and found two separate vulnerabilities. During validation of the fix, an additional vulnerability of a similar nature was identified, leveraging a race condition to alter an internal automaton state and achieve a system privilege escalation:
- CVE-2024-39327: The vulnerability could allow CA signing to be obtained in an illegitimate way.
- CVE-2024-39328: A highly trusted role (Config Admin) could exceed its configuration privileges in a multi-partition environment and access some confidential data. Data integrity and availability are not at risk.
- CVE-2024-51505: A highly trusted role (Config Admin) could leverage a race condition to escalate privileges.

- CVE-2024-39327 correction has been validated and published.
- CVE-2024-39328 correction has been validated and published. This vulnerability has no impact in mono-partition or SaaS environments.
- CVE-2024-51505 risk is increased if the last fixes are not applied, as a lower-privileged role is required. A fix is available and published.
Meta
ref: https://support.bull.com/ols/product/security/psirt/security-bulletins/potential-privilege-escalation-in-idpki-psirt-1335-tlp-clear-version-2-10-cve-2024-39327-cve-2024-39328-cve-2024-51505/