Cyber Resilience

CVE-2024-41949

Low

Published: 01 August 2024

Published
01 August 2024
Modified
09 August 2024
KEV Added
Patch
CVSS Score v3.1 3.0 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N
EPSS Score 0.0011 28.8th percentile
Risk Priority 6 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-41949 is a low-severity Improper Privilege Management (CWE-269) vulnerability in Biscuitsec Biscuit-Auth. Its CVSS base score is 3.0 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

biscuit-rust is the Rust implementation of Biscuit, an authentication and authorization token for microservices architectures. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a ThirdPartyBlock request can be sent, providing only the necessary…

more

info to generate a third-party block and to sign it, which includes the public key of the previous block (used in the signature) and the public keys part of the token symbol table (for public key interning in datalog expressions). A third-part block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1606 Forge Web Credentials Credential Access
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
Why these techniques?

CVE-2024-41949 enables forging ThirdPartyBlock requests to trick remote third-party authorities into generating signed authorization blocks trusting incorrect public keys due to symbol table confusion, facilitating exploitation of remote services for privilege escalation (T1068, T1210) and forging application/web credentials to bypass multi-party authorization (T1606).

Affected Assets

biscuitsec
biscuit-auth
≤ 5.0.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-269

Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.

addresses: CWE-269

Access supervision ensures privileges are assigned and managed without improper escalation or retention.

addresses: CWE-269

Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.

addresses: CWE-269

Enforces proper privilege management by requiring all decisions through the verified reference monitor.

addresses: CWE-269

By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.

addresses: CWE-269

Implements core proper privilege management by restricting to only required rights.

addresses: CWE-269

Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.

addresses: CWE-269

Training covers proper privilege management practices, making incorrect privilege assignments less likely.

References