CVE-2020-28597

Vulnerability

Epignosis EfrontPro versions 5.2.17 and 5.2.21 contain a predictable seed vulnerability (CWE-337) in the password reset functionality [1]. The password reset token is generated as md5($this->reset_password_timestamp.$this->login), where reset_password_timestamp is based directly on system time and login is the user's email address [1]. An attacker can trigger the password reset for a known user to set a predictable reset_password_timestamp (within a small error margin) and then compute the valid hash [1].

Exploitation

An attacker needs no authentication and only needs to know the target's email address. The password reset endpoint at /start/op/password_change/user/[USER_ID]/code/[HASH] does not enforce rate limiting [1]. The attacker triggers the password reset for the known user, records the approximate time, then iterates over possible timestamps and user IDs (which are sequential integers starting from 0) to generate candidate hashes [1]. The user ID can be enumerated via ID enumeration on the same endpoint [1].

Impact

Successful exploitation allows the attacker to reset the password of any account, gaining full control over that account. This leads to complete compromise of confidentiality, integrity, and availability (CVSS 9.8) [1].

Mitigation

The vendor was notified on 2020-12-21 and released a patch on 2021-02-02 [1]. Users should update to the patched version. No workaround is described in the available references. The vulnerability is not listed on the CISA KEV as of the publication date.