CVE-2024-27295: Directus Flaw Opens Door to Account Takeovers

CVE-2024-27295

A flaw (CVE-2024-27295) was found in Directus, a versatile open-source content management platform favored by developers for its flexibility and customization options. This vulnerability leaves thousands of projects potentially exposed to account hijacking attacks.

CVE-2024-27295

With over 27 million docker pulls, nearly 25,000 GitHub stars, and 49,000 monthly npm downloads, Directus has established itself as a cornerstone for developers seeking to manage content.

CVE-2024-27295, a vulnerability with a CVSS score of 8.2, points to a high-severity issue lurking within the password reset mechanism of the Directus backend. This flaw, tied intricately to MySQL and MariaDB configurations, allows attackers to hijack the password reset process.

The root cause

This vulnerability arises from a dangerous combination:

  1. Directus’ Password Reset Flaw: There’s an oversight in the way Directus’s password reset system retrieves the email address for sending password reset links. Instead of using the exact email stored in the database, it relies on the email address submitted with the reset request.

  2. MySQL/MariaDB: These databases, in their default configuration, sometimes treat accented characters (like ü) the same as their non-accented counterparts (u) when comparing pieces of data. This lack of precision can be disastrous for security.

    MySQL weak comparison:

    select 1 from directus_users where julian@cure53.de = julian@cüre53.de;

    This is exploitable due to an error in the API using the supplied email address for sending the reset password mail instead of using the email from the database.

Steps to reproduce:

Imagine the following scenario:

  • Victim’s Account: A user with the email “julian@cure53.de” has an account on a Directus-powered website.
  • Attacker’s Preparation: An attacker, aware of this vulnerability, registers a deceptively similar email address – “julian@cüre53.de” – differing only by an accented character.
  • Exploitation: The attacker submits a password reset request for the victim’s email (julian@cure53.de). Due to the combined flaws in Directus and the database, a match is found, and the sensitive password reset link lands in the attacker’s inbox.

Consequences: Full Account Takeover

With the reset link, the attacker takes full control of the victim’s account. This could lead to:

  • Sensitive Data Exposure: Accessing and stealing confidential information stored within the account.
  • Reputation Damage: Impersonating the victim and performing malicious actions, harming their reputation and potentially affecting the broader system.
  • Attack Escalation: Using the compromised account as a foothold to launch further attacks, exploiting additional vulnerabilities within the system.

Protecting Yourself

  • The Urgent Fix: Immediately upgrade to Directus version 10.8.3 or later, which contains the patch to resolve this specific vulnerability.
  • Security Best Practices:
    • Implement strong password policies and encourage users to create complex, unique passwords.
    • Consider enabling two-factor authentication (2FA) for an extra layer of protection.
    • Conduct regular security audits to identify potential weaknesses.
  • Database Deep Dive:
    • If you use MySQL/MariaDB, review database configuration settings related to character comparisons (collations). Adjust them to enforce stricter character matching for sensitive data like email addresses.