Bypass 2fa with remember-me option

[winus]

Bundle version: 4.10.0
Symfony version: 3.4.31

Description
Bypass 2fa by rememberme cookie

To Reproduce
We have a login form with remember_me (checkbox) functionality, When using the checkbox, symfony creates a cookie "REMEMBERME". That moment we get redirected to the 2fa-auth page. We have no access to the other pages. On that moment, when we remove our SESSIONID key with the browsers cookie inspector/tool, we can go to our homepage "/" and be IS_AUTHENTICED_REMEMBERED. Effectively being logged in without 2fa.

[scheb]

Ouch, I can confirm that unfortunately. And I don't have a clear plan (yet) how to fix this issue properly. I did some research and right now it looks the best approach would be to decorate the firewall's security.authentication.rememberme.* services to prevent the remember-me cookie from being set when the user enters a two-factor process after a successful login.

/summon @chalasr Do you have and idea how we can solve this?

[winus]

Well it happens :-) Found it, ( well actually more like, though of the theoretical issue ) while investigating another problem in our application.

I've did a bit of research also, but my knowledge of the login process ( and abstract services) is limited. I found a RememberMeTokenProvider. And my guess would be to override the Symfony's default one.
On the original moment we should check whether the remember me was checked, and put it in the token(i guess).

When the 2fa is succes, we should check the variable / attribute in the token and trigger the RememberMeTokenProvider of Symfony.

[scheb]

Yes, something like that would be the solution to set the remember me token after 2fa has been completed.

The issue that I'd like to solve first is how to avoid the cookie to be set right after login. The way this is implemented, it's outside of the bundle's control and I'm wondering what the best approach would be to hook in and prevent it.

[chalasr]

@scheb I think you could inject the RememberMeServicesInterface instance in your AuthenticationProviderDecorator.
That service is generated by RememberMeFactory (one per firewall), so you should be able to check its existence + inject it from your compiler pass by guessing the generated service name.
Then, in AuthenticationProviderDecorator, if the authenticated token is an instance of RememberMeToken, call RememberMeServicesInterface::loginFail() and, once 2fa completed, call RememberMeServicesInterface::autoLogin() to set back the cookie.

[scheb]

This issue is fixed in versions 4.11.0 and 3.26.0.

@chalasr Thanks for your help, much appreciated!

@bytehead, @brusch, @Seldaek I believe you should upgrade to ^3.26.0 / ^4.11.0

[Seldaek]

Thanks, deployed the fixed version

[bytehead]

Thank you @scheb!

[brusch]

@scheb Thanks a lot!

[zerkms]

Is it possible to tell when it was introduced? Or was it there forever?

[scheb]

I haven't tested every version of the bundle with every version of Symfony, but the way this issue works very likely affects all versions from 3 until 3.26.0 and all versions from 4 until 4.11.0, independent of the Symfony version.

And now that I think about it, all versions from 1.x and 2.x, which depend on a session flag to ask for 2fa, probably have and still have this issue.

[zerkms]

@scheb I'm here because I also discovered this behaviour yesterday myself, but I was going to report it privately through the direct email.

Wondering if issues like that should be considered as highly sensitive security bugs.