CVE-2021-26905 for all versions of the 1Password SCIM bridge released prior to February 8, 2021

Published:

About the issue

An issue was discovered in versions of the 1Password SCIM bridge prior to 1.6.2. The SCIM bridge does not properly validate input received on the authenticated endpoint used to fetch log files. Someone who can authenticate to the SCIM bridge can use that weakness to read certain items from the application’s Redis cache.

The bug was discovered internally on February 5, 2021, and a fixed version of the SCIM bridge was released the following Monday, February 8, 2021.

Who may be affected

Anyone using a SCIM bridge version later than or equal to 1.0.0 and prior to 1.6.2 is affected.

Everyone using the 1Password SCIM bridge should upgrade to version 1.6.2 or later.

Impact and exploitability

The 1Password SCIM bridge is a tool for IT administrators to automate the creation of users and groups in 1Password Business. Password data is not at risk as a result of this bug.

This issue permits an attacker or someone malicious with authorized access to the SCIM bridge to obtain internal deployment details of the SCIM bridge. They can do this by using the SCIM bridge authorization token and calling the logging endpoint in a specific way. This may expose certain internal implementation details of the SCIM bridge. Moreover, where the Redis cache is shared between the SCIM bridge and other applications, this could expose information belonging to those other applications.

The authorization token required to exploit this bug represents privileged access to the SCIM bridge. The authorization token is generated during setup of the SCIM bridge, and access to it should be restricted. We continue to recommend restricting access to SCIM authorization tokens to only limited groups of administrators. As a result of the circumstances above, we expect the risk of exploitation to be low in most situations in which the SCIM bridge is deployed.

Earlier versions of this advisory

When this advisory was first published, it contained wording indicating that the SCIM bridge TLS certificates and private keys were at risk. After further investigation, we no longer believe that to be the case. We now believe it is not possible to fetch these values, because certain implementation details in the SCIM bridge prevent it.

Although we no longer believe SCIM bridge TLS certificates are at risk, you can still choose to revoke them. After you upgrade to version 1.6.2 or later:

  1. Connect to the SCIM bridge Redis cache with a Redis client.
  2. Read the following values and make a note of them:
    • redicrypt/<your domain name>
    • redicrypt/<your domain name>+rsa
    • redicrypt/<your domain name>+token
    • redicrypt/<long base64url value>+http01
  3. Delete those values from the Redis cache.
  4. Restart the SCIM bridge. Your SCIM bridge will automatically obtain a new certificate.
  5. Use the values you noted to revoke the old Let’s Encrypt certificate.
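Steps 2 and 3 can be scripted so that nothing is deleted before it has been recorded. The following is an added example, not 1Password's own tooling: the function names, the backup file format, and the Redis host and port are assumptions, and it assumes the redicrypt values are plain Redis strings readable with GET. Steps 4 and 5 remain manual.

```python
import base64
import json
import os
import sys


def redicrypt_keys(client, domain):
    """Key names from step 2 of the advisory for `domain`."""
    fixed = [f"redicrypt/{domain}{suffix}" for suffix in ("", "+rsa", "+token")]
    # The +http01 key embeds a long base64url value, so locate it by pattern.
    found = [k.decode() if isinstance(k, bytes) else k
             for k in client.scan_iter(match="redicrypt/*+http01")]
    return fixed + sorted(found)


def backup_and_delete(client, domain, backup_path):
    """Steps 2-3: record each value in `backup_path`, then delete the keys."""
    saved = {}
    for key in redicrypt_keys(client, domain):
        value = client.get(key)  # assumption: values are plain Redis strings
        if value is None:        # key not present in this deployment
            continue
        if isinstance(value, str):
            value = value.encode()
        saved[key] = base64.b64encode(value).decode("ascii")
    # Write the backup first so a failed write deletes nothing. O_EXCL refuses
    # to overwrite an earlier backup; 0o600 keeps the noted values owner-only.
    fd = os.open(backup_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(saved, fh, indent=2)
    if saved:
        client.delete(*saved)
    return sorted(saved)


if __name__ == "__main__":
    import redis  # redis-py; host and port below are assumptions
    domain, backup_path = sys.argv[1], sys.argv[2]
    conn = redis.Redis(host="localhost", port=6379)
    for name in backup_and_delete(conn, domain, backup_path):
        print("saved and deleted:", name)
```

Where the Redis cache is shared with other applications, check the listed key names before running it, since only the `redicrypt/` keys should be touched.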

Commentary

We apologize for this bug. This is a class of bugs that should never crop up in any of 1Password’s software. The presence of this was unfortunately not detected in many process steps in which it could and should have been noted.

At 1Password, we are aware that our software development processes affect your own security, your family’s, or your business’s. Therefore we will use this discovery to identify better or additional measures for our software development process of all our software, so that bugs like these have a smaller chance of slipping through the cracks.