#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  HYPR Workforce Access [1]
# Vendor:   HYPR [2]
# CSNC ID:  CSNC-2022-003
# CVE ID:   TBD [3]
# Subject:  Account Takeover
# Risk:     High
# Effect:   Locally exploitable
# Author:   Philipp Mao
# Date:     10.6.2022
#
#############################################################

Introduction:
-------------

HYPR Workforce Access allows employees to log in to their machine using only
their smartphone (without having to enter a password).

A non-administrator user on a machine can log in as any other user who logs
into that same machine using HYPR Workforce Access.

Affected:
---------

HYPR Workforce Access < 6.18.0 (newer versions may also be affected)

Technical Description
---------------------

Lax access control on the registry keys allows an attacker to communicate with
the HYPR server on behalf of another user. This way the attacker can obtain the
encrypted login certificates of other users.

The attacker can then deregister the target user by sending an HTTP request to
the HYPR server. Afterwards, once the target user has re-registered, the
attacker starts a login flow from their own smartphone and injects the
encrypted login certificate into that login flow. The HYPR service decrypts the
injected certificate and logs the attacker in as the target user.

Workaround / Fix:
-----------------

Update to the newest HYPR Workforce Access version.

Timeline:
---------

2021-02-10: Discovery by Philipp Mao
2021-02-11: Initial vendor notification/response
2022-10-05: Advisory publication

References:
-----------

[1] https://www.hypr.com/workforce-authentication/
[2] https://www.hypr.com/
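As an added check (not the advisory's or HYPR's own code), the following PowerShell function flags registry keys on which broad, non-administrative principals hold write rights, the misconfiguration class the technical description relies on. The key path is a placeholder assumption, since the advisory does not name the affected keys.

```powershell
# Added example, not part of the advisory. Audits one registry key's ACL and
# returns every Allow ACE that grants write-capable rights to a broad principal
# (Users, Authenticated Users, Everyone, INTERACTIVE). A service that stores
# per-user state under a key writable by such principals lets any local user
# tamper with other users' entries.
function Test-RegistryKeyAcl {
    param(
        # Placeholder: replace with the key(s) the vendor documents for the product.
        [Parameter(Mandatory)] [string] $KeyPath
    )

    # Principals that should never be able to modify a service's configuration keys.
    $broadPrincipals = @(
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'Everyone',
        'NT AUTHORITY\INTERACTIVE'
    )

    # Only the bits that allow changing values, subkeys, or the ACL itself.
    # Deliberately not WriteKey/FullControl, which also carry read bits and
    # would produce false positives on read-only ACEs.
    $R = [System.Security.AccessControl.RegistryRights]
    $writeRights = $R::SetValue -bor $R::CreateSubKey -bor $R::Delete -bor
                   $R::ChangePermissions -bor $R::TakeOwnership

    $acl = Get-Acl -Path $KeyPath
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.RegistryRights -band [int]$writeRights) -eq 0) { continue }
        [pscustomobject]@{
            Key       = $KeyPath
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
    return $findings
}

# Usage with the placeholder path; an empty result means no broad principal can write.
Test-RegistryKeyAcl -KeyPath 'HKLM:\SOFTWARE\VENDOR_KEY_PLACEHOLDER' | Format-Table -AutoSize
```

Run it against each key the product creates (and their subkeys, via Get-ChildItem -Recurse) before and after updating, to confirm the fix actually tightened the ACLs on the installed version.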