2016-06-01 Instructure Advisory IAC17708 - Developer Key Privilege Escalation

Document created by Wade Billings Employee on Jun 1, 2016Last modified by Wade Billings Employee on Nov 16, 2016
Version 3Show Document
  • View in full screen mode

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

 

  Release Date:2016-06-01
  Description:Developer Key Privilege Escalation
  Criticality Level:Very High
  Impact:Potential manipulation of developer keys / Identity forgery
  Systems Affected:Potential impact includes all developer keys issued within an instance of Canvas
  Solution Status:Closed/Resolved
  Discovered By:Cody Cutrer
  Relevant Changesets:

fix permission check of updating developer keys · instructure/canvas-lms@24c57dc · GitHub


 

Summary:

In October of 2015,  a code change which allowed an account admin to manage developer keys generated within their own instance of Canvas was introduced   into the codebase. It was recently discovered during a routine review of the code that the permission checks had weak scope boundaries, so an admin with       permissions to modify developer keys in their own instance/account, were inadvertently able to modify any developer key within the system.

 

For users of the open source version of Canvas, the vulnerability surface area is much smaller since there's only one root account, and typically the root account admins are also site admins, which would have permissions to alter developer keys.

 

Status:

The Instructure engineering team has developed, tested, and promoted a hotfix to the production Canvas platform. They have also updated the Canvas open source git repository with a security patch prior to the release of this bulletin.

 


Attachments

    Outcomes