SECURITY UPDATE |  |
| Release Date: | 2016-06-01 |
| Description: | Developer Key Privilege Escalation |
| Criticality Level: | Very High |
| Impact: | Potential manipulation of developer keys / Identity forgery |
| Systems Affected: | Potential impact includes all developer keys issued within an instance of Canvas |
| Solution Status: | Closed/Resolved |
| Discovered By: | Cody Cutrer |
| Relevant Changesets: | fix permission check of updating developer keys · instructure/canvas-lms@24c57dc · GitHub |
Summary:
In October of 2015, a code change which allowed an account admin to manage developer keys generated within their own instance of Canvas was introduced into the codebase. It was recently discovered during a routine review of the code that the permission checks had weak scope boundaries, so an admin with permissions to modify developer keys in their own instance/account, were inadvertently able to modify any developer key within the system.
For users of the open source version of Canvas, the vulnerability surface area is much smaller since there's only one root account, and typically the root account admins are also site admins, which would have permissions to alter developer keys.
Status:
The Instructure engineering team has developed, tested, and promoted a hotfix to the production Canvas platform. They have also updated the Canvas open source git repository with a security patch prior to the release of this bulletin.
