
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in LemonLDAP::NG's Two-Factor Authentication (2FA) registration process. The vulnerability, tracked as CVE-2024-52948, affects multiple versions of the software including versions 2.0.11+ds-4+deb11u5 and 2.16.1+ds-deb12u4. The issue was discovered and reported in November 2024 (Debian Tracker, GitLab Issue).
The vulnerability stems from the absence of anti-CSRF tokens in the FIDO2 enrollment page. An attacker can initiate enrollment in their own session and then lure a logged-in user into visiting a malicious page, potentially leading to unauthorized 2FA device registration. The attack involves manipulating the POST parameters of the enrollment request and submitting them through a crafted HTML form that the victim's browser sends with the victim's session cookie (GitLab Issue).
If successfully exploited, an attacker can register their own FIDO2 device in the targeted user's profile. This allows the attacker to authenticate as the victim by combining stolen username/password credentials with the fraudulently registered FIDO2 device (GitLab Issue).
The vulnerability has been fixed in version 2.20.2+ds-1 of LemonLDAP::NG. The fix implements custom request headers for CSRF protection in 2FA registration functions and updates the validation checks for 2FA deletion (Debian Tracker, GitLab Commit).
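As an added illustration of the fix described above (this is not LemonLDAP::NG's own code), the following Python model shows the enrollment endpoint before and after adding a custom-header check; the header name, endpoint path and form field are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical names: the real header and path used by LemonLDAP::NG's fix may differ.
CSRF_HEADER = "x-csrf-check"
ENROLL_PATH = "/2fregisters/webauthn/registration"


@dataclass
class Request:
    """Minimal model of an HTTP request after cookie-based session lookup."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    session_user: Optional[str] = None  # user bound to the session cookie, if any


def _common_checks(req: Request) -> Optional[Tuple[int, str]]:
    if req.path != ENROLL_PATH or req.method != "POST":
        return 404, "not found"
    if req.session_user is None:
        return 401, "not authenticated"
    return None


def enroll_vulnerable(req: Request, profiles: Dict[str, List[str]]) -> Tuple[int, str]:
    """Pre-fix behaviour: any authenticated POST registers the submitted device."""
    err = _common_checks(req)
    if err:
        return err
    profiles.setdefault(req.session_user, []).append(req.form["credential_id"])
    return 200, "registered"


def enroll_fixed(req: Request, profiles: Dict[str, List[str]]) -> Tuple[int, str]:
    """Post-fix behaviour: additionally require a custom request header. A cross-site
    HTML <form> cannot set custom headers, so a forged POST lacks it; only script
    running on the genuine enrollment page (fetch/XHR) can add it."""
    err = _common_checks(req)
    if err:
        return err
    headers = {k.lower(): v for k, v in req.headers.items()}
    if headers.get(CSRF_HEADER) != "1":
        return 403, "missing anti-CSRF header"
    profiles.setdefault(req.session_user, []).append(req.form["credential_id"])
    return 200, "registered"


# Constructed sample traffic: the browser attaches the victim's session cookie to both
# requests, so session_user is "victim" in each; only the custom header differs.
FORGED = Request("POST", ENROLL_PATH, form={"credential_id": "attacker-key"}, session_user="victim")
LEGIT = Request("POST", ENROLL_PATH, headers={"X-Csrf-Check": "1"},
                form={"credential_id": "victim-key"}, session_user="victim")
```

The header check only holds while CORS keeps foreign origins from sending credentialed requests with custom headers; a reflected Access-Control-Allow-Origin combined with Allow-Credentials would undo it.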
Source: This report was generated using AI