it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] TFA Basic plugins - Less critical - Insecure Randomness - SA-CONTRIB-2018-044
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] TFA Basic plugins - Less critical - Insecure Randomness - SA-CONTRIB-2018-044
- Date: Wed, 27 Jun 2018 18:25:41 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2018-044
Project: TFA Basic plugins [1]
Version: 7.x-1.0
Date: 2018-June-27
Security risk: *Less critical* 9∕25
AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Insecure Randomness
Description:
The TFA Basic module enables you to use Two Factor Authentication via a
variety of plugins including TOTP and one-time codes delivered via email or
sms.
The module doesn't use a strong source of randomness, creating weak and
predictable one-time login codes that are then delivered using SMS. This
weakness does not affect the more common TOTP second factor.
This vulnerability is mitigated by the fact that the site must be configured
to use SMS to deliver one-time login codes which is an uncommon
configuration.
Solution:
* If you use the TFA Basic module for Drupal 7.x, upgrade to TFA Basic
7.x-1.1 [3]
Also see the TFA Basic plugins [4] project page.
Reported By:
* Greg Knaddison [5] of the Drupal Security Team
Fixed By:
* Greg Knaddison [6] of the Drupal Security Team
* Ben Jeavons [7] of the Drupal Security Team
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/tfa_basic
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tfa_basic/releases/7.x-1.1
[4] https://www.drupal.org/project/tfa_basic
[5] https://www.drupal.org/user/36762
[6] https://www.drupal.org/user/36762
[7] https://www.drupal.org/user/91990
[8] https://www.drupal.org/u/greggles
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] TFA Basic plugins - Less critical - Insecure Randomness - SA-CONTRIB-2018-044, security-news, 27.06.2018
Archiv bereitgestellt durch MHonArc 2.6.19.