
it-securitynotifies - [IT-SecNots] [Security-news] YubiKey - Less critical - Access bypass - SA-CONTRIB-2020-023

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] YubiKey - Less critical - Access bypass - SA-CONTRIB-2020-023
  • Date: Wed, 10 Jun 2020 17:17:56 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2020-023

Project: YubiKey [1]
Version: 7.x-2.x-dev
Date: 2020-June-10
Security risk: *Less critical* 9∕25
AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Description: 
This module enables you to use a YubiKey device to protect your Drupal user
account. YubiKey is a secure method for logging into many websites using a
cryptographically secure USB token.

The module doesn't sufficiently implement login flood control when the module
is configured for YubiKey OTP only. This allows an attacker to attempt many
YubiKey OTP codes. However, a brute force attack on this code is not
practical in most situations given the length and randomness of the OTP
codes.

Solution: 
Install the latest version:

* If you use the YubiKey module for Drupal 7.x, upgrade to YubiKey 7.x-2.3
[3]

Also see the YubiKey [4] project page.

Reported By: 
* majorrobot [5]

Fixed By: 
* Todd Johnson [6]
* majorrobot [7]
* Kurucz István [8]

Coordinated By: 
* Greg Knaddison [9] of the Drupal Security Team


[1] https://www.drupal.org/project/yubikey
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/yubikey/releases/7.x-2.3
[4] https://www.drupal.org/project/yubikey
[5] https://www.drupal.org/user/168019
[6] https://www.drupal.org/user/263058
[7] https://www.drupal.org/user/168019
[8] https://www.drupal.org/user/58654
[9] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
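
The description above says login flood control was missing on the OTP-only login path. The following is an added illustration, not the YubiKey module's code and not the fix shipped in 7.x-2.3: a sliding-window failure counter for an OTP-only login, checked before the OTP is validated. Assumptions: the class name, the validate callback and the bucket names are hypothetical, the thresholds are modelled on Drupal 7 core's login flood defaults, and the per-key counter is keyed on the 12-character public ID prefix of a Yubico OTP.

```python
import re
import time
from collections import defaultdict, deque

# Assumed thresholds, modelled on Drupal 7 core's login flood defaults.
IP_LIMIT, IP_WINDOW = 50, 3600      # failures per client IP per hour
KEY_LIMIT, KEY_WINDOW = 5, 21600    # failures per YubiKey public ID per 6 hours
# Yubico OTP: 44 modhex characters = 12-char public ID + 32-char encrypted part.
MODHEX_OTP = re.compile(r"[cbdefghijklnrtuv]{44}")


class OtpFloodControl:
    """Sliding-window failure counters for an OTP-only login path."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(deque)  # bucket name -> failure timestamps

    def _count(self, bucket, window):
        # Drop timestamps that have aged out of the window, then count the rest.
        q, cutoff = self.failures[bucket], self.clock() - window
        while q and q[0] <= cutoff:
            q.popleft()
        return len(q)

    def login(self, otp, ip, validate):
        """Return 'ok', 'denied' or 'blocked'; validate() is a hypothetical OTP verifier."""
        ip_bucket = "ip:" + ip
        # Malformed input carries no usable public ID, so it counts against the IP only.
        key_bucket = "key:" + otp[:12] if MODHEX_OTP.fullmatch(otp) else None
        # Enforce the limits BEFORE validating, so a blocked client gets no further guesses.
        if self._count(ip_bucket, IP_WINDOW) >= IP_LIMIT:
            return "blocked"
        if key_bucket and self._count(key_bucket, KEY_WINDOW) >= KEY_LIMIT:
            return "blocked"
        if key_bucket and validate(otp):
            self.failures.pop(key_bucket, None)  # success clears the per-key counter only
            return "ok"
        now = self.clock()
        self.failures[ip_bucket].append(now)
        if key_bucket:
            self.failures[key_bucket].append(now)
        return "denied"
```

With only a per-IP counter, guesses spread across many addresses would never be throttled; the per-key counter is what caps attempts against one token regardless of source.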

