it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003
Chronological Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003
- Date: Wed, 24 Jan 2024 18:38:55 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2024-003
Project: Two-factor Authentication (TFA) [1]
Date: 2024-January-24
Security risk: *Moderately critical* 14/25
AC:Complex/A:None/CI:Some/II:Some/E:Proof/TD:Uncommon [2]
Vulnerability: Access bypass
Affected versions: <1.5.0
Description:
This module enables you to allow and/or require users to use a second
authentication method in addition to password authentication.
In some cases, the module allows users to log in with an authentication
plugin that an administrator has disabled.
This vulnerability is mitigated by the fact that an attacker must obtain a
valid first-factor login credential, that an administrator must have enabled
and then disabled an authentication plugin, and that the attacker must also
obtain a valid second-factor credential for that disabled plugin.
Solution:
Install the latest version:
* If you use the Two-factor Authentication (TFA) module for Drupal 8, 9, or 10,
upgrade to TFA 8.x-1.5 [3]
After installing this update, disabled plugins will no longer be offered or
accepted as a second-factor option.
If an account is configured with only disabled plugins, login will be
prohibited and the configured TFA "Help text" displayed instead of a
second-factor prompt.
To allow access for a locked-out user, site owners may consider re-enabling the
plugin (admin/config/people/tfa) or may use their existing procedures for
granting access to accounts where the user has forgotten or lost their second-
factor tokens.
Accounts with both enabled and disabled plugins will prompt the account owner
with one of the remaining enabled plugins.
Reported By:
* Ide Braakman [4]
Fixed By:
* Conrad Lara [5]
* Juraj Nemec [6] of the Drupal Security Team
* João Ventura [7]
Coordinated By:
* Damien McKenna [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
* Benji Fisher [10] of the Drupal Security Team
[1] https://www.drupal.org/project/tfa
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tfa/releases/8.x-1.5
[4] https://www.drupal.org/user/1879760
[5] https://www.drupal.org/user/1790054
[6] https://www.drupal.org/user/272316
[7] https://www.drupal.org/user/122464
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/683300
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19+.