
it-securitynotifies - [IT-SecNots] [Security-news] Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

[IT-SecNots] [Security-news] Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043
  • Date: Wed, 2 Oct 2024 18:05:35 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2024-043

Project: Two-factor Authentication (TFA) [1]
Date: 2024-October-02
Security risk: *Critical* 15/25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Affected versions: <1.8.0
Description: 
This module enables you to allow and/or require users to use a second
authentication method in addition to password authentication.

The module does not sufficiently migrate sessions before prompting for a
second factor token.

This vulnerability is mitigated by the fact that an attacker must fixate a
session on a victim system that is then authenticated with username and
password without completing two-factor authentication. An attacker must
gather additional information regarding the entry form after authentication.
An attacker must still present a valid token to complete authentication.
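As an added illustration (not code from the TFA module or from this advisory), the Python below simulates the session handling the advisory describes: a server-side session store in which the password step and the second-factor step either keep the pre-login session ID or migrate the state to a fresh one. The store, the state fields and the `pre_auth_id_survives` regression check are constructed for this example.

```python
import secrets


class SessionStore:
    """Minimal server-side session store keyed by session ID (constructed)."""

    def __init__(self):
        self.sessions = {}

    def new(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"uid": None, "tfa_pending": False}
        return sid

    def migrate(self, sid):
        """Move the session state to a fresh ID; the old ID stops resolving."""
        state = self.sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = state
        return new_sid


def password_step(store, sid, uid, migrate):
    """Password accepted: record the user and mark the second factor as owed."""
    if migrate:
        sid = store.migrate(sid)
    store.sessions[sid].update(uid=uid, tfa_pending=True)
    return sid


def tfa_step(store, sid, migrate):
    """Valid second-factor token presented: finish authentication."""
    if migrate:
        sid = store.migrate(sid)
    store.sessions[sid]["tfa_pending"] = False
    return sid


def resolves_to_user(store, sid):
    """Does this session ID still map to a user's (partial or full) login?"""
    state = store.sessions.get(sid)
    return state is not None and state["uid"] is not None


def pre_auth_id_survives(migrate):
    """Regression check: an ID handed out before login must not stay bound to
    the user once the password step or the TFA step changes the state."""
    store = SessionStore()
    sid0 = store.new()  # ID that existed before any login
    sid1 = password_step(store, sid0, uid=42, migrate=migrate)
    after_password = resolves_to_user(store, sid0)
    tfa_step(store, sid1, migrate=migrate)
    after_tfa = resolves_to_user(store, sid0)
    return after_password or after_tfa


if __name__ == "__main__":
    print("no migration:", pre_auth_id_survives(False))  # True: old ID lives on
    print("migration:", pre_auth_id_survives(True))      # False
```

The hardened path migrates at both state changes, so the pre-login ID resolves to nothing once the password is accepted, which is the property the fixed releases restore.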

Solution: 
Install the latest version:

* If you use the Two-factor Authentication (TFA) module for Drupal 8+
upgrade to Two-factor Authentication (TFA) 8.x-1.8 [3]
* If you use the Two-factor Authentication (TFA) module for Drupal 7 upgrade
to Two-factor Authentication (TFA) 7.x-2.4 [4]

Reported By: 
* Francesco Placella [5]

Fixed By: 
* Francesco Placella [6]
* Juraj Nemec [7] of the Drupal Security Team
* Conrad Lara [8]

Coordinated By: 
* Greg Knaddison [9] of the Drupal Security Team
* Juraj Nemec [10] of the Drupal Security Team


[1] https://www.drupal.org/project/tfa
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tfa/releases/8.x-1.8
[4] https://www.drupal.org/project/tfa/releases/7.x-2.4
[5] https://www.drupal.org/user/183211
[6] https://www.drupal.org/user/183211
[7] https://www.drupal.org/user/272316
[8] https://www.drupal.org/user/1790054
[9] https://www.drupal.org/u/greggles
[10] https://www.drupal.org/u/poker10

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.19+.
