[SECURITY-L] [Security-news] Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003

CSIRT Unicamp security at unicamp.br
Wednesday January 24 16:39:10 -03 2024


View online: https://www.drupal.org/sa-contrib-2024-003

Project: Two-factor Authentication (TFA) [1]
Date: 2024-January-24
Security risk: *Moderately critical* 14/25
AC:Complex/A:None/CI:Some/II:Some/E:Proof/TD:Uncommon [2]
Vulnerability: Access bypass

Affected versions: <1.5.0
Description:
This module enables you to allow and/or require users to use a second
authentication method in addition to password authentication.

In some cases, the module allows users to log in with an authentication
plugin that an administrator has disabled.

This vulnerability is mitigated by the fact that an attacker must obtain a
valid first-factor login credential, that an administrator must enable and
then disable an authentication plugin, and that an attacker must obtain the
valid second factor credential for the disabled plugin.

Solution:
Install the latest 8.x-1.2 version:

   * If you use the Two-factor Authentication (TFA) module for Drupal 8, 9,
     or 10, upgrade to TFA 8.x-1.5 [3]

After installing this update, disabled plugins will no longer be offered or
accepted as a second-factor option.

If an account is configured with only disabled plugins, login will be
prohibited and the configured TFA "Help text" displayed instead of a
second-factor prompt.

To restore access for a locked-out user, site owners may consider re-enabling
the plugin (admin/config/people/tfa) or may use their existing procedures for
granting access to accounts where the user has forgotten or lost their
second-factor tokens.

Accounts with both enabled and disabled plugins will prompt the account owner
with one of the remaining enabled plugins.
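As an added illustration (not code from the TFA module or from Drupal), a self-contained PHP model of the decision the 8.x-1.5 fix introduces: the account's configured plugins are intersected with the administrator-enabled set, an account left with no usable plugin is refused and shown the configured help text, and otherwise only the remaining enabled plugins are offered. The function name `tfa_decide()`, the plugin IDs and the help text are assumed sample values.

```php
<?php
// Added illustrative model of the second-factor plugin-selection decision.
// Not the TFA module's own code; plugin IDs and help text are constructed.

/**
 * Decide how the second-factor step proceeds for one account.
 *
 * @param string[] $accountPlugins  TFA plugins the account has set up.
 * @param string[] $siteEnabled     Plugins the administrator currently allows.
 * @param string   $helpText        The site's configured TFA "Help text".
 * @return array{action:string, plugins?:string[], message?:string}
 */
function tfa_decide(array $accountPlugins, array $siteEnabled, string $helpText): array
{
    if ($accountPlugins === []) {
        // Nothing configured: defer to the site's ordinary TFA enrolment policy.
        return ['action' => 'no_tfa_configured'];
    }

    // Pre-1.5 behaviour offered $accountPlugins directly, so a plugin the
    // administrator had disabled after the account set it up was still
    // accepted. The fix only considers plugins in the enabled set.
    $usable = array_values(array_intersect($accountPlugins, $siteEnabled));

    if ($usable === []) {
        // Only disabled plugins remain: block login and show the help text.
        return ['action' => 'deny', 'message' => $helpText];
    }

    // At least one enabled plugin remains: prompt with those only.
    return ['action' => 'prompt', 'plugins' => $usable];
}

// Constructed sample: the administrator enabled two plugins, then later
// disabled 'sample_totp'. The account owner had set up both.
$siteEnabled = ['sample_recovery_code'];
$help = 'Your second-factor method is unavailable; contact the site administrator.';

// Account with only the now-disabled plugin: login is refused.
var_dump(tfa_decide(['sample_totp'], $siteEnabled, $help));

// Account with both: prompted only with the still-enabled plugin.
var_dump(tfa_decide(['sample_totp', 'sample_recovery_code'], $siteEnabled, $help));
```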

Reported By:
   * Ide Braakman [4]

Fixed By:
   * Conrad Lara [5]
   * Juraj Nemec [6] of the Drupal Security Team
   * João Ventura [7]

Coordinated By:
   * Damien McKenna [8] of the Drupal Security Team
   * Greg Knaddison [9] of the Drupal Security Team
   * Benji Fisher [10] of the Drupal Security Team


[1] https://www.drupal.org/project/tfa
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tfa/releases/8.x-1.5
[4] https://www.drupal.org/user/1879760
[5] https://www.drupal.org/user/1790054
[6] https://www.drupal.org/user/272316
[7] https://www.drupal.org/user/122464
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/683300

_______________________________________________
Security-news mailing list
Security-news at drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830