<div dir="ltr"><div class="gmail_quote"><br>View online: <a href="https://www.drupal.org/sa-contrib-2024-003" rel="noreferrer" target="_blank">https://www.drupal.org/sa-contrib-2024-003</a><br>
<br>
Project: Two-factor Authentication (TFA) [1]<br>
Date: 2024-January-24<br>
Security risk: *Moderately critical* 14∕25<br>
AC:Complex/A:None/CI:Some/II:Some/E:Proof/TD:Uncommon [2]<br>
Vulnerability: Access bypass<br>
<br>
Affected versions: <1.5.0<br>
Description: <br>
This module enables you to allow and/or require users to use a second<br>
authentication method in addition to password authentication.<br>
<br>
In some cases, the module allows users to log in with an authentication<br>
plugin that an administrator has disabled.<br>
<br>
This vulnerability is mitigated by the fact that an attacker must obtain a<br>
valid first-factor login credential, that an administrator must enable and<br>
then disable an authentication plugin, and that an attacker must obtain the<br>
valid second factor credential for the disabled plugin.<br>
<br>
Solution: <br>
Install the latest 8.x-1.2 version:<br>
<br>
   * If you use the Two-factor Authentication (TFA) for Drupal 8, 9, or 10<br>
     upgrade to TFA 8.x-1.5 [3]<br>
<br>
After installing this update disabled plugins will no longer be offered or<br>
accepted as a second factor option.<br>
<br>
If an account is configured with only disabled plugins login will be<br>
prohibited and the the configured TFA "Help text" displayed instead of a<br>
second factor prompt.<br>
<br>
To allow access for a locked out user site owners may consider enabling the<br>
plugin (admin/config/people/tfa) or may use their existing procedures for<br>
granting access to accounts where the user has forgotten/lost their second<br>
factor tokens.<br>
<br>
Accounts with both enabled and disabled plugins will prompt the account owner<br>
with one of the remaining enabled plugins.<br>
<br>
Reported By: <br>
   * Ide Braakman [4]<br>
<br>
Fixed By: <br>
   * Conrad Lara [5]<br>
   * Juraj Nemec [6] of the Drupal Security Team<br>
   * João Ventura [7]<br>
<br>
Coordinated By: <br>
   * Damien McKenna [8] of the Drupal Security Team<br>
   * Greg Knaddison [9] of the Drupal Security Team<br>
   * Benji Fisher [10] of the Drupal Security Team<br>
<br>
<br>
[1] <a href="https://www.drupal.org/project/tfa" rel="noreferrer" target="_blank">https://www.drupal.org/project/tfa</a><br>
[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>
[3] <a href="https://www.drupal.org/project/tfa/releases/8.x-1.5" rel="noreferrer" target="_blank">https://www.drupal.org/project/tfa/releases/8.x-1.5</a><br>
[4] <a href="https://www.drupal.org/user/1879760" rel="noreferrer" target="_blank">https://www.drupal.org/user/1879760</a><br>
[5] <a href="https://www.drupal.org/user/1790054" rel="noreferrer" target="_blank">https://www.drupal.org/user/1790054</a><br>
[6] <a href="https://www.drupal.org/user/272316" rel="noreferrer" target="_blank">https://www.drupal.org/user/272316</a><br>
[7] <a href="https://www.drupal.org/user/122464" rel="noreferrer" target="_blank">https://www.drupal.org/user/122464</a><br>
[8] <a href="https://www.drupal.org/user/108450" rel="noreferrer" target="_blank">https://www.drupal.org/user/108450</a><br>
[9] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>
[10] <a href="https://www.drupal.org/user/683300" rel="noreferrer" target="_blank">https://www.drupal.org/user/683300</a><br>
<br>
_______________________________________________<br>
Security-news mailing list<br>
<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>
Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a><br>
</div><div class="gmail_quote"><br></div><div class="gmail_quote"><div><br class="gmail-Apple-interchange-newline">===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a> [^]</div><div>Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830</div></div></div>