Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2013-047

HistoryMay 15, 2013 - 12:00 a.m.

SA-CONTRIB-2013-047 - Google Authenticator login - Access Bypass

2013-05-1500:00:00

Drupal Security Team

www.drupal.org

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

73.0%

JSON

This module will allow you to add Time-based One-time Password Algorithm (also called “Two Step Authentication” or “Multi-Factor Authentication”) support to user logins. It works with Google’s Authenticator app system and support most (if not all) OATH based HOTP/TOTP systems.

Accidental removal of account configuration

In certain scenarios, Google Authenticator login incorrectly determines the user’s account name. The change in account name could cause the two-factor authentication for existing accounts to be lost, allowing users to log in using just username and password.

This vulnerability is mitigated by the fact while Google Authenticator login’s additional verification is by-passed, a username and password are still required to log in.

One-time password (OTP) replay

If an attacker can intercept a login request with a username, password and OTP, an attacker could use this same data again to login to the website.

This vulnerability is mitigated by the fact that an attacker who can intercept a login request with this level of detail can usually also intercept the ongoing session identifying token.

CVE identifier(s) issued

Accidental removal of account configuration: CVE-2013-4177
One-time password (OTP) replay: CVE-2013-4178

Versions affected

Google Authenticator login 6.x-1.x versions prior to 6.x-1.2.
Google Authenticator login 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Google Authenticator login module, there is nothing you need to do.

Solution

Install the latest version:

If you use the Google Authenticator login module for Drupal 6.x, upgrade to Google Authenticator login module 6.x-1.2
If you use the Google Authenticator login module for Drupal 7.x, upgrade to Google Authenticator login module 7.x-1.4

Also see the Google Authenticator login project page.

Reported by

Ivo Van Geertruyen of the Drupal Security Team
Lode Vanstechelman

Fixed by

Peter Droogmans the module maintainer
Jelle Sebreghts the module maintainer
Ivo Van Geertruyen of the Drupal Security Team

Coordinated by

Ivo Van Geertruyen of the Drupal Security Team

References

drupal.org/contact

drupal.org/project/ga_login

drupal.org/security-team

drupal.org/security-team/risk-levels

drupal.org/security/secure-configuration

drupal.org/user/105002

drupal.org/user/383424

drupal.org/user/657472

drupal.org/user/829198

drupal.org/writing-secure-code

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

73.0%

JSON

Related for DRUPAL-SA-CONTRIB-2013-047