Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 27 Jul 2013 01:06:26 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Forest Monsen <forest.monsen@...il.com>,
        "security@...pal.org" <security@...pal.org>
Subject: Re: CVE request for a Drupal contributed module

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/22/2013 12:22 PM, Forest Monsen wrote:
> Hi Kurt, regarding CVE assignment and your request for
> clarification at 
> http://www.openwall.com/lists/oss-security/2013/05/16/2:
> 
> On Wed, May 15, 2013 at 6:41 PM, Kurt Seifried
> <kseifried@...hat.com> wrote:
> 
>> This sounds like two separate issues:
> [...]
>> can you send me the code patches fixing this so I can make sure
>> it gets the correct SPLIT/MERGE treatment? Thanks.
> 
> Yep - Diffs for the commits that fixed both of these issues are
> at:
> 
> Drupal 6:
> http://drupalcode.org/project/ga_login.git/commitdiff/dd04ea3 
> Drupal 7:
> http://drupalcode.org/project/ga_login.git/commitdiff/c365097
> 
> For the first issue,
> 
> 
>> Accidental removal of account configuration.
>> 
>> In certain scenarios, Google Authenticator login incorrectly 
>> determines the user's account name. The change in account name
>> could cause the two-factor authentication for existing accounts
>> to be lost, allowing users to log in using just username and
>> password.
>> 
>> This vulnerability is mitigated by the fact while Google
>> Authenticator login's additional verification is by-passed, a
>> username and password are still required to log in.
>> 
> 
> It looks like the maintainer now concatenates a "Realm" (site name)
> and suffix with the Drupal username to form the GA username. Any
> inconsistency there will invalidate earlier credentials.

Please use CVE-2013-4177 for this issue.

> For the second,
> 
> One Time Password (OTP) replay
>> 
>> If an attacker can intercept a login request with a username,
>> password and OTP, an attacker could use this same data again to
>> login to the website.
>> 
>> This vulnerability is mitigated by the fact that an attacker who
>> can intercept a login request with this level of detail can
>> usually also intercept the ongoing session identifying token.
>> 
> 
> It looks to me like the maintainer now implements a skew value to
> either (in the case of a time-based one-time password token) review
> only a certain range of timed tokens on either side, or (in the
> case of an HMAC-based one-time password token) to again test a
> range of tokens.
> 
> I'll copy the Drupal Security Team, in case I haven't understood
> it correctly or if further clarification is necessary. Thanks.

Please use CVE-2013-4178 for this issue.

> Best, Forest
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR83FyAAoJEBYNRVNeJnmTVCgQAMGesZzGhReWut7B2WKjMrz6
lRGEaQxlAnqjtknh8Zitcnf6imdojHlKRbSaY1rxYBus67wNy2zitYsSNxrH7MEd
U5kGWPR8NqyvOi01U/KPiQESFxEpeSBPTEiUruAUIlXMW7kokb5mb+NA49L8HpRH
DL6OGiMa80NyCfaSIDkAvC8Z4lVcYE1zV/68aV3mWkUwKM/uxoFrRlcvplgDLc+0
efQlZg3DFviL+ShIwMq9bItW6Kix71/+gHXfEbNv4R75qHJEbWka6Ts8siMVgR9R
2MwyuksNlnzM5SLuo9NyhVHW5ZqxtA/qs6GTwM8nnKtG0R0HL8AlRvG7VMvyxu3O
ozCj9ZGuWFm3fi1qLTKW6Udq0+VidQ7xf3Xg/c6AQivcdqdhuGgNjaWDNGe5LAdB
UOE9YSs+k+74y/aW+GxVyn14LglkSpzLy+eY8w3JfNWnjF6w9uCeSktIaa9H9/Ko
aa4n2kTPG/+0twHg4gg/rd8Smari4CAkBMzcWB59siZGgTKRBZ3Wu2tPvB0UDMgq
FUPsvU0EjOhLn4SZalc79r4mwBzNozEzDk9GhbmkfHFVQ56cr3+eltc8pZgfVuEw
+mS58xTwwhAeQOz76K7WWQqxcqj5Ow+psoBy23WHTw1VOvkHudE6iZZ73lpWg4E2
nTWskopuCzm2VIotNRbb
=Yftf
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.