Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 20 Jun 2015 17:12:27 -0400
From: Justin Bull <me@...tinbull.ca>
To: oss-security@...ts.openwall.com
Subject: CVE Request: MITM & Shoulder-surfing vuln in Ruby OTP/HOTP/TOTP library "ROPT" 

Hello,

Please excuse me if I’m doing this incorrectly, this is my first time attempting to acquire a CVE ID for a discovered vulnerability.

NOTE: I have already sent a similar email to MITRE requesting a CVE ID, but been advised to submit here as well (then cancel the request to MITRE, since those poor folks deal with thousands of requests).


== Affected Software: ==

The Ruby One Time Password Library (https://github.com/mdp/rotp)

A ruby library for generating one time passwords (HOTP & TOTP) according to RFC 4226 and RFC 6238.

ROTP is compatible with the Google Authenticator available for Android and iPhone.


== Type of Attack: ==

- Man in The Middle
- Shoulder Surfing


== Versions affected: ==

All versions.


== Description of Vulnerability: ==

The TOTP feature of the software is not fully compliant with Section 5.2 of RFC 6238[1] and does not “burn” a successfully validated OTP.

When the provider sends a valid OTP to the verifier, the verify must not accept subsequent submissions of the same OTP in that given time step. That is, in order to maintain the “One-Time” aspect of a One-Time Password, it can be used once and only once.


== Impact / Attack: ==

In a two-factor authentication context, an attacker could Man-in-The-Middle the connection between the verifier and provider, obtain the username, password, & OTP values, and log in with the credentials within the current time step (a 30 second window, if defaults are used). Arguably, this defeats the two-factor authentication since the OTP can be replayed multiple times.

Alternatively, an attacker could “shoulder surf” the victim’s second factor device in lieu of compromising the connection.

This information has been captured in the bug report to the maintainer of ROTP[2].


== Solution: ==

None yet, the fix[3] is not merged into codebase and not released.


== Acknowledgements: ==

Thanks to Viliam Holub (https://github.com/vilda) for originally tipping me off to the RFC non-compliance in software that utilizes the ROTP library[4].


== References:==

[1]: https://tools.ietf.org/html/rfc6238#section-5.2
[2]: https://github.com/mdp/rotp/issues/44
[3]: https://github.com/mdp/rotp/pull/45
[4]: https://github.com/tinfoil/devise-two-factor/issues/30


Best Regards,

Justin Bull
PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C


Download attachment "signature.asc" of type "application/pgp-signature" (843 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.