Overview
VASCO IDENTIKEY Authentication Server version 3.4.x contains an authentication bypass vulnerability which could allow an attacker to login to a system without needing the user's Active Directory password credentials.
Description
CWE-305: Authentication Bypass by Primary Weakness VASCO's IDENTIKEY Authentication Server (IAS) is a product which provides two-factor authentication capability. VASCO IDENTIKEY Authentication Server version 3.4.x contains an authentication bypass vulnerability which could allow an attacker to login to a system without needing the user's Active Directory password credentials. The expected behavior of the product is to authenticate a user from a RADIUS client if and only if that user enters a concatenation of his or her Microsoft Active Directory password credentials and a one-time password that is generated by an assigned DIGIPASS security token. The observed behavior is that the user need only enter the one-time password generated by the security token; the product will successfully authenticate the user when no Active Directory password is provided. This reduces two-factor authentication into one-factor authentication (i.e. just the one-time password generated using the security token). |
Impact
An attacker with access to a user's authentication token or current code could login to a system without needing the user's Active Directory password credentials. |
Solution
Update |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 3.5 | AV:N/AC:M/Au:S/C:P/I:N/A:N |
| Temporal | 2.7 | E:POC/RL:OF/RC:C |
| Environmental | 4.1 | CDP:LM/TD:M/CR:H/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Michael Schoenbach and Luke Sullivan for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
| CVE IDs: | None |
| Date Public: | 2013-12-13 |
| Date First Published: | 2014-01-09 |
| Date Last Updated: | 2014-01-09 14:30 UTC |
| Document Revision: | 18 |