Headline
CVE-2023-43320: tfa: add data for rate limiting and blocking · proxmox/proxmox-rs@50b793d
An issue in Proxmox Server Solutions GmbH Proxmox VE v5.4 through v8.0, Proxmox Backup Server v1.1 through v3.0, and Proxmox Mail Gateway v7.1 through v8.0 allows a remote authenticated attacker to escalate privileges by bypassing the two-factor authentication component.
Commit
tfa: add data for rate limiting and blocking
TfaUserData uses `#[serde(deny_unknown_fields)]`, so we add this now, but using it will require explicitly enabling it.
If the TOTP count is high, the user should be locked out of TOTP entirely until they use a recovery key to reset the count.
If a user’s TFA try count is too high, they should get rate limited.
In both cases they should receive some kind of notification.
Signed-off-by: Wolfgang Bumiller [email protected]
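The two policies the commit message sketches (lock TOTP entirely once its failure count is high until a recovery key resets it; rate-limit once the overall TFA try count is high; notify the user in both cases), written out as an added example that is not proxmox-rs code. `TfaLimits`, the thresholds, the seconds-since-epoch parameter and the `Notification` enum are all assumptions made for illustration; serde is left out so the block runs without external crates, though in the project the equivalent fields would live in the `#[serde(deny_unknown_fields)]` `TfaUserData` struct the message mentions.

```rust
// Added example, not proxmox-rs code. Thresholds and names are assumptions.

/// Failed TOTP attempts at which TOTP is blocked until a recovery key resets it.
const TOTP_LOCKOUT_THRESHOLD: u32 = 8;
/// Failed TFA attempts (any method) at which rate limiting starts.
const TFA_RATE_LIMIT_THRESHOLD: u32 = 3;
/// Seconds a rate-limited user must wait after their last failure.
const TFA_RATE_LIMIT_WINDOW_SECS: u64 = 60;

/// Per-user counters persisted alongside the TFA configuration.
/// In the real project these would be new fields on a `deny_unknown_fields`
/// struct, which is why they must be added deliberately rather than appear
/// unannounced in stored data.
#[derive(Debug, Default, Clone)]
pub struct TfaLimits {
    pub totp_failures: u32,
    pub tfa_failures: u32,
    pub last_failure_secs: u64,
}

/// Outcome of checking whether a TFA attempt may proceed right now.
#[derive(Debug, PartialEq, Eq)]
pub enum TfaDecision {
    Allowed,
    RateLimited { retry_after_secs: u64 },
    TotpLocked,
}

/// Event the caller should turn into a user notification.
#[derive(Debug, PartialEq, Eq)]
pub enum Notification {
    TotpLocked,
    RateLimited,
}

impl TfaLimits {
    /// TOTP-specific check: the hard lockout is evaluated before the rate limit.
    pub fn check_totp(&self, now_secs: u64) -> TfaDecision {
        if self.totp_failures >= TOTP_LOCKOUT_THRESHOLD {
            return TfaDecision::TotpLocked;
        }
        self.check_rate_limit(now_secs)
    }

    /// Method-independent check applied to every TFA attempt.
    pub fn check_rate_limit(&self, now_secs: u64) -> TfaDecision {
        if self.tfa_failures >= TFA_RATE_LIMIT_THRESHOLD {
            let allowed_at = self.last_failure_secs + TFA_RATE_LIMIT_WINDOW_SECS;
            if now_secs < allowed_at {
                return TfaDecision::RateLimited { retry_after_secs: allowed_at - now_secs };
            }
        }
        TfaDecision::Allowed
    }

    /// Record a failed TOTP code; returns a notification when a threshold is crossed.
    pub fn record_totp_failure(&mut self, now_secs: u64) -> Option<Notification> {
        self.totp_failures = self.totp_failures.saturating_add(1);
        self.tfa_failures = self.tfa_failures.saturating_add(1);
        self.last_failure_secs = now_secs;
        if self.totp_failures == TOTP_LOCKOUT_THRESHOLD {
            Some(Notification::TotpLocked)
        } else if self.tfa_failures == TFA_RATE_LIMIT_THRESHOLD {
            Some(Notification::RateLimited)
        } else {
            None
        }
    }

    /// A successful second factor clears the counters (assumed policy); this
    /// path is unreachable for TOTP once the hard lockout has been reached.
    pub fn record_success(&mut self) {
        self.totp_failures = 0;
        self.tfa_failures = 0;
    }

    /// Using a recovery key is the only way out of the TOTP lockout.
    /// Returns whether the user had actually been locked out.
    pub fn reset_with_recovery_key(&mut self) -> bool {
        let was_locked = self.totp_failures >= TOTP_LOCKOUT_THRESHOLD;
        self.totp_failures = 0;
        self.tfa_failures = 0;
        was_locked
    }
}

fn main() {
    // Constructed walkthrough: four wrong codes one second apart.
    let mut limits = TfaLimits::default();
    for t in 0..4u64 {
        if let Some(n) = limits.record_totp_failure(t) {
            println!("t={}: notify user: {:?}", t, n);
        }
        println!("t={}: next attempt -> {:?}", t, limits.check_totp(t));
    }
}
```

The rate limit is keyed on the time of the last failure rather than on an absolute window, so an attacker who keeps guessing only pushes their own retry time further out, while the TOTP lockout is a plain counter that no amount of waiting clears.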
Related news
Proxmox VE versions 5.4 through 7.4-1 suffer from a TOTP brute-forcing vulnerability.