CVE-2022-36071: TOTP Generate Recovery Codes MFA · Issue #965 · drakkan/sftpgo

SFTPGo is a configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one-time-use codes that can be used instead of the TOTP. In SFTPGo versions 2.2.0 to 2.3.3, recovery codes can be generated before enabling two-factor authentication. An attacker who knows the user's password could potentially generate some recovery codes and then bypass two-factor authentication after it is enabled on the account at a later time. This issue has been fixed in version 2.3.4. Recovery codes can now only be generated after enabling two-factor authentication and are deleted after disabling it.


Area
Web Client MFA /web/client/mfa

Summary
Not sure if this is the expected behaviour, but a user required to use MFA has the option to generate recovery codes even before configuring and enabling it on the account. This option is available after logging in with username/password. This means an attacker that knows the user's password could potentially generate a bunch of recovery codes, bypassing 2FA after it is enabled on the account at a later date.

Steps to reproduce as Admin
As an Admin, create a new account for a user with a password but enable the requirement for MFA.

Steps to reproduce the behavior as user:

The user logs into the WebClient and will get this page: [screenshot in the original issue]

On all other options, when the user clicks, they get the page shown above.

Scroll to the bottom, click "Generate codes" and store them for later.

After enabling 2FA: [screenshot in the original issue]

Expected behavior

Options to generate codes should not be visible until 2FA has been enabled on the account, I would have thought?

System info:
OS Name: Redhat
OS Version: 9
sftpgo version: SFTPGo 2.3.3-665016e-2022-08-05T08:54:48Z +metrics +azblob +gcs +s3 +bolt +mysql +pgsql +sqlite +portable
sftpgo install source: Yum

Related news

GHSA-54qx-8p8w-xhg8: SFTPGo vulnerable to recovery codes abuse

### Impact

SFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one-time-use codes that can be used instead of the TOTP. In SFTPGo versions from v2.2.0 to v2.3.3, recovery codes can be generated before enabling two-factor authentication. An attacker who knows the user's password could potentially generate some recovery codes and then bypass two-factor authentication after it is enabled on the account at a later time.

### Patches

Fixed in v2.3.4. Recovery codes can now only be generated after enabling two-factor authentication and are deleted after disabling it.

### Workarounds

Regenerate recovery codes after enabling two-factor authentication.

### References

https://github.com/drakkan/sftpgo/issues/965
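The sequence the CVE description and the advisory above describe, as an added Go example (not SFTPGo's own code; the `Account` type, its method names and the 16-hex-character code format are assumptions made here). `GenerateRecoveryCodesVulnerable` mints codes with no check on MFA state, as in 2.2.0 to 2.3.3; `GenerateRecoveryCodes` applies the 2.3.4 rule, and `DisableMFA` wipes the stored set. `AttackerBypasses` walks through the issue: codes generated with only the password, TOTP enabled later by the real user, and one of the stored codes presented as the second factor. Generation replaces the whole set, which is what makes the advisory's workaround (regenerate after enabling MFA) effective.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Account holds only the state this issue is about; the type and method
// names are assumptions for this example, not SFTPGo's data model.
type Account struct {
	MFAEnabled    bool
	recoveryCodes [][]byte // SHA-256 of each still-unused code
}

var (
	ErrMFANotEnabled = errors.New("two-factor authentication is not enabled")
	ErrBadCode       = errors.New("invalid or already used recovery code")
)

func hashCode(code string) []byte {
	h := sha256.Sum256([]byte(code))
	return h[:]
}

// GenerateRecoveryCodesVulnerable mirrors 2.2.0-2.3.3 as the advisory
// describes it: codes can be minted while MFA is still off. The plaintext
// codes are returned once; only their hashes are stored, replacing any old set.
func (a *Account) GenerateRecoveryCodesVulnerable(n int) ([]string, error) {
	codes := make([]string, n)
	a.recoveryCodes = make([][]byte, n)
	for i := range codes {
		var b [8]byte
		if _, err := rand.Read(b[:]); err != nil {
			return nil, err
		}
		codes[i] = hex.EncodeToString(b[:])
		a.recoveryCodes[i] = hashCode(codes[i])
	}
	return codes, nil
}

// GenerateRecoveryCodes applies the 2.3.4 rule: refuse unless MFA is on.
func (a *Account) GenerateRecoveryCodes(n int) ([]string, error) {
	if !a.MFAEnabled {
		return nil, ErrMFANotEnabled
	}
	return a.GenerateRecoveryCodesVulnerable(n)
}

func (a *Account) EnableMFA()          { a.MFAEnabled = true }
func (a *Account) RemainingCodes() int { return len(a.recoveryCodes) }

// DisableMFA also wipes the recovery set (the other half of the fix), so
// codes cannot survive a disable/enable cycle.
func (a *Account) DisableMFA() {
	a.MFAEnabled = false
	a.recoveryCodes = nil
}

// RedeemRecoveryCode is the second-factor step: a match is consumed so it
// cannot be replayed, and hashes are compared in constant time.
func (a *Account) RedeemRecoveryCode(code string) error {
	if !a.MFAEnabled {
		return ErrMFANotEnabled
	}
	h := hashCode(code)
	for i, stored := range a.recoveryCodes {
		if subtle.ConstantTimeCompare(h, stored) == 1 {
			a.recoveryCodes = append(a.recoveryCodes[:i], a.recoveryCodes[i+1:]...)
			return nil
		}
	}
	return ErrBadCode
}

// AttackerBypasses replays the issue: an attacker holding only the password
// mints codes before the user enrols TOTP, then presents one afterwards.
// It reports whether that code is accepted as the second factor.
func AttackerBypasses(vulnerable bool) (bool, error) {
	acct := &Account{} // MFA required by policy, not yet configured
	gen := acct.GenerateRecoveryCodes
	if vulnerable {
		gen = acct.GenerateRecoveryCodesVulnerable
	}
	codes, err := gen(3)
	if err != nil {
		return false, err // fixed build refuses at step 1
	}
	acct.EnableMFA() // the legitimate user sets up TOTP later
	return acct.RedeemRecoveryCode(codes[0]) == nil, nil
}

func main() {
	for _, v := range []bool{true, false} {
		ok, err := AttackerBypasses(v)
		fmt.Printf("vulnerable=%v bypass=%v err=%v\n", v, ok, err)
	}
}
```

Running `main` shows `bypass=true` for the vulnerable path and `bypass=false` with `ErrMFANotEnabled` for the fixed one. Storing hashes rather than plaintext codes and consuming each code on first use are not part of the reported issue, but they are what a practitioner would expect alongside the generation-order check.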
