Headline
CVE-2023-40260: Unauthorized MFA Code Delivery in EmpowerID
EmpowerID before 7.205.0.1 allows an attacker to bypass an MFA (multi factor authentication) requirement if the first factor (username and password) is known, because the first factor is sufficient to change an account’s email address, and the product would then send MFA codes to the new email address (which may be attacker-controlled). NOTE: this is different from CVE-2023-4177, which claims to be about “some unknown processing of the component Multi-Factor Authentication Code Handler” and thus cannot be correlated with other vulnerability information.
Full Disclosure mailing list archives
From: “Patel, Nirav” <Nirav.Patel () empowerid com>
Date: Wed, 26 Jul 2023 21:17:15 +0000
Severity: High
Description:
An identified security flaw is present in EmpowerID versions V7.205.0.0 and prior versions, causing the system to mistakenly send Multi-Factor Authentication (MFA) codes to unintended email addresses. To exploit this vulnerability, an attacker would need to have access to valid and breached login details, including a username and password.
This vulnerability’s root cause lies in insufficient verification of previously registered MFA during the process of delivering MFA codes. A bad actor possessing the correct login details for an EmpowerID user account can abuse this weakness by changing the email address associated with the user’s account to an alternate one under their control. Consequently, the MFA codes that should be sent to the legitimate user are instead delivered to the malicious party’s email.
By successfully taking advantage of this vulnerability, an attacker could circumvent MFA safeguards and potentially gain unpermitted access to the victim’s account. Such a security breach could enable unauthorized activities, data breaches, or the exposure of confidential information within the impacted EmpowerID system.
Affected Versions:
* EmpowerID versions V7.205.0.0 and earlier.
Actions Performed:
EmpowerID has released a patch to version V7.205.0.1 and older versions, which addresses this vulnerability. EmpowerID has contacted customers which are known to use EmpowerID’s MFA. It is highly recommended that all customers upgrade to the latest version immediately to mitigate the risk, or contact EmpowerID for patch details.
[signature_889433285]http://empowerid.com/\ Nirav Patel
[signature_1232658466] nirav.patel () empowerID com<mailto:nirav.patel () empowerID com> [signature_1909062425] www.empowerID.comhttp://empowerid.com/\
[signature_729000866] http://www.youtube.com/user/empowerID\ [signature_2001009733]
https://twitter.com/EmpowerID\ [signature_1070999265] https://www.facebook.com/220903377569\
[signature_679156352] https://www.linkedin.com/company/85780\
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- Unauthorized MFA Code Delivery in EmpowerID Patel, Nirav (Aug 01)