==========================================================================
Ubuntu Security Notice USN-7050-1
October 01, 2024
ruby-devise-two-factor vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Devise-Two-Factor.
Software Description:
- ruby-devise-two-factor: Barebones two-factor authentication with Devise
Details:
Benoit Côté-Jodoin and Michael Nipper discovered that Devise-Two-Factor
incorrectly handled one-time password validation. An attacker could
possibly use this issue to intercept and re-use a one-time password.
(CVE-2021-43177)
Garrett Rappaport discovered that Devise-Two-Factor incorrectly handled
generating multi-factor authentication codes. An attacker could possibly
use this issue to generate valid multi-factor authentication codes.
(CVE-2024-8796)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
ruby-devise-two-factor 4.0.0-2ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
ruby-devise-two-factor 3.1.0-2ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7050-1
CVE-2021-43177, CVE-2024-8796
Related news
Summary:
Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226 (https://datatracker.ietf.org/doc/html/rfc4226). Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.
Remediation:
Devise-Two-Factor should be upgraded to version v6.0.0 as soon as possible. After upgrading, the length of shared secrets and TOTP URLs generated by the library will increase since the new shared secrets will be longer. If upgrading is not possible, you can override the default `otp_secret_length` attribute in the model when configuring `two_factor_authenticable` and set it to a value of at least 26 to ensure newly generated shared secrets are at least 128-bits long. After upgrading or implementing the workaround, applications using Devise-Two-Fac...
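As an added illustration (not Devise-Two-Factor's own code), the following Ruby check turns the RFC 4226 128-bit requirement into a minimum `otp_secret_length` and audits stored secrets for ones minted under the weak default; it assumes secrets are Base32 text at 5 bits per character and that the old default was 24 characters (120 bits).

```ruby
require 'securerandom'

# RFC 4226 requires an HOTP/TOTP shared secret of at least 128 bits.
RFC4226_MIN_BITS = 128
# Secrets are stored and shared as Base32 text; each character carries 5 bits.
BITS_PER_BASE32_CHAR = 5
BASE32_ALPHABET = (('A'..'Z').to_a + ('2'..'7').to_a).freeze
# Assumption: the vulnerable default length is 24 characters (24 * 5 = 120 bits).
OLD_DEFAULT_SECRET_LENGTH = 24

# Entropy in bits of a Base32 secret with the given character length.
def secret_bits(base32_length)
  base32_length * BITS_PER_BASE32_CHAR
end

# Smallest otp_secret_length that meets the RFC minimum (ceiling division).
# For 128 bits this is 26, the value the advisory's workaround recommends.
def min_secret_length(min_bits = RFC4226_MIN_BITS)
  (min_bits + BITS_PER_BASE32_CHAR - 1) / BITS_PER_BASE32_CHAR
end

# Stand-in generator (hypothetical, not the library's own) for a random Base32 secret.
def generate_base32_secret(length)
  Array.new(length) { BASE32_ALPHABET[SecureRandom.random_number(BASE32_ALPHABET.size)] }.join
end

# Audit helper: ids of records whose stored secret is below the RFC minimum.
# Secrets minted under the old default fail here; those users need re-enrolment
# after the upgrade, since raising otp_secret_length only affects new secrets.
def weak_secret_ids(records, min_bits = RFC4226_MIN_BITS)
  records.select { |r| secret_bits(r[:otp_secret].length) < min_bits }.map { |r| r[:id] }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample records: one from the old default, one at the workaround length.
  sample = [
    { id: 1, otp_secret: generate_base32_secret(OLD_DEFAULT_SECRET_LENGTH) },
    { id: 2, otp_secret: generate_base32_secret(min_secret_length) }
  ]
  puts "old default: #{secret_bits(OLD_DEFAULT_SECRET_LENGTH)} bits"
  puts "minimum otp_secret_length: #{min_secret_length}"
  puts "records needing re-enrolment: #{weak_secret_ids(sample).inspect}"
end
```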