GHSA-CHCR-X7HC-8FP8
Vulnerability from github – Published: 2024-01-12 15:13 – Updated: 2024-03-20 15:34
Advisory withdrawn
The backing CVE has been rejected
Devise-Two-Factor does not throttle or otherwise restrict login attempts at the server by default. A six-digit TOTP code has only 10^6 possible values, and a server that tolerates clock drift accepts the codes of neighbouring time steps as well, so an attacker who can submit attempts without limit has a realistic chance of guessing an accepted code and bypassing the 2FA mechanism by brute force.
Impact
If a user's username and password have already been compromised, an attacker can keep submitting candidate TOTP codes until one happens to be accepted and then log in as that user. Nothing in the default configuration limits how many codes may be tried, and the user under attack would not necessarily know that their account has been compromised.
Patches
Devise-Two-Factor has not released any fixes for this vulnerability. This library is open-ended by design and cannot solve this for all applications natively. It's recommended that any application leveraging Devise-Two-Factor implement controls at the application level to mitigate this threat. A non-exhaustive list of possible mitigations can be found below.
Mitigations
- Use the `lockable` strategy from Devise to lock a user after a certain number of failed login attempts. See https://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Lockable for more information. Note that lockout on its own lets anyone who knows a username lock that account, so pair it with the rate limit below.
- Configure a rate limit for your application, especially on the endpoints used to log in. One such library to accomplish this is rack-attack (https://rubygems.org/gems/rack-attack).
- When displaying authentication errors, hide whether the username/password combination or the two-factor code failed behind a single generic error message, so a failed attempt does not confirm that the password was correct.
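The following is an added example, not code from devise-two-factor or from this advisory. It models the problem and the first and third mitigations in plain Ruby: an RFC 6238 verifier (HMAC-SHA1, six digits, 30-second step) with a drift window, an unthrottled account that evaluates every submitted code and reports which factor failed, and a lockable-style account that counts failures, refuses every attempt once locked, and answers with one generic result whichever factor was wrong. The class and function names, the raw-byte secret, the five-attempt threshold and the one-step drift are assumptions of the example, not devise-two-factor's API; Devise's own `:lockable` supplies the counting and unlock flow in a real application.

```ruby
require 'openssl'

# Added example (not devise-two-factor code). RFC 6238 TOTP with HMAC-SHA1,
# six digits and a 30 s step; the secret is raw bytes here, not base32.
DIGITS = 6
STEP   = 30

# Constant-time equality so a guess cannot be confirmed byte by byte via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic truncation.
def hotp(secret, counter)
  hmac   = OpenSSL::HMAC.digest('sha1', secret, [counter].pack('Q>'))
  offset = hmac.getbyte(-1) & 0x0f
  code   = (hmac.byteslice(offset, 4).unpack1('N') & 0x7fffffff) % (10**DIGITS)
  code.to_s.rjust(DIGITS, '0')
end

def totp(secret, at:)
  hotp(secret, at.to_i / STEP)
end

# Every code the server accepts at time `at` with +/- `drift` steps of tolerance.
# Each tolerated step is one more winning ticket for the attacker.
def acceptable_codes(secret, at:, drift: 1)
  counter = at.to_i / STEP
  (-drift..drift).map { |d| hotp(secret, counter + d) }
end

def otp_valid?(secret, code, at:, drift: 1)
  acceptable_codes(secret, at: at, drift: drift).any? { |c| secure_compare(c, code) }
end

# Chance that `guesses` distinct codes, tried with no limit, include an accepted
# one (drawing without replacement from the 10**DIGITS possible values).
def success_probability(guesses, drift: 1)
  space = 10**DIGITS
  wins  = 2 * drift + 1
  miss  = (1..guesses).inject(1.0) { |p, i| p * (space - wins - i + 1).fdiv(space - i + 1) }
  1.0 - miss
end

# The default the advisory describes: every submitted code is evaluated, and the
# distinct results tell the caller which factor failed.
class UnthrottledAccount
  attr_reader :otp_checks

  def initialize(password:, secret:)
    @password, @secret, @otp_checks = password, secret, 0
  end

  def authenticate(password:, otp:, at:)
    return :bad_password unless secure_compare(@password, password)
    @otp_checks += 1
    otp_valid?(@secret, otp, at: at) ? :ok : :bad_otp
  end
end

# Mitigations 1 and 3 together: count consecutive failures, refuse all attempts
# once locked, and answer :invalid whichever factor was wrong. MAX_FAILED is an
# assumed threshold; Devise :lockable makes it configurable (maximum_attempts).
class LockableAccount
  MAX_FAILED = 5
  attr_reader :failed_attempts, :otp_checks

  def initialize(password:, secret:)
    @password, @secret = password, secret
    @failed_attempts = @otp_checks = 0
  end

  def locked?
    @failed_attempts >= MAX_FAILED
  end

  def authenticate(password:, otp:, at:)
    return :locked if locked?
    ok = secure_compare(@password, password)
    if ok
      @otp_checks += 1
      ok = otp_valid?(@secret, otp, at: at)
    end
    @failed_attempts = ok ? 0 : @failed_attempts + 1
    ok ? :ok : :invalid
  end
end

# An attacker who already holds the password submits the given codes in order and
# stops at the first :ok or :locked. Returns [codes the server evaluated, last result].
def run_attack(account, password:, at:, guesses:)
  result = nil
  guesses.each do |code|
    result = account.authenticate(password: password, otp: code, at: at)
    break if result == :ok || result == :locked
  end
  [account.otp_checks, result]
end
```

Running `run_attack` with a few thousand sequential codes against an `UnthrottledAccount` shows the server evaluating every one of them, while the `LockableAccount` evaluates five and then refuses even the genuine code until it is unlocked. `success_probability(10_000)` puts the unthrottled case at roughly a 3% chance of a successful login per ten thousand attempts with a one-step drift window, which is why a per-source rate limit such as rack-attack (mitigation 2) belongs in front of the login endpoints as well: it caps the attempt rate without handing an attacker a way to lock victims out.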
Acknowledgements
Christian Reitter (Radically Open Security) and Chris MacNaughton (Centauri Solutions)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "devise-two-factor"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"last_affected": "5.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-0227"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-12T15:13:05Z",
"nvd_published_at": "2024-01-11T20:15:44Z",
"severity": "MODERATE"
},
"details": "### Advisory withdrawn\nThe backing CVE has been rejected\n\nDevise-Two-Factor does not throttle or otherwise restrict login attempts at the server by default. When combined with the Time-based One Time Password algorithm\u0027s (TOTP) inherent entropy limitations, it\u0027s possible for an attacker to bypass the 2FA mechanism through brute-force attacks.\n\n### Impact\n\nIf a user\u0027s username and password have already been compromised an attacker would be able to try possible TOTP codes and see if they can hit a lucky collision to log in as that user. The user under attack would not necessarily know that their account has been compromised.\n\n### Patches\n\nDevise-Two-Factor has not released any fixes for this vulnerability. This library is open-ended by design and cannot solve this for all applications natively. It\u0027s recommended that any application leveraging Devise-Two-Factor implement controls at the application level to mitigate this threat. A non-exhaustive list of possible mitigations can be found below.\n\n#### Mitigations\n\n1. Use the `lockable` strategy from Devise to lock a user after a certain number of failed login attempts. See https://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Lockable for more information.\n2. Configure a rate limit for your application, especially on the endpoints used to log in. One such library to accomplish this is [rack-attack](https://rubygems.org/gems/rack-attack).\n3. When displaying authentication errors hide whether validating a username/password combination failed or a two-factor code failed behind a more generic error message.\n\n### Acknowledgements\n\nChristian Reitter ([Radically Open Security](https://www.radicallyopensecurity.com/)) and Chris MacNaughton ([Centauri Solutions](https://centauri.solutions))",
"id": "GHSA-chcr-x7hc-8fp8",
"modified": "2024-03-20T15:34:05Z",
"published": "2024-01-12T15:13:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-chcr-x7hc-8fp8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0227"
},
{
"type": "PACKAGE",
"url": "https://github.com/devise-two-factor/devise-two-factor"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/devise-two-factor/CVE-2024-0227.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Devise-Two-Factor vulnerable to brute force attacks",
"withdrawn": "2024-03-19T22:33:55Z"
}