Re: CVE request for a Drupal contributed module

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/22/2013 12:22 PM, Forest Monsen wrote:
> Hi Kurt, regarding CVE assignment and your request for
> clarification at 
> http://www.openwall.com/lists/oss-security/2013/05/16/2:
>
> On Wed, May 15, 2013 at 6:41 PM, Kurt Seifried
> <kseifried () redhat com> wrote:
>
> > This sounds like two separate issues:
> [...]
> > can you send me the code patches fixing this so I can make sure
> > it gets the correct SPLIT/MERGE treatment? Thanks.
>
> Yep - Diffs for the commits that fixed both of these issues are
> at:
>
> Drupal 6:
> http://drupalcode.org/project/ga_login.git/commitdiff/dd04ea3 
> Drupal 7:
> http://drupalcode.org/project/ga_login.git/commitdiff/c365097
>
> For the first issue,
>
>
> > Accidental removal of account configuration.
> >
> > In certain scenarios, Google Authenticator login incorrectly 
> > determines the user's account name. The change in account name
> > could cause the two-factor authentication for existing accounts
> > to be lost, allowing users to log in using just username and
> > password.
> >
> > This vulnerability is mitigated by the fact while Google
> > Authenticator login's additional verification is by-passed, a
> > username and password are still required to log in.
>
> It looks like the maintainer now concatenates a "Realm" (site name)
> and suffix with the Drupal username to form the GA username. Any
> inconsistency there will invalidate earlier credentials.

Please use CVE-2013-4177 for this issue.

> For the second,
>
> One Time Password (OTP) replay
> > If an attacker can intercept a login request with a username,
> > password and OTP, an attacker could use this same data again to
> > login to the website.
> >
> > This vulnerability is mitigated by the fact that an attacker who
> > can intercept a login request with this level of detail can
> > usually also intercept the ongoing session identifying token.
>
> It looks to me like the maintainer now implements a skew value to
> either (in the case of a time-based one-time password token) review
> only a certain range of timed tokens on either side, or (in the
> case of an HMAC-based one-time password token) to again test a
> range of tokens.
>
> I'll copy the Drupal Security Team, in case I haven't understood
> it correctly or if further clarification is necessary. Thanks.

Please use CVE-2013-4178 for this issue.

> Best, Forest


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR83FyAAoJEBYNRVNeJnmTVCgQAMGesZzGhReWut7B2WKjMrz6
lRGEaQxlAnqjtknh8Zitcnf6imdojHlKRbSaY1rxYBus67wNy2zitYsSNxrH7MEd
U5kGWPR8NqyvOi01U/KPiQESFxEpeSBPTEiUruAUIlXMW7kokb5mb+NA49L8HpRH
DL6OGiMa80NyCfaSIDkAvC8Z4lVcYE1zV/68aV3mWkUwKM/uxoFrRlcvplgDLc+0
efQlZg3DFviL+ShIwMq9bItW6Kix71/+gHXfEbNv4R75qHJEbWka6Ts8siMVgR9R
2MwyuksNlnzM5SLuo9NyhVHW5ZqxtA/qs6GTwM8nnKtG0R0HL8AlRvG7VMvyxu3O
ozCj9ZGuWFm3fi1qLTKW6Udq0+VidQ7xf3Xg/c6AQivcdqdhuGgNjaWDNGe5LAdB
UOE9YSs+k+74y/aW+GxVyn14LglkSpzLy+eY8w3JfNWnjF6w9uCeSktIaa9H9/Ko
aa4n2kTPG/+0twHg4gg/rd8Smari4CAkBMzcWB59siZGgTKRBZ3Wu2tPvB0UDMgq
FUPsvU0EjOhLn4SZalc79r4mwBzNozEzDk9GhbmkfHFVQ56cr3+eltc8pZgfVuEw
+mS58xTwwhAeQOz76K7WWQqxcqj5Ow+psoBy23WHTw1VOvkHudE6iZZ73lpWg4E2
nTWskopuCzm2VIotNRbb
=Yftf
-----END PGP SIGNATURE-----