Security Advisory WSO2-2021-1459
- Former user (Deleted)
Published: 9th May 2022
Version: 1.0.0
Severity: Medium
CVSS Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)
AFFECTED PRODUCTS
WSO2 API Manager : 3.0.0 , 3.1.0 , 3.2.0 , 4.0.0
WSO2 IS as Key Manager : 5.9.0 , 5.10.0
WSO2 Identity Server : 5.9.0 , 5.10.0 , 5.11.0
OVERVIEW
Improper authentication in the TOTP Rest API.
DESCRIPTION
TOTP API can be accessed using the user username and the password of a user, due to the improper authentication in the TOTP Rest API.
IMPACT
This vulnerability only impacts authentication flows where TOTP authenticator is used. Additionally, in order to leverage this vulnerability a malicious actor should have the valid username and password of the targeted victim. If such information could be obtained, a malicious actor can invoke the TOTP endpoint using the username and password of the victim. Doing so, the malicious actor could get the TOTP code which can be used to bypass the TOTP authentication.
SOLUTION
You may apply the relevant fixes to the product based on the public fixes as given below:
- https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/155
- https://github.com/wso2/identity-api-user/pull/131
- https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/156
Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.