Vulnerability Note VU#612076

VASCO IDENTIKEY Authentication Server contains an authentication bypass vulnerability

Original Release date: 09 Jan 2014 | Last revised: 09 Jan 2014

Overview

VASCO IDENTIKEY Authentication Server version 3.4.x contains an authentication bypass vulnerability which could allow an attacker to login to a system without needing the user's Active Directory password credentials.

Description

CWE-305: Authentication Bypass by Primary Weakness

VASCO's IDENTIKEY Authentication Server (IAS) is a product which provides two-factor authentication capability. VASCO IDENTIKEY Authentication Server version 3.4.x contains an authentication bypass vulnerability which could allow an attacker to login to a system without needing the user's Active Directory password credentials. The expected behavior of the product is to authenticate a user from a RADIUS client if and only if that user enters a concatenation of his or her Microsoft Active Directory password credentials and a one-time password that is generated by an assigned DIGIPASS security token. The observed behavior is that the user need only enter the one-time password generated by the security token; the product will successfully authenticate the user when no Active Directory password is provided. This reduces two-factor authentication into one-factor authentication (i.e. just the one-time password generated using the security token).

Impact

An attacker with access to a user's authentication token or current code could login to a system without needing the user's Active Directory password credentials.

Solution

Update

VASCO has released an updated version of IDENTIKEY Authentication Server 3.5 to address this vulnerability. VASCO is advising affected users to download the updated version from VASCO My Maintenance site.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
VascoAffected06 Nov 201309 Dec 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N
Temporal 2.7 E:POC/RL:OF/RC:C
Environmental 4.1 CDP:LM/TD:M/CR:H/IR:ND/AR:ND

References

Credit

Thanks to Michael Schoenbach and Luke Sullivan for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: Unknown
  • Date Public: 13 Dec 2013
  • Date First Published: 09 Jan 2014
  • Date Last Updated: 09 Jan 2014
  • Document Revision: 18

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.