Vulnerability Note VU#612076
VASCO IDENTIKEY Authentication Server contains an authentication bypass vulnerability
VASCO IDENTIKEY Authentication Server version 3.4.x contains an authentication bypass vulnerability which could allow an attacker to log in to a system without needing the user's Active Directory password credentials.
CWE-305: Authentication Bypass by Primary Weakness
VASCO's IDENTIKEY Authentication Server (IAS) is a product that provides two-factor authentication. The expected behavior of the product is to authenticate a user from a RADIUS client if and only if that user enters a concatenation of his or her Microsoft Active Directory password and a one-time password generated by an assigned DIGIPASS security token. The observed behavior is that the user need only enter the one-time password generated by the security token; the product successfully authenticates the user when no Active Directory password is provided. This reduces two-factor authentication to one-factor authentication (i.e., just the one-time password generated using the security token).
An attacker with access to a user's authentication token or current one-time code could log in to a system without needing the user's Active Directory password credentials.
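To make the expected and observed behavior concrete, here is an added example (not VASCO's code, and not derived from the product) of a RADIUS-side verifier that receives the concatenated "Active Directory password + one-time password" credential. `verify_weak` models the reported behavior, where an empty static-password part is silently accepted once the OTP matches; `verify_strict` models the intended behavior, where both factors must be present and both must verify. The user record, salt and token seed are constructed values; the OTP is computed with RFC 4226 HOTP, which stands in for whatever algorithm the DIGIPASS token actually uses.

```python
"""Two-factor check for a concatenated '<AD password><OTP>' credential.

Constructed example: the user record, salt and token seed below are made up,
and HOTP (RFC 4226) stands in for the real token algorithm.
"""
import hashlib
import hmac
import struct

OTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def password_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 stand-in for the directory's password verifier."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record standing in for the directory plus token database.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "pw_hash": password_hash("Correct-Horse-42", _SALT),
        "otp_secret": b"12345678901234567890",  # token seed (constructed)
        "counter": 7,
    }
}


def split_credential(submitted: str):
    """The password field carries <AD password><OTP>; the OTP is the trailing OTP_DIGITS characters."""
    if len(submitted) < OTP_DIGITS:
        return None, None
    return submitted[:-OTP_DIGITS], submitted[-OTP_DIGITS:]


def _otp_ok(user: dict, otp: str) -> bool:
    expected = hotp(user["otp_secret"], user["counter"])
    return hmac.compare_digest(expected.encode(), otp.encode())


def _static_ok(user: dict, static: str) -> bool:
    return hmac.compare_digest(password_hash(static, _SALT), user["pw_hash"])


def verify_weak(username: str, submitted: str) -> bool:
    """Models the reported behavior: with no static password supplied, only the OTP is checked."""
    user = USERS.get(username)
    static, otp = split_credential(submitted)
    if user is None or otp is None or not _otp_ok(user, otp):
        return False
    if static == "":
        return True  # the bypass: the second factor is silently dropped
    return _static_ok(user, static)


def verify_strict(username: str, submitted: str) -> bool:
    """Intended behavior: both factors must be present and both must verify."""
    user = USERS.get(username)
    static, otp = split_credential(submitted)
    if user is None or otp is None or static == "":
        return False
    # Evaluate both factors rather than short-circuiting, so a failure does
    # not reveal which factor was wrong.
    otp_ok = _otp_ok(user, otp)
    static_ok = _static_ok(user, static)
    return otp_ok and static_ok


if __name__ == "__main__":
    code = hotp(USERS["alice"]["otp_secret"], USERS["alice"]["counter"])
    print("OTP only, weak verifier:  ", verify_weak("alice", code))
    print("OTP only, strict verifier:", verify_strict("alice", code))
    print("both factors, strict:     ", verify_strict("alice", "Correct-Horse-42" + code))
```

The defensive point is the explicit `static == ""` rejection together with an unconditional check of both factors: a verifier that only tests whatever the client happened to send will degrade to single-factor whenever one component is absent. A quick configuration check on any deployment that expects concatenated credentials is to submit the OTP alone for a test account and confirm the request is rejected.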
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Vasco | Affected | 06 Nov 2013 | 09 Dec 2013 |
Thanks to Michael Schoenbach and Luke Sullivan for reporting this vulnerability.
This document was written by Michael Orlando.
- CVE IDs: Unknown
- Date Public: 13 Dec 2013
- Date First Published: 09 Jan 2014
- Date Last Updated: 09 Jan 2014
- Document Revision: 18