Problem/Motivation

Clarifying information:
This vulnerability is a high complexity attack, requiring active user interaction and the ability for an attacker to inject a valid session ID known to the attacker onto a victim prior to the victim attempting to log in with traditional user+password, followed by the ability to interface with, exfiltrate from or otherwise be able to calculate the two-factor authentication request page response. The attacker would still be compelled to present a valid second factor credential to complete the login and must do so prior to the expiration of a 5 minute validity timer.

Methods for either setting the session or obtaining the response are not defined within the vulnerability report as they are out of scope of the flaw.

While the Drupal Security Team calculator scores this as Critical 15 / 25 (AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All), a CVSS:4.0 score would be closer to Low: 2.1 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:N/R:U/V:D/RE:L/U:Clear).

Public followup in 2 weeks for SA-CONTRIB-2024-043 to publish tests and associate materials.
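The preconditions described above, modelled as an added example that is not part of this issue or of the TFA module's code: a toy password-then-TFA login in which the session id present before login either survives the password step or is replaced by a fresh one, with the 5 minute window on the pending second-factor state. The credential values, the `regenerate_session_id` switch and the session layout are assumptions of the model, not a description of how the module was fixed.

```python
"""Toy password-then-TFA login model (constructed; not Drupal TFA module code)."""
import secrets

TFA_WINDOW = 300           # the 5 minute validity timer named in the summary
VALID_PASSWORD = "pw"      # stand-in first factor (constructed)
VALID_TFA_CODE = "123456"  # stand-in second factor (constructed)

class Site:
    def __init__(self, regenerate_session_id):
        self.regenerate = regenerate_session_id  # fresh id after first factor?
        self.sessions = {}                       # session id -> state dict

    def seed_session(self, sid):
        # A session id that already exists before the victim logs in; how an
        # attacker would know or set it is out of scope, as the issue states.
        self.sessions.setdefault(sid, {})

    def password_login(self, sid, user, password, now):
        if password != VALID_PASSWORD:
            return None
        if self.regenerate:
            self.sessions.pop(sid, None)  # the pre-login id is discarded
            sid = secrets.token_hex(16)
        self.sessions[sid] = {"pending_user": user, "deadline": now + TFA_WINDOW}
        return sid

    def tfa_login(self, sid, code, now):
        s = self.sessions.get(sid)
        if not s or "pending_user" not in s:
            return False
        if now > s["deadline"]:  # timer elapsed: pending state is dropped
            del self.sessions[sid]
            return False
        if code != VALID_TFA_CODE:
            return False
        s["authenticated_user"] = s.pop("pending_user")
        return True

def seeded_id_reaches_tfa_step(regenerate):
    """True if an id known before login still holds pending-TFA state after it."""
    site = Site(regenerate)
    site.seed_session("known-id")
    site.password_login("known-id", "alice", VALID_PASSWORD, now=0)
    return "pending_user" in site.sessions.get("known-id", {})

def tfa_accepted_after(delay):
    """Second factor presented `delay` seconds after the password step."""
    site = Site(True)
    sid = site.password_login("any-id", "alice", VALID_PASSWORD, now=0)
    return site.tfa_login(sid, VALID_TFA_CODE, now=delay)
```

Without regeneration the pre-login id carries the pending-TFA state, which is the first precondition in the summary; with regeneration a pre-known id never reaches that step, and in either case the second factor is refused once the window has elapsed.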

Issue fork tfa-3478361


Comments

cmlara created an issue. See original summary.

rosk0

Status: Postponed » Needs work

Two weeks passed.

Please publish tests and associated materials.

cmlara

Thank you for the ping.

Pushed the 8.x-1.x tests and created MR97.

Will return with issue notes and 2.x tests, leaving as NW for those.

cmlara

Issue summary: View changes

Added some clarifying information to the IS.

  • cmlara committed a167ccf4 on 8.x-1.x
    Issue #3478361: Public followup for SA-CONTRIB-2024-043
    

cmlara

Status: Needs work » Needs review
Related issues: +#3392427: Use an EventSubscriber to process one time login links

The Password Reset tests were handled in #3392427: Use an EventSubscriber to process one time login links which was the primary hold on this issue for 2.x.

Manual rebase on head, with corrections for accidental rollback.

  • cmlara committed c5d96c73 on 2.x
    Issue #3478361 by cmlara: Public followup for SA-CONTRIB-2024-043
    
cmlara

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.