tfa 8.x-1.6 | Drupal.org

This is a non-production site

- Drupal Core Drupal CMS puts the power of Drupal into the hands of marketers, designers and content creators
- Drupal CMS Drupal CMS puts the power of Drupal into the hands of marketers, designers and content creators
- Drupal AI Open limitless possibilities with Drupal AI
- Case Studies Powerful stories that show Drupal solutions in the real world
- Drupal for Government Drupal is the open-source CMS that enables digital transformation of government and increases citizen engagement
- Drupal for Higher Education See why 70% of the world's leading universities chose Drupal
- Drupal for Nonprofit See why Drupal is the open-source CMS choice for some of the world’s most influential nonprofits
- Drupal for eCommerce Natively integrate content and commerce
- Drupal for FinTech Secure and trustworthy FinTech infrastructure
- Drupal for Healthcare Drupal powers systems that are secure, patient-centric and engaging
- Drupal for Media & Publishing Create engaging multi-channel experiences to connect with your audiences - everywhere
- Download Drupal Download Drupal and the extensions you need
- Documentation Full knowledgebase including Drupal 7 resources
- Getting Started Guide to installing Drupal on a server
- Local Development Guide Guide to installing Drupal locally with Docker and DDEV
- Developer Resources Step-by-step guide for learning Drupal
- Drupal User Guide Learn to build with Drupal
- API Complete documentation of Drupal Core APIs
- Modules Extend your project's functionality
- Themes Change your project's look and feel
- Distributions Jumpstart your project with a pre-configured install
- Issues Queue Report issues and contribute improvements
- Security Advisories Stay on top of the latest security alerts and updates
- Find a Drupal Certified Partner Connect with the best Drupal agencies around the world
- Become an Drupal Certified Partner Join an elite network of agencies committed to Drupal excellence and innovation
- Find a Hosting Provider Find a hosting provider for your Drupal project
- Find a Migration Partner Get help with your migration to the latest version of Drupal
- Find Training Upskill your Drupal team
- Drupal Steward Ensure your website is protected with Drupal Steward
- About the Community Come for the code, stay for the community
- How to Contribute Get involved in growing and evolving Drupal
- DrupalCon DrupalCon unites experts from around the globe who create ambitious digital experiences. Network, learn, and be inspired
- Events Discover local events, meet-ups, and training
- Jobs / Careers Find opportunities to work in Drupal
- News & Blogs News and stories about Drupal
- Forum Got a question about Drupal? Find answers on the Drupal forums
- Slack Get support and communicate with the global Drupal community
- Newsletters Sign up for Drupal news and manage your subscriptions
- Drupal Swag Shop Get your Drupal branded merch!
- The Drupal Association Learn how we support Drupal's growth and innovation - and how you can help
- Become a Member Become a Ripplemaker and support the Drupal Association
- Become a Drupal Certified Partner Join an elite network of agencies committed to Drupal excellence and innovation
- Donate Make a donation to the nonprofit that supports Drupal
- Log in
- Create account
- Try Drupal CMS
- Try hosting

Posted by cmlara on April 3, 2024 at 6:33pm

Security Fix: Replay and Denial of Service vulnerability in HOTP plugin

Impacted versions

Two-factor Authentication (TFA) 8.x-1.x versions prior to 8.x-1.6
Two-factor Authentication (TFA) 2.x versions prior to and including 2.0.0-alpha2

Description

If an incorrect token is entered on the token validation page for a HOTP token the counter would be reset to the equivalent of counter 0.

An incorrectly synchronized token can create a DoS by preventing login if all codes are previously used. A stored counter that does not match a remote token can create an apparent DoS if it is outside the allowed counter window compared to a token actual counter.

Mitigating factors

Since 8.x-1.3 TFA will check token hashes even if the site_hash has been changed.
An attack requires a valid username/password combination to exploit either vulnerability.

The 2.x development branch has been fixed since unrelated work was committed in Switch to spomky-labs/otphp

Impact on previous announced vulnerabilities

8.x-1.3 was announced that the HOTP plugin was not vulnerable however this exploit in combination with a deployment prior to 8.x-1.3 could allow exploitation of the previously announced replay attack with HOTP tokens

Drupal Security Advisory

This issue is published without a security advisory in accordance with the precedent set in preparing the 8.x-1.3 security fix release.

VCS Label

8.x-1.6

Core compatibility

Release type

Short description

Security Fix: Replay and Denial of Service vulnerability in HOTP plugin

Packaged Git sha1

426d5658c76995cb8474de6ee7fe7aaf236b7853

Release files

6593e07efa18dd8507faebdc1867129c

Release file SHA-1 hash

10e3c0d6c8741a7582f5a078b57686acdc1306e0

Release file SHA-256 hash

bb0166fa364d36f4a03ef76a7562f1472c95f5826b4515b28617400e3582f15b

0fe2f7b7647d813e50821a4d3b74e9fa

Release file SHA-1 hash

3b660e25b694fd97d7be777b07ab92b1fd7252f4

Release file SHA-256 hash

b28cbeb891f2861a2edef339a22032ad62085efc8818b59268145f0de2a3cce8