A bug in the passOnNoUser policy allows authentication with an arbitrary password.
- Affected version: up to privacyIDEA 2.11.2
- Probability: Medium
- Security Severity: High
The passOnNoUser policy is supposed to check whether an authenticating user exists. If the user exists, normal authentication is performed. If the user does not exist in the user store, authentication is immediately successful. This is useful in special scenarios where the application has several levels of authentication and privacyIDEA is just the second level: users that do not exist in privacyIDEA authenticate only with the first level, and users that have an account in privacyIDEA also need to authenticate with the second level.
The Bug: If the policy passOnNoUser is set, whether the user exists is not checked at all, i.e. even users that do exist are authenticated successfully without their OTP value or password being checked.
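As an added illustration (not privacyIDEA's own code), a simplified Python model of the authentication decision: the buggy short-circuit described above next to the intended check, plus a helper that lists the policies an administrator would need to disable or edit. The user store, the policy shape and the credentials are constructed assumptions.

```python
# Added illustration, not privacyIDEA's own code: a simplified model of the
# authentication decision with and without the passOnNoUser bug.
# User store, policies and credentials are constructed sample data.

from dataclasses import dataclass, field

# Constructed user store: username -> correct OTP/password value.
USER_STORE = {"alice": "123456", "bob": "654321"}


@dataclass
class Policy:
    """Minimal stand-in for an authentication policy (hypothetical shape)."""
    name: str
    active: bool = True
    actions: set = field(default_factory=set)


def pass_on_no_user_enabled(policies):
    """True if any active policy carries the passOnNoUser action."""
    return any(p.active and "passOnNoUser" in p.actions for p in policies)


def authenticate_buggy(username, value, policies):
    """Behaviour described for versions up to 2.11.2: the policy
    short-circuits authentication without checking whether the user exists,
    so any value is accepted for any user."""
    if pass_on_no_user_enabled(policies):
        return True
    return USER_STORE.get(username) == value


def authenticate_fixed(username, value, policies):
    """Intended behaviour: only users absent from the store pass through;
    existing users must still present a valid OTP/password."""
    if username not in USER_STORE:
        return pass_on_no_user_enabled(policies)
    return USER_STORE[username] == value


def policies_needing_attention(policies):
    """Names of active policies carrying passOnNoUser, i.e. the ones the
    advisory says to disable or edit until the update is applied."""
    return [p.name for p in policies if p.active and "passOnNoUser" in p.actions]


# Constructed sample policy set: one active policy with the action enabled.
POLICIES = [Policy("second-level", actions={"passOnNoUser"})]
```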
You need to disable any policy containing the passOnNoUser action, or remove the passOnNoUser action from your policies, immediately.
You should update to version 2.11.3, which is released today.