passOnNoUser – privacyID3A https://www.privacyidea.org flexible, Open Source Multi Factor Authentication (2FA) Wed, 04 May 2016 12:48:42 +0000 en-US hourly 1 https://wordpress.org/?v=6.9.4 https://www.privacyidea.org/wp-content/uploads/2016/06/cropped-only-logo-white-background-32x32.png passOnNoUser – privacyID3A https://www.privacyidea.org 32 32 Bug in passOnNoUser policy allows arbitrary authentication https://www.privacyidea.org/bug-passonnouser-policy-allows-arbitrary-authentication/ https://www.privacyidea.org/bug-passonnouser-policy-allows-arbitrary-authentication/#comments Wed, 04 May 2016 12:48:42 +0000 https://www.privacyidea.org/?p=923 A bug in the passOnNoUser policy allows authentication with an arbitrary password.

  • Affected version: up to privacyIDEA 2.11.2
  • Propability: Medium
  • Security Severity: High

Technical Background

The passOnNoUser policy is supposed to check if an authenticating user exists. If the user exists, normal authentication is performed. If the user does not exist in the user store authentication is immediately successful. This is useful in special scenarios, where the Application has several levels of authentication and privacyIDEA is just the second level. Users that do not exist in privacyIDEA will only authenticate with the first level and users, that have an account in privacyIDEA will need to authenticate with the second level.

The Bug: If the policy passOnNoUser is set, it is not checked, if the user exists. I.e. even users that do exist are successfully authenticated, without checking their OTP value or password.

Advisory

You need to disable a policy containing the passOnNoUser action or remove the passOnNoUser action from you policies immediately.

Fix

You should update to version 2.11.3 which is released today.

]]> https://www.privacyidea.org/bug-passonnouser-policy-allows-arbitrary-authentication/feed/ 1