Executive Summary

Summary
Title: VASCO IDENTIKEY Authentication Server contains an authentication bypass vulnerability
Information
Name: VU#612076               First vendor publication: 2014-01-09
Vendor: VU-CERT               Last vendor modification: 2014-01-09
Severity (vendor): N/A        Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA                Environmental score: NA
Impact subscore: NA           Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CVSS base score: 3.5          Attack range: Network
CVSS impact score: 2.9        Attack complexity: Medium
CVSS exploit score: 6.8       Authentication: Requires single instance

Detail

Vulnerability Note VU#612076

VASCO IDENTIKEY Authentication Server contains an authentication bypass vulnerability

Original Release date: 09 Jan 2014 | Last revised: 09 Jan 2014

Overview

VASCO IDENTIKEY Authentication Server version 3.4.x contains an authentication bypass vulnerability which could allow an attacker to log in to a system without needing the user's Active Directory password credentials.

Description

CWE-305: Authentication Bypass by Primary Weakness

VASCO's IDENTIKEY Authentication Server (IAS) is a product which provides two-factor authentication capability. VASCO IDENTIKEY Authentication Server version 3.4.x contains an authentication bypass vulnerability which could allow an attacker to log in to a system without needing the user's Active Directory password credentials. The expected behavior of the product is to authenticate a user from a RADIUS client if and only if that user enters a concatenation of his or her Microsoft Active Directory password and a one-time password generated by an assigned DIGIPASS security token. The observed behavior is that the user need only enter the one-time password generated by the security token; the product successfully authenticates the user when no Active Directory password is provided. This reduces two-factor authentication to one-factor authentication (i.e. just the one-time password generated using the security token).
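To make the expected and observed behaviors concrete, the following is an added illustrative model of the credential check, not VASCO's code and not the product's actual logic: `verify_weak` reproduces the observed behavior in which the token code alone is accepted, while `verify_strict` fails closed unless both the Active Directory password and the DIGIPASS one-time password are present and correct. The fixed 6-digit OTP length and the sample credentials are constructed assumptions.

```python
import hmac

# Constructed sample data for the demonstration (not real credentials).
# Assumption: the DIGIPASS one-time password is a fixed-length 6-digit code
# appended to the Active Directory password, as the note describes.
OTP_LENGTH = 6
SAMPLE_AD_PASSWORD = "Winter2013!"
SAMPLE_OTP = "482913"


def _equal(a, b):
    """Constant-time string comparison so a mismatch leaks no prefix info."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def split_concatenated(submitted, otp_length=OTP_LENGTH):
    """Split 'ADpassword' + 'OTP' into (password, otp).

    Returns (None, None) when the input is too short to contain an OTP.
    """
    if len(submitted) < otp_length:
        return None, None
    return submitted[:-otp_length], submitted[-otp_length:]


def verify_weak(submitted, ad_password, current_otp):
    """Model of the observed behavior: the static-password check is
    skipped when the submitted string carries no password at all, so the
    one-time password by itself authenticates the user (one factor)."""
    password, otp = split_concatenated(submitted)
    if otp is None or not _equal(otp, current_otp):
        return False
    if password == "":          # nothing to check against AD -> accepted
        return True
    return _equal(password, ad_password)


def verify_strict(submitted, ad_password, current_otp):
    """Expected behavior: both factors must be present and correct.
    An empty or missing Active Directory password fails closed."""
    password, otp = split_concatenated(submitted)
    if otp is None or not password:
        return False
    # Evaluate both factors before deciding so neither check is skipped.
    otp_ok = _equal(otp, current_otp)
    password_ok = _equal(password, ad_password)
    return otp_ok and password_ok
```

A regression test for the fixed version is simply that a submission consisting of the OTP alone is rejected, which is the case `verify_weak` gets wrong.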

Impact

An attacker with access to a user's authentication token or current code could log in to a system without needing the user's Active Directory password credentials.

Solution

Update

VASCO has released an updated version, IDENTIKEY Authentication Server 3.5, to address this vulnerability. VASCO is advising affected users to download the updated version from the VASCO My Maintenance site.

Vendor Information

Vendor   Status     Date Notified   Date Updated
Vasco    Affected   06 Nov 2013     09 Dec 2013

CVSS Metrics

Group           Score   Vector
Base            3.5     AV:N/AC:M/Au:S/C:P/I:N/A:N
Temporal        2.7     E:POC/RL:OF/RC:C
Environmental   4.1     CDP:LM/TD:M/CR:H/IR:ND/AR:ND

References

  • http://www.vasco.com/products/server_products/identikey/ik_auth/identikey-authentication-server.aspx
  • http://www.vasco.com/support/support/my_maintenance/default.aspx
  • http://cwe.mitre.org/data/definitions/305.html

Credit

Thanks to Michael Schoenbach and Luke Sullivan for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: Unknown
  • Date Public: 13 Dec 2013
  • Date First Published: 09 Jan 2014
  • Date Last Updated: 09 Jan 2014
  • Document Revision: 18

Original Source

Url : http://www.kb.cert.org/vuls/id/612076

CWE : Common Weakness Enumeration

%       Id        Name
100 %   CWE-287   Improper Authentication

CPE : Common Platform Enumeration

Type          Description   Count
Application                 1

Alert History

Date                   Information
2014-01-15 21:27:55    Multiple Updates
2014-01-13 21:24:37    Multiple Updates
2014-01-09 17:19:08    First insertion