Yubico has released a mitigation for an interesting pair of bugs in its YubiKey Validation Server, one of which could be used by an attacker to replay one-time passwords in some situations.

The vulnerabilities do not affect the YubiCloud hosted service or the hardware YubiKeys that are used for two-factor authentication. Rather, the bugs lie in the Validation Server, an open-source project that implements the Yubico API protocol and enables organizations to validate one-time passwords (OTP). The server can be used by enterprises or developers to build their own self-hosted OTP validation services.

The two weaknesses affect two of the four API endpoints that can be exposed by the YubiKey Validation Server, the verify and sync endpoints.

“By default, the verify endpoint is the only API exposed without an IP whitelist. YubiKey Validation Server does not have sufficient input validation implemented in the verify and sync APIs. Insufficient input validation could allow an attacker to perform SQL injection attacks. The level of impact of the SQL injection varies depending on the configuration of the YubiKey Validation Server instance,” Yubico said in its advisory.

“Verify performs basic validation on all fields prior to executing database queries but does not check length. An attacker could abuse this issue by submitting a large entry to be input into the database, which could cause a denial of service.”

In the other scenario, an attacker may be able to replay one-time passwords by adding an allowed IP address to the pool of addresses that the Validation Server will sync with.

“Sync does not perform consistent validation on received parameters prior to executing database queries. However, only sources that are defined in the YKVAL_ALLOWED_SYNC_POOL are allowed to call the sync API, which limits the exposure of this issue. The default configuration does not define any allowed sources for the sync API, meaning all attempts to call the sync API will be denied,” the advisory says.

“YubiKey Validation Server implementers may add IP addresses to the sync pool to enable syncing between multiple validation servers. An attacker with an allowed IP address could potentially use this vulnerability to replay an OTP.”
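The two findings quoted above come down to the same defensive pattern: bound every field's length before the regex and before the database, validate the sync parameters exactly as strictly as the verify parameters, and keep the sync API behind a default-deny source allowlist. The Python below is an added illustration written for this article, not code from the Validation Server project or from Yubico. The field names, the modhex alphabet used for the OTP, the length limits, the in-memory SQLite table and the treatment of YKVAL_ALLOWED_SYNC_POOL as a list of bare IP addresses are all assumptions made for the example; the sample requests are constructed, not captured traffic.

```python
"""Defensive handling for a self-hosted OTP validation API (added illustration).

Not the Validation Server's code. It models the two gaps the advisory names,
verify fields checked for shape but not length, and sync parameters not
consistently validated before database queries, plus the default-deny
sync-pool allowlist. Field names, alphabets, limits and the treatment of
YKVAL_ALLOWED_SYNC_POOL as bare IP addresses are assumptions.
"""
import ipaddress
import re
import sqlite3

# Per-field rule: (pattern, max length). A regex like [a-z]+ accepts input of
# any size; the explicit bound is what turns a huge value into a cheap reject
# instead of a large database write. Limits here are illustrative.
FIELD_RULES = {
    "id": (re.compile(r"[0-9]{1,16}"), 16),
    "otp": (re.compile(r"[cbdefghijklnrtuv]{32,48}"), 48),  # modhex alphabet
    "nonce": (re.compile(r"[A-Za-z0-9]{16,40}"), 40),
}


def validation_error(params):
    """Return None if params are acceptable, else a short reason string."""
    unknown = set(params) - set(FIELD_RULES)
    if unknown:
        return f"unexpected parameter(s): {sorted(unknown)}"
    for name, (pattern, max_len) in FIELD_RULES.items():
        value = params.get(name)
        if not isinstance(value, str):
            return f"missing parameter: {name}"
        # Length first: rejecting on size never touches the regex engine or DB.
        if len(value) > max_len:
            return f"{name} exceeds {max_len} characters"
        if not pattern.fullmatch(value):
            return f"{name} has invalid format"
    return None


def sync_allowed(remote_ip, allowed_pool=()):
    """Default-deny gate for the sync API: an empty pool rejects every caller,
    matching the advisory's description of the default configuration."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(addr == ipaddress.ip_address(p) for p in allowed_pool)


def open_store():
    """In-memory stand-in for the server's OTP table (constructed for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE otps (yk_id TEXT, otp TEXT, nonce TEXT)")
    return conn


def record_otp(conn, params):
    """Validate, then insert with bound parameters; returns the row count."""
    reason = validation_error(params)
    if reason:
        raise ValueError(reason)
    # Bound parameters keep values out of the SQL text, so the query shape is
    # fixed regardless of what the (already validated) strings contain.
    conn.execute(
        "INSERT INTO otps (yk_id, otp, nonce) VALUES (?, ?, ?)",
        (params["id"], params["otp"], params["nonce"]),
    )
    return conn.execute("SELECT COUNT(*) FROM otps").fetchone()[0]


def handle_sync(conn, remote_ip, allowed_pool, params):
    """Sync path: source allowlist first, then the same validation as verify."""
    if not sync_allowed(remote_ip, allowed_pool):
        return "denied: source not in sync pool"
    try:
        record_otp(conn, params)
    except ValueError as exc:
        return f"rejected: {exc}"
    return "accepted"


# Constructed sample requests, not captured traffic.
GOOD = {"id": "12345", "otp": "c" * 44, "nonce": "a" * 16}
OVERSIZE = dict(GOOD, nonce="a" * 5000)       # shape is fine, size is not
MALFORMED = dict(GOOD, id="1' OR '1'='1")     # quote characters in a numeric field


def demo():
    conn = open_store()
    pool = ["10.0.0.5"]                        # assumed allowlist entry
    return {
        "good": validation_error(GOOD),
        "oversize": validation_error(OVERSIZE),
        "malformed": validation_error(MALFORMED),
        "sync_default_pool": handle_sync(conn, "10.0.0.5", (), GOOD),
        "sync_other_source": handle_sync(conn, "10.0.0.9", pool, GOOD),
        "sync_allowed_source": handle_sync(conn, "10.0.0.5", pool, GOOD),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20} {outcome}")
```

Two points are worth noticing when reading the outcomes. The length check sits ahead of the pattern match, so the oversized nonce is refused without the regex engine or the database ever seeing it, which is the cheap reject that the advisory's verify endpoint lacks. And the sync path reuses the verify validator after the allowlist check rather than trusting an allowed peer, so a compromised or misconfigured sync source still cannot push a malformed record; the allowlist limits exposure, as the advisory says, but it is not the only control.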