logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-0227 devise-two-factor

Package

Manager: gem
Name: devise-two-factor
Vulnerable Version: <0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: N/A

EPSS: N/A pctlN/A

Details

Devise-Two-Factor vulnerable to brute force attacks ### Advisory withdrawn The backing CVE has been rejected Devise-Two-Factor does not throttle or otherwise restrict login attempts at the server by default. When combined with the Time-based One Time Password algorithm's (TOTP) inherent entropy limitations, it's possible for an attacker to bypass the 2FA mechanism through brute-force attacks. ### Impact If a user's username and password have already been compromised an attacker would be able to try possible TOTP codes and see if they can hit a lucky collision to log in as that user. The user under attack would not necessarily know that their account has been compromised. ### Patches Devise-Two-Factor has not released any fixes for this vulnerability. This library is open-ended by design and cannot solve this for all applications natively. It's recommended that any application leveraging Devise-Two-Factor implement controls at the application level to mitigate this threat. A non-exhaustive list of possible mitigations can be found below. #### Mitigations 1. Use the `lockable` strategy from Devise to lock a user after a certain number of failed login attempts. See https://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Lockable for more information. 2. Configure a rate limit for your application, especially on the endpoints used to log in. One such library to accomplish this is [rack-attack](https://rubygems.org/gems/rack-attack). 3. When displaying authentication errors hide whether validating a username/password combination failed or a two-factor code failed behind a more generic error message. ### Acknowledgements Christian Reitter ([Radically Open Security](https://www.radicallyopensecurity.com/)) and Chris MacNaughton ([Centauri Solutions](https://centauri.solutions))

Metadata

Created: 2024-01-12T15:13:05Z
Modified: 2024-03-20T15:34:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-chcr-x7hc-8fp8/GHSA-chcr-x7hc-8fp8.json
CWE IDs: ["CWE-307"]
Alternative ID: GHSA-chcr-x7hc-8fp8
Finding: N/A
Auto approve: 0