Insufficient entropy in loginHash generation

Created on 25 February 2025, 2 months ago

Problem/Motivation

This module may have an insufficient entropy issue with hash generation.

The impact here is pretty minimal: at best it would allow a replay attack, and only within a 5 min window https://git.drupalcode.org/project/tfa/-/blob/2.x/src/Controller/TfaLogi...

Steps to reproduce

You can see this vulnerability by:
https://git.drupalcode.org/project/tfa/-/blob/2.x/src/TfaLoginTrait.php?...
Of the three items used for entropy, two are publicly available information (username, last login time) to anyone with the 'view user profiles' permission.

Proposed resolution

Also use the site's privatekey and hash salt?

Remaining tasks

User interface changes

None

API changes

None

Data model changes

Prior Work

This report was initially opened via the Drupal Security Team tracker by @larowlan on Wed, 2025-02-19 at 23:13 UTC.

https://security.drupal.org/node/182712 (Note: Only maintainers, the security team and reporters have access to this link, do not report access denied errors.)

Initial code review indicates that the 3rd entropy source would be known only if the user had access to the data as stored in the database.

Questions were raised regarding the User Login time accessibility, however no full audit was performed.

For threat evaluation it is being assumed all 3 conditions are available to an attacker (a copy of the Drupal database has been acquired).

Additionally, protection against any exploit is provided via data stored in the current session, requiring that an attacker would have to either present the first factor credentials through the login process (the hash is irrelevant as a new hash can be generated) or that an exploit path described in SA-CONTRIB-2024-043 be present in versions prior to 8.x-1.9.

An additional several days were taken to consider alternative fault paths in 8.x-1.x and 2.x branches prior to publication, none were apparent.

Cleared for public disclosure.
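The construction the proposed resolution points at, as an added illustration that is not the tfa module's code: the same three inputs, but bound to site-only secrets through a keyed HMAC so that public profile data plus a database copy no longer suffice to regenerate the hash. Function names and sample values are assumptions; in Drupal the two secrets are what Settings::getHashSalt() and the private_key service return.

```php
<?php
// Added example (not tfa module code). Names and values are assumptions.
declare(strict_types=1);

/**
 * Weak form: a plain digest over inputs an attacker may already hold
 * (username and last-login time are visible with 'view user profiles';
 * the third value is recoverable from a copy of the database).
 */
function weak_login_hash(string $name, int $lastLogin, string $userSecret): string {
  return hash('sha256', $name . $lastLogin . $userSecret);
}

/**
 * Hardened form: identical inputs, but the digest is an HMAC keyed with the
 * site's private key and hash salt, which live in settings/files rather than
 * in user data. Fields are joined with a NUL separator to avoid ambiguity.
 */
function hardened_login_hash(string $name, int $lastLogin, string $userSecret,
                             string $privateKey, string $hashSalt): string {
  $key  = hash('sha256', $privateKey . $hashSalt, true);
  $data = implode("\x00", [$name, (string) $lastLogin, $userSecret]);
  return hash_hmac('sha256', $data, $key);
}

/**
 * Verification: constant-time comparison plus the 5 minute validity window
 * the report mentions ($issuedAt is an assumed per-attempt timestamp).
 */
function login_hash_is_valid(string $presented, string $expected,
                             int $issuedAt, int $now): bool {
  return hash_equals($expected, $presented) && ($now - $issuedAt) <= 300;
}

// Constructed sample values, not real site secrets or user data.
$privateKey = 'example-private-key';
$hashSalt   = 'example-hash-salt';
$name       = 'alice';
$lastLogin  = 1740000000;
$userSecret = 'per-user-value-as-stored-in-db';

$weak   = weak_login_hash($name, $lastLogin, $userSecret);
$strong = hardened_login_hash($name, $lastLogin, $userSecret, $privateKey, $hashSalt);
// $weak can be rebuilt by anyone holding the three inputs; $strong additionally
// requires the site secrets, so a database copy alone is not enough.
var_dump(login_hash_is_valid($strong, $strong, $lastLogin, $lastLogin + 120));
var_dump(login_hash_is_valid($strong, $strong, $lastLogin, $lastLogin + 600));
```

The session binding described under Prior Work is a separate control and is not modelled here.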

πŸ› Bug report
Status

Active

Version

2.0

Component

Code

Created by

🇺🇸 United States cmlara
