2024-09-18 - Secure Login security advisory - PIN reuse

Overview

App name

Secure Login (2FA)

Advisory Release Date

Sep 18, 2024

Severity

MEDIUM

Affected Versions

  • Secure Login (2FA) - Jira <= 3.1.4.5

  • Secure Login (2FA) - Confluence <= 3.1.4.5

  • Secure Login (2FA) - Bitbucket <= 3.1.4.5

Fixed Versions

to be announced

Summary of Vulnerability

This advisory discloses a medium-severity security vulnerability in the Secure Login product family. All versions of Secure Login are affected. A customer first reported the vulnerability to us. Shortly after, the independent security specialist Christian Flaßkamp informed us about the issue as well; we are grateful to both.

The vulnerability described below concerns the possibility of reusing valid 2FA PINs. We have no information that this vulnerability has been actively exploited.

In accordance with our vendor agreement, we informed Atlassian about the vulnerability in advance.

Vulnerability: Reuse of valid PINs

Secure Login does not invalidate TOTP verification codes after they have been used, so a code can be submitted again for as long as it remains within its validity window. The TOTP RFC explicitly forbids this behavior and notes the security risk it carries:

"Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP."
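To make the RFC requirement concrete, the following added example (not Secure Login's code, and not the vendor's fix) shows a minimal RFC 6238 TOTP verifier in two forms: one that accepts a valid code any number of times during its time step, which is the behavior the advisory describes, and one that records the last accepted time step per user and refuses any code at or below it. The secret and timestamps are the RFC 6238 test vectors; the per-user dictionary and lock are a stand-in for the shared store a real deployment would need.

```python
import hashlib
import hmac
import struct
import threading

TIME_STEP = 30   # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6
WINDOW = 1       # accept one step of clock drift on either side

# RFC 6238 / RFC 4226 test secret (ASCII "12345678901234567890")
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, at // step)


def _well_formed(code: str) -> bool:
    return isinstance(code, str) and len(code) == DIGITS and code.isdigit()


class ReplayableVerifier:
    """Mirrors the flaw described above: nothing is remembered between calls,
    so a correct code is accepted again and again while its time step is current."""

    def verify(self, secret: bytes, code: str, at: int) -> bool:
        if not _well_formed(code):
            return False
        t = at // TIME_STEP
        return any(
            hmac.compare_digest(hotp(secret, t + d), code)
            for d in range(-WINDOW, WINDOW + 1)
        )


class OneTimeVerifier:
    """Keeps the highest time step that was successfully used per user and rejects
    any candidate step at or below it, so each code is accepted at most once.
    The in-memory dict is an assumption for illustration; across several
    application nodes this marker must live in a store shared by all of them
    and be updated atomically, or each node would still accept the replay."""

    def __init__(self) -> None:
        self._last_step: dict[str, int] = {}
        self._lock = threading.Lock()

    def verify(self, user: str, secret: bytes, code: str, at: int) -> bool:
        if not _well_formed(code):
            return False
        t = at // TIME_STEP
        with self._lock:  # check-and-record must not interleave between requests
            last = self._last_step.get(user, -1)
            for d in range(-WINDOW, WINDOW + 1):
                step = t + d
                if step <= last:
                    continue  # this step (or an older one) has already been consumed
                if hmac.compare_digest(hotp(secret, step), code):
                    self._last_step[user] = step
                    return True
            return False


if __name__ == "__main__":
    code = totp(TEST_SECRET, 59)          # RFC 6238 vector: "287082"
    weak, strict = ReplayableVerifier(), OneTimeVerifier()
    print("replayable, 2nd use:", weak.verify(TEST_SECRET, code, 59), weak.verify(TEST_SECRET, code, 59))
    print("one-time, 2nd use:  ", strict.verify("alice", TEST_SECRET, code, 59),
          strict.verify("alice", TEST_SECRET, code, 59))
```

Recording only the highest accepted step is deliberately stricter than the RFC's minimum: once a user has authenticated with the code for step N, the code for step N-1 is also refused even if it is still inside the drift window. That costs nothing in practice and avoids keeping a growing set of consumed codes. Any such marker only protects an installation if every node consults the same copy of it, which is the multi-instance difficulty the Fix section refers to.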

Our internal security consultant calculated that this vulnerability has an overall CVSS score of 5.3, which means it is of medium severity.

There are two possible attack vectors to exploit this vulnerability:

  • Firstly, the attacker can use an over-the-shoulder attack to obtain a valid PIN. If the attacker also possesses the login credentials, they can use both to log into the system during the time window in which the PIN is valid.

  • The second possibility is a man-in-the-middle (MITM) attack, in which the attacker reads and reuses the valid PIN. It should be noted, however, that an attacker with a successful MITM position has much easier ways to access the system, e.g., through session hijacking.

Fix

Our team is currently working on a fix for this issue. The challenge is to provide a solution that works reliably with multi-instance installations without negatively affecting performance. As soon as the fix is available, we will inform you in the patch notes and the corresponding marketplace notifications.

What you need to do

The issue can only be fully mitigated once the patch is provided. Using Secure Login with this issue is still more secure than running your instance without it. If you use a mobile device to log into your instance in public, privacy screen filters are recommended to lower the risk of an over-the-shoulder attack.

Support

If you have any questions or concerns regarding this advisory, please request support at our Service Desk.