View online: https://www.drupal.org/sa-contrib-2018-044
Project: TFA Basic plugins [1] Version: 7.x-1.0 Date: 2018-June-27 Security risk: *Less critical* 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Insecure Randomness
Description: The TFA Basic module enables you to use Two Factor Authentication via a variety of plugins including TOTP and one-time codes delivered via email or sms.
The module doesn't use a strong source of randomness, creating weak and predictable one-time login codes that are then delivered using SMS. This weakness does not affect the more common TOTP second factor.
This vulnerability is mitigated by the fact that the site must be configured to use SMS to deliver one-time login codes which is an uncommon configuration.
Solution: * If you use the TFA Basic module for Drupal 7.x, upgrade to TFA Basic 7.x-1.1 [3]
Also see the TFA Basic plugins [4] project page.
Reported By: * Greg Knaddison [5] of the Drupal Security Team
Fixed By: * Greg Knaddison [6] of the Drupal Security Team * Ben Jeavons [7] of the Drupal Security Team
Coordinated By: * Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/tfa_basic [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/tfa_basic/releases/7.x-1.1 [4] https://www.drupal.org/project/tfa_basic [5] https://www.drupal.org/user/36762 [6] https://www.drupal.org/user/36762 [7] https://www.drupal.org/user/91990 [8] https://www.drupal.org/u/greggles