[Security-news] TFA Basic plugins - Less critical - Insecure Randomness - SA-CONTRIB-2018-044
security-news at drupal.org
security-news at drupal.org
Wed Jun 27 18:25:41 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-044
Project: TFA Basic plugins [1]
Version: 7.x-1.0
Date: 2018-June-27
Security risk: *Less critical* 9∕25
AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Insecure Randomness
Description:
The TFA Basic module enables you to use Two Factor Authentication via a
variety of plugins including TOTP and one-time codes delivered via email or
sms.
The module doesn't use a strong source of randomness, creating weak and
predictable one-time login codes that are then delivered using SMS. This
weakness does not affect the more common TOTP second factor.
This vulnerability is mitigated by the fact that the site must be configured
to use SMS to deliver one-time login codes which is an uncommon
configuration.
Solution:
* If you use the TFA Basic module for Drupal 7.x, upgrade to TFA Basic
7.x-1.1 [3]
Also see the TFA Basic plugins [4] project page.
Reported By:
* Greg Knaddison [5] of the Drupal Security Team
Fixed By:
* Greg Knaddison [6] of the Drupal Security Team
* Ben Jeavons [7] of the Drupal Security Team
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/tfa_basic
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tfa_basic/releases/7.x-1.1
[4] https://www.drupal.org/project/tfa_basic
[5] https://www.drupal.org/user/36762
[6] https://www.drupal.org/user/36762
[7] https://www.drupal.org/user/91990
[8] https://www.drupal.org/u/greggles
More information about the Security-news
mailing list