Failcounter increments on every token without a PIN when the user= arg only has a <space> #1227

Closed
renini opened this Issue Sep 7, 2018 · 1 comment

renini commented Sep 7, 2018

The failcounter increments on every token without a PIN when the user= parameter just has a <space>.
In our case this resulted basically in a denial-of-service of our two-factor authentication system, as by default any fail counter over 10 will lock the token out.

What did you try to do?

Have tokens without PIN, for example in our setup we have HOTP, TOTP and VASCO tokens without PIN.
Then a request with a user=<space> will increment the failcounter for all these tokens.

For example with httpie:
http http://localhost:5000/validate/check "pass=" "user= "

Or with curl:
curl http://localhost:5000/validate/check --data "pass=&user= "

This will return: "wrong otp value" and increment all failcounters by 1.

What outcome did you expect?

Since the user=<space> parameter does not match any user in privacyidea with a token, I was expecting it to just deny/drop the request.

What outcome did you experience?

All token verifications were blocked because all failcounters were incremented to their current max of 10. And any valid check would output the following: "matching 1 tokens, Failcounter exceeded".

Configuration

Tested on privacyIDEA 2.22 and 2.23.1.
Debian stable, virtualenv.

Extra information

I'm suspecting something wrong in the logic of privacyidea/lib/token.py#L2205, so that this is matching all tokens without a PIN.

    elif pin_matching_token_list:
        # We did not find a valid token and no challenge.
        # But there are tokens, with a matching pin.
        # So we increase the failcounter. Return failure.
        for tokenobject in pin_matching_token_list:
            tokenobject.inc_failcount()
            reply_dict["message"] = "wrong otp value"
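The following is an added, self-contained model of the behaviour described in this report; it is example code written for this page, not privacyIDEA's own code. The Token class, the RFC 4226 HOTP helper, the PIN/OTP split (PIN first, last six characters are the OTP), the constructed token set and the assumption that a blank username resolves to an unfiltered token query (the report only points at the elif branch quoted above, not at how the blank user reaches it) are all assumptions of the example. `check_token_list` mirrors that elif branch: no token validated the OTP, but every PIN-less token "matches" the empty PIN, so each of them gets its failcounter incremented. `validate_check_hardened` adds the check a practitioner would want in front of the token matching: refuse a request whose user= parameter is empty or whitespace before any fail counter can be touched.

```python
"""Illustrative model of issue #1227 (example code, not privacyIDEA's)."""
import hashlib
import hmac
import struct

MAX_FAILCOUNT = 10   # default lock-out threshold mentioned in the report
OTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP value for one counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """Minimal HOTP token with an optional PIN and a fail counter (assumed model)."""

    def __init__(self, serial: str, owner: str, secret: bytes, pin: str = ""):
        self.serial, self.owner, self.secret, self.pin = serial, owner, secret, pin
        self.counter = 0
        self.failcount = 0

    def check_pin(self, pin: str) -> bool:
        # A token without a PIN has pin == "", so it matches an empty PIN.
        return hmac.compare_digest(self.pin.encode(), pin.encode())

    def check_otp(self, otp: str, window: int = 10) -> bool:
        # Accept the next `window` counter values; advance the counter on success.
        for c in range(self.counter, self.counter + window):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1
                return True
        return False

    def inc_failcount(self) -> None:
        self.failcount += 1


def split_pin_pass(passw: str):
    """Assumed default split: everything before the last OTP_DIGITS chars is the PIN."""
    return passw[:-OTP_DIGITS], passw[-OTP_DIGITS:]


def check_token_list(tokens, passw: str):
    """Mirrors the branch quoted in the report: no valid OTP, but PIN-matching tokens."""
    pin, otp = split_pin_pass(passw)
    pin_matching = [t for t in tokens if t.check_pin(pin)]
    valid = [t for t in pin_matching if t.check_otp(otp)]
    if valid:
        if any(t.failcount >= MAX_FAILCOUNT for t in valid):
            return False, "matching %d tokens, Failcounter exceeded" % len(valid)
        for t in valid:
            t.failcount = 0
        return True, "matching %d tokens" % len(valid)
    if pin_matching:
        # This is the elif branch from token.py: every PIN-matching token is penalised.
        for t in pin_matching:
            t.inc_failcount()
        return False, "wrong otp value"
    return False, "wrong otp pin"


def get_tokens(tokens, user: str):
    """Assumed mechanism: an empty user acts as 'no filter' and returns every token."""
    if not user:
        return list(tokens)
    return [t for t in tokens if t.owner == user]


def validate_check_vulnerable(tokens, user: str, passw: str):
    """user=<space> strips to '' and so reaches check_token_list with all tokens."""
    return check_token_list(get_tokens(tokens, user.strip()), passw)


def validate_check_hardened(tokens, user: str, passw: str):
    """Refuse blank usernames before any token (and any fail counter) is touched."""
    if not user.strip():
        return False, "missing user"
    return check_token_list(get_tokens(tokens, user.strip()), passw)


def run_scenario(validate):
    """Constructed fixture: two PIN-less tokens and one token with a PIN."""
    secret = b"12345678901234567890"          # RFC 4226 test-vector seed
    tokens = [
        Token("HOTP0001", "alice", secret),
        Token("HOTP0002", "bob", b"bob-secret-bob-secret"),
        Token("HOTP0003", "carol", b"carol-secret-carol-s", pin="1234"),
    ]
    for _ in range(MAX_FAILCOUNT):
        validate(tokens, " ", "")            # the request from the report: pass=&user=<space>
    ok, msg = validate(tokens, "alice", hotp(secret, 0))   # a genuinely valid OTP
    return {t.serial: t.failcount for t in tokens}, ok, msg


if __name__ == "__main__":
    for name, fn in (("vulnerable", validate_check_vulnerable), ("hardened", validate_check_hardened)):
        print(name, run_scenario(fn))
```

Running the block shows both outcomes: with the vulnerable flow, ten blank requests drive the fail counters of both PIN-less tokens to 10 while carol's PIN-protected token is untouched, and alice's correct OTP is then refused with "matching 1 tokens, Failcounter exceeded"; with the blank-user check in place no counter moves and the same OTP is accepted.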

@renini renini changed the title Failcounter increments on every token without a PIN when the user= parameter just has a <space> Failcounter increments on every token without a PIN when the user= arg only has a <space> Sep 7, 2018


cornelinux commented Sep 7, 2018

Thanks for pointing out. We send you a patch.

@cornelinux cornelinux closed this Sep 7, 2018

cornelinux added a commit that referenced this issue Sep 7, 2018
