
Failcounter increments on every token without a PIN when the user= arg only has a <space> #1227

Closed
renini opened this issue Sep 7, 2018 · 1 comment

renini (Contributor) commented Sep 7, 2018

The failcounter increments on every token without a PIN when the user= parameter just has a <space>.
In our case this resulted basically in a denial-of-service of our two factor authentication system, as by default any fail counter over 10 will lock the token out.

What did you try to do?

Have tokens without PIN, for example in our setup we have HOTP, TOTP and VASCO tokens without PIN.
Then a request with a user=<space> will increment the failcounter for all these tokens.

For example with httpie:
http http://localhost:5000/validate/check "pass=" "user= "

Or with curl:
curl http://localhost:5000/validate/check --data "pass=&user= "

This will return: "wrong otp value" and increment all failcounters by 1.

What outcome did you expect?

Since the user= parameter does not match any user in privacyidea with a token, I was expecting it to just deny/drop the request.

What outcome did you experience?

All token verifications were blocked because all failcounters were incremented to their current max of 10. Any valid check would then output the following: "matching 1 tokens, Failcounter exceeded".

Configuration

Tested on privacyIDEA 2.22 and 2.23.1.
Debian stable, virtualenv.

Extra information

I'm suspecting something wrong in the logic of privacyidea/lib/token.py#L2205, so that this is matching all tokens without a PIN.

    elif pin_matching_token_list:
        # We did not find a valid token and no challenge.
        # But there are tokens, with a matching pin.
        # So we increase the failcounter. Return failure.
        for tokenobject in pin_matching_token_list:
            tokenobject.inc_failcount()
            reply_dict["message"] = "wrong otp value"
renini changed the title from "Failcounter increments on every token without a PIN when the user= parameter just has a <space>" to "Failcounter increments on every token without a PIN when the user= arg only has a <space>" on Sep 7, 2018
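The failure mode in this report, modelled end to end as an added example. This is not privacyIDEA's code: the Token class, the PIN/OTP split, the user lookup and the validate_user switch are assumptions made so that the model reproduces what the report describes (a whitespace-only user resolving to "no user", every PIN-less token matching an empty PIN, and the shared increment loop quoted above). The validate_user=True path shows the check a defender wants in front of that loop: reject an empty or whitespace-only user before any token is looked up, so no failcounter moves.

```python
# Added example modelling the reported failure mode. NOT privacyIDEA's code;
# all structures below are assumptions made for the model.
from dataclasses import dataclass

MAX_FAIL = 10   # default lockout threshold named in the report
OTP_LEN = 6     # assumed OTP length used by the PIN/OTP split below


@dataclass
class Token:
    serial: str
    user: str          # owner login name
    pin: str           # "" means the token has no PIN
    otp: str           # OTP the token currently accepts (constructed value)
    failcount: int = 0

    def check_pin(self, pin):
        return pin == self.pin

    def check_otp(self, otp):
        return self.failcount < MAX_FAIL and otp == self.otp

    def inc_failcount(self):
        self.failcount += 1


def split_pin_pass(password):
    # Assumed split: PIN is everything before the final OTP_LEN characters,
    # so pass="" yields pin="" and otp="".
    return password[:-OTP_LEN], password[-OTP_LEN:]


def tokens_for_user(tokens, user):
    # Assumed lookup behaviour: the name is normalised and an empty name
    # selects every token, which is what reproduces the report.
    user = user.strip()
    if not user:
        return list(tokens)
    return [t for t in tokens if t.user == user]


def validate_check(tokens, user, password, validate_user):
    """Model of /validate/check. validate_user=False reproduces the bug;
    validate_user=True applies the guard this model proposes."""
    if validate_user:
        # Guard: a missing or whitespace-only user never reaches the
        # token loop, so no failcounter can be touched.
        if not user.strip():
            return {"result": False, "message": "no user given"}
    pin, otp = split_pin_pass(password)
    candidates = tokens_for_user(tokens, user)
    pin_matching = [t for t in candidates if t.check_pin(pin)]
    valid = [t for t in pin_matching if t.check_otp(otp)]
    if valid:
        return {"result": True, "message": "matching %d tokens" % len(valid)}
    # Correct OTP but the token is already locked: the symptom the report
    # saw after the flood.
    locked = [t for t in pin_matching if t.otp == otp and t.failcount >= MAX_FAIL]
    if locked:
        return {"result": False,
                "message": "matching %d tokens, Failcounter exceeded" % len(locked)}
    if pin_matching:
        # Same shape as the excerpt quoted in the report: every token whose
        # PIN matched is penalised, even though the user never matched.
        for t in pin_matching:
            t.inc_failcount()
        return {"result": False, "message": "wrong otp value"}
    return {"result": False, "message": "no token matched"}


def make_tokens():
    # Constructed sample: three PIN-less tokens as in the report, plus one
    # token that does have a PIN and is therefore not affected.
    return [
        Token("HOTP0001", "alice", "", "111111"),
        Token("TOTP0001", "bob", "", "222222"),
        Token("VASC0001", "carol", "", "333333"),
        Token("TOTP0002", "dave", "1234", "444444"),
    ]


def run_flood(tokens, n, validate_user):
    """Send n requests with pass="" and user=" "; return failcounts by serial."""
    for _ in range(n):
        validate_check(tokens, " ", "", validate_user)
    return {t.serial: t.failcount for t in tokens}


if __name__ == "__main__":
    vuln = make_tokens()
    print(run_flood(vuln, 10, validate_user=False))     # PIN-less tokens at 10
    print(validate_check(vuln, "alice", "111111", False))  # Failcounter exceeded
    fixed = make_tokens()
    print(run_flood(fixed, 10, validate_user=True))     # all still 0
    print(validate_check(fixed, "alice", "111111", True))  # matching 1 tokens
```

Ten requests with an empty pass and a single-space user are enough to lock every PIN-less token in the vulnerable path, while the token that has a PIN is untouched because the empty PIN does not match it; the guarded path returns before the lookup and leaves all counters at zero.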
cornelinux (Member) commented

Thanks for pointing this out. We'll send you a patch.

cornelinux added a commit that referenced this issue Sep 7, 2018