The failcounter increments on every token without a PIN when the user= parameter just has a <space>.
In our case this resulted basically in a denial-of-service of our two factor authentication system, as by default any fail counter over 10 will lock the token out.
What did you try to do?
Have tokens without PIN, for example in our setup we have HOTP, TOTP and VASCO tokens without PIN.
Then a request with a user=<space> will increment the failcounter for all these tokens.
For example with httpie: http http://localhost:5000/validate/check "pass=" "user= "
Or with curl: curl http://localhost:5000/validate/check --data "pass=&user= "
This will return: "wrong otp value" and increment all failcounters by 1.
What outcome did you expect?
Since the user= parameter does not match any user in privacyidea with a token, I was expecting it to just deny/drop the request.
What outcome did you experience?
All token verifications were blocked because all failcounters were incremented to their current max of 10. And any valid check would output the following: "matching 1 tokens, Failcounter exceeded".
Configuration
Tested on privacyIDEA 2.22 and 2.23.1.
Debian stable, virtualenv.
Extra information
I'm suspecting something wrong in the logic of privacyidea/lib/token.py#L2205, so that this is matching all tokens without a PIN.
        elif pin_matching_token_list:
            # We did not find a valid token and no challenge.
            # But there are tokens, with a matching pin.
            # So we increase the failcounter. Return failure.
            for tokenobject in pin_matching_token_list:
                tokenobject.inc_failcount()
            reply_dict["message"] = "wrong otp value"
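To make the reported mechanism concrete, here is an added Python model (not privacyIDEA's code) of a PIN/OTP check: a blank user= plus an empty pass matches the empty PIN of every PIN-less token and raises all their failcounters until they lock at 10, while the hardened variant refuses a request whose user is blank before any token is selected. The token fleet, OTP values, owner lookup and the PIN/OTP split rule are constructed for the demonstration.

```python
from dataclasses import dataclass

MAX_FAIL = 10  # default lockout threshold named in the report

@dataclass
class Token:
    serial: str
    owner: str
    pin: str        # "" models a token enrolled without a PIN
    otp: str        # constructed sample OTP (a real token computes it)
    failcount: int = 0

    def locked(self):
        return self.failcount >= MAX_FAIL

def candidate_tokens(tokens, user_param):
    """Hypothetical lookup modelling the reported flaw: a blank user
    filters nothing, so every token in the store becomes a candidate."""
    name = user_param.strip()
    return [t for t in tokens if not name or t.owner == name]

def check_unpatched(tokens, user_param, password):
    """Models the reported behaviour. Constructed split rule: the last 6
    characters of pass are the OTP, the rest is the PIN. An empty pass gives
    pin == "", which matches every PIN-less token; the OTP check then fails
    and every matching token gets its failcounter raised."""
    pin, otp = password[:-6], password[-6:]
    pin_matching = [t for t in candidate_tokens(tokens, user_param) if t.pin == pin]
    for t in pin_matching:
        if t.otp == otp:
            if t.locked():
                return "matching 1 tokens, Failcounter exceeded"
            return "matching 1 tokens"
    for t in pin_matching:
        t.failcount += 1
    return "wrong otp value"

def check_hardened(tokens, user_param, password):
    """Same check, but a blank user is refused before any token is selected,
    so the bogus request touches no failcounter."""
    if not user_param.strip():
        return "user not found"
    return check_unpatched(tokens, user_param, password)

def sample_tokens():
    """Constructed fleet: two PIN-less tokens and one with a PIN."""
    return [Token("HOTP0001", "alice", "", "755224"),
            Token("TOTP0002", "bob", "", "287082"),
            Token("VASC0003", "carol", "1234", "359152")]
```

Ten blank requests against the unpatched check lock every PIN-less token, after which even the correct OTP for alice yields the "Failcounter exceeded" message from the report; the hardened check leaves all counters at zero.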
renini changed the title from "Failcounter increments on every token without a PIN when the user= parameter just has a <space>" to "Failcounter increments on every token without a PIN when the user= arg only has a <space>" on Sep 7, 2018