|
| 1 | +--- |
| 2 | +layout: advisory |
| 3 | +title: 'CVE-2024-8796 (devise-two-factor): Devise-Two-Factor Authentication Uses Insufficient |
| 4 | + Default OTP Shared Secret Length' |
| 5 | +comments: false |
| 6 | +categories: |
| 7 | +- devise-two-factor |
| 8 | +advisory: |
| 9 | + gem: devise-two-factor |
| 10 | + cve: 2024-8796 |
| 11 | + ghsa: qjxf-mc72-wjr2 |
| 12 | + url: https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2 |
| 13 | + title: Devise-Two-Factor Authentication Uses Insufficient Default OTP Shared Secret |
| 14 | + Length |
| 15 | + date: 2024-09-17 |
| 16 | + description: | |
| 17 | + ### Summary |
| 18 | + Under the default configuration, Devise-Two-Factor version |
| 19 | + >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits |
| 20 | + instead of the 128-bit minimum defined by |
| 21 | + [RFC 4226](https://datatracker.ietf.org/doc/html/rfc4226). |
| 22 | + Using a shared secret shorter than the minimum to generate a |
| 23 | + multi-factor authentication code could make it easier for an |
| 24 | + attacker to guess the shared secret and generate valid TOTP codes. |
| 25 | +
|
| 26 | + ### Remediation |
| 27 | + Devise-Two-Factor should be upgraded to version v6.0.0 as soon |
| 28 | + as possible. After upgrading, the length of shared secrets and |
| 29 | + TOTP URLs generated by the library will increase since the new |
| 30 | + shared secrets will be longer. |
| 31 | +
|
| 32 | + If upgrading is not possible, you can override the default |
| 33 | + `otp_secret_length` attribute in the model when configuring |
| 34 | + `two_factor_authenticable` and set it to a value of at least |
| 35 | + 26 to ensure newly generated shared secrets are at least |
| 36 | + 128-bits long. |
| 37 | +
|
| 38 | + After upgrading or implementing the workaround, applications |
| 39 | + using Devise-Two-Factor may wish to migrate users to the new |
| 40 | + OTP length to provide increased protection for those accounts. |
| 41 | + Turning off OTP for users by setting `otp_required_for_login` |
| 42 | + to false is not recommended since it would leave accounts |
| 43 | + unprotected. However, you may wish to implement application |
| 44 | + logic that checks the length of a user's shared secret and |
| 45 | + prompts users to re-enroll in OTP. |
| 46 | +
|
| 47 | + ### Background |
| 48 | + Devise-Two-Factor uses [ROTP](https://github.com/mdp/rotp) to |
| 49 | + generate shared secrets for TOTP. In ROTP < 5.0.0, the first |
| 50 | + argument to the "ROTP::Base32#random_base32" function represented |
| 51 | + the number of bytes to read from SecureRandom which were then |
| 52 | + returned as a base32-encoded string. In ROTP 5.1.0, this function |
| 53 | + was changed so that the first argument now represents the length |
| 54 | + of the base32-encoded string returned by the function instead |
| 55 | + of the number of bytes to read from SecureRandom resulting in |
| 56 | + a shorter key being generated for the same input value. |
| 57 | + (https://github.com/mdp/rotp/commit/c6c24ab894e7c2b1579d45ac82c41454d1e98227). |
| 58 | + cvss_v3: 5.3 |
| 59 | + cvss_v4: 6.0 |
| 60 | + unaffected_versions: |
| 61 | + - "< 2.2.0" |
| 62 | + patched_versions: |
| 63 | + - ">= 6.0.0" |
| 64 | + related: |
| 65 | + url: |
| 66 | + - https://nvd.nist.gov/vuln/detail/CVE-2024-8796 |
| 67 | + - https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2 |
| 68 | + - https://github.com/devise-two-factor/devise-two-factor/commit/cc6f34423d9c6af9f3e02be478c3c40dc7462e19 |
| 69 | + - https://github.com/advisories/GHSA-qjxf-mc72-wjr2 |
| 70 | +--- |
0 commit comments