CVE Request: TOTP Replay Attack in Ruby library "devise-two-factor"

[Justin Bull <me () justinbull ca>]

Hello again,

I’d like to request a CVE ID for the following:


== Affected Software: ==

Devise-Two-Factor Authentication (https://github.com/tinfoil/devise-two-factor)
By Tinfoil Security (https://www.tinfoilsecurity.com/)

Devise-two-factor is a minimalist extension to Devise which offers support for two-factor authentication, through the 
TOTP scheme.

This enables Ruby on Rails applications to have strong two-factor authentication in their auth/auth flow.

== Versions Affected: ==

All versions.

== Fixed Versions: ==

None.

== Description of Vulnerability: ==

The library’s use of TOTP for Two-Factor Authentication is not fully compliant with Section 5.2 of RFC 6238[1] and does 
not “burn” a successfully validated OTP.

When the prover (end user) sends a valid OTP to the verifier (web app), the verifier must not accept subsequent 
submissions of the same OTP in that given time-step. That is, in order to maintain the “One-Time” aspect of a One-Time 
Password, it can be used once and only once.

== Impact / Attack: ==

Given an attacker already knows a victim’s credentials, they could "shoulder surf" the victim’s second factor device, 
obtaining the OTP, and login with the known credentials & OTP within the current time-step (a default 30 second 
window). This defeats two-factor authentication for the duration of the time-step.

Alternatively, an attacker could Man-in-The-Middle the connection between the prover and verifier, and replay the OTP & 
credentials within the given time-step. This however is not as much as a concern since, if an attacker can MITM the 
connection, they can just obtain the granted session secret from the response instead.

Although a narrow vulnerability, it remains a valid security issue that’s been explicitly called out in the RFC[1].

== Solution: ==

Use the library’s implicit access to a persistence layer to store “burned” OTPs, preventing multiple uses of an OTP in 
a given time-step.

Proposed fix pending vendor acceptance and release[2].

== Previously Requested: ==

Not to my knowledge.

== Acknowledgements: ==

Thanks to Viliam Holub (https://github.com/vilda) for originally reporting the issue[3].
Thanks to Shane Wilton of Tinfoil Security (https://github.com/ShaneWilton) for validating my suggested solution.

== References:==

[1]: https://tools.ietf.org/html/rfc6238#section-5.2
[2]: https://github.com/tinfoil/devise-two-factor/pull/43
[3]: https://github.com/tinfoil/devise-two-factor/issues/30


Best Regards,

Justin Bull
PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail