Project

General

Profile

Actions

Bug #12786

closed

MFA auth allows reveal of other admins PIN and INIT-SECRET

Added by Aaron Shaffer almost 3 years ago. Updated almost 3 years ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
FreeRADIUS
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
All
Affected Plus Version:
Affected Architecture:

Description

I have MFA working in pfSense with Google Authenticator but I just noticed what I consider to me a major security flaw: any admin can reveal any other admin's PIN and INIT-SECRET.

This allows for any admin to easily impersonate any other admin. This means that it is not possible to be 100% sure that activity undertaken by any given admin was actually done by that admin. This makes pfSense non-complaint with basic security requirements for NIST/CMMC and probably many other security frameworks with similar requirements to tie activity to a specific individual.

I suspect this was maybe just overlooked? A quick fix would be to simply make it impossible to reveal another admin's PIN or Init-Secret or both.

Thank you for your help!
Aaron

Actions

Also available in: Atom PDF