A bug in the passOnNoUser policy allows authentication with an arbitrary password.
- Affected version: up to privacyIDEA 2.11.2
- Probability: Medium
- Security Severity: High
Technical Background
The passOnNoUser policy is supposed to check whether an authenticating user exists. If the user exists, normal authentication is performed. If the user does not exist in the user store, authentication is immediately successful. This is useful in special scenarios where the application has several levels of authentication and privacyIDEA is just the second level: users that do not exist in privacyIDEA only authenticate with the first level, and users that have an account in privacyIDEA also need to authenticate with the second level.
The Bug: If the policy passOnNoUser is set, it is not checked whether the user exists, i.e. even users that do exist are successfully authenticated without their OTP value or password being checked.
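A simplified model of the faulty check beside its intended form, added here as an illustration (this is not privacyIDEA's own code; the user store, the OTP check and the policy flag are all constructed):

```python
"""Model of a passOnNoUser check (added example, not privacyIDEA code).

The user store, token check and policy flag are constructed for illustration.
"""
from typing import Dict

# Constructed user store: user name -> expected OTP/PIN value
USERS: Dict[str, str] = {"alice": "123456"}


def user_exists(user: str) -> bool:
    """Lookup in the (constructed) user store."""
    return user in USERS


def check_otp(user: str, password: str) -> bool:
    """Normal second-factor check against the constructed store."""
    return USERS.get(user) == password


def authenticate_vulnerable(user: str, password: str, pass_on_no_user: bool) -> bool:
    """Models the described bug: the policy flag alone short-circuits
    authentication, without ever consulting the user store."""
    if pass_on_no_user:
        return True
    return check_otp(user, password)


def authenticate_fixed(user: str, password: str, pass_on_no_user: bool) -> bool:
    """Intended behaviour: an unknown user passes only when the policy is
    set; a known user always goes through the normal OTP check."""
    if pass_on_no_user and not user_exists(user):
        return True
    return check_otp(user, password)
```

The test cases that matter when reviewing such logic are the known user with a wrong password and the policy enabled (must fail) and the unknown user with the policy disabled (must fail).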
Advisory
You need to disable any policy containing the passOnNoUser action, or remove the passOnNoUser action from your policies, immediately.
Fix
You should update to version 2.11.3, which was released today.