[CVEID]: CVE-2019-12887
[PRODUCT]: KeyIdentity LinOTP
[VERSION]: all versions before 2.10.5.3
[PROBLEMTYPE]: CWE-305
[REFERENCES]: https://linotp.org/linotp-hotfix-autoresync.html https://linotp.org/CVE-2019-12887.txt
[DESCRIPTION]:
# CVE-2019-12887 - Replay vulnerability in LinOTP with auto resynchronization enabled for TOTP tokens

## Severity

KeyIdentity rates the severity level of this vulnerability as **critical** (scale: critical, high, moderate, low).

## Risk Assessment

We have reproduced and fixed a possible replay attack with activated automatic resynchronization. This vulnerability may allow an attacker to successfully log in with OTP values recorded at a previous point in time.

This attack is only possible if automatic resynchronization is enabled for the TOTP token type. Automatic resynchronization is deactivated by default. All other token types are unaffected.

## Vulnerability

This vulnerability exists in all versions of LinOTP up to and including 2.10.5.2. It only affects TOTP tokens with activated automatic resynchronization. Automatic resynchronization is deactivated by default.

## Risk Mitigation

To address this issue we recommend updating LinOTP to 2.10.5.3.

If you cannot upgrade immediately, you can deactivate the automatic resynchronization (Auto Resync) for TOTP tokens to disable the vulnerable code path.

## Fix

LinOTP 2.10.5.3 fixes this security flaw. You can download packages for the fixed version at:

#### Debian 8 jessie

LinOTP version 2.10.5.3: https://www.linotp.org/apt/debian/dists/jessie/linotp/all/linotp_2.10.5.3-1_all.deb

#### Debian 9 stretch

LinOTP version 2.10.5.3: https://www.linotp.org/apt/debian/dists/stretch/linotp/all/linotp_2.10.5.3-1_all.deb

SVA customers can use the integrated update mechanisms to update to the newest version of LinOTP.

The patch is also available via GitHub: [https://github.com/LinOTP/LinOTP/commit/6d28d93af59d2ce0d844a6a3282148064efc6ad8](https://github.com/LinOTP/LinOTP/commit/6d28d93af59d2ce0d844a6a3282148064efc6ad8)

## Acknowledgment

This issue was diagnosed and reported by Sébastien Foutrel. We thank Mr. Foutrel for his valuable input.
[ASSIGNINGCNA]: MITRE
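The Risk Assessment section above describes the failure class but not the mechanism. The following is an added illustrative model, not LinOTP's code and not a reproduction of the fixed commit: a TOTP verifier with an auto-resync path that, on two consecutive OTPs, searches a much wider time window than normal. Without a monotonic-counter check, that wide search also accepts OTPs the attacker recorded an hour earlier; with the check (`replay_safe=True`), any counter at or below the last accepted one is refused while a genuinely drifted token still resyncs. The class, parameter and function names, the resync rule (accept when the OTP immediately follows the previously failed one) and the sample secret are all assumptions made for this example.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret-do-not-use"  # constructed sample key, not a real one
STEP = 30   # TOTP time step in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp_counter(t: int, step: int = STEP) -> int:
    """Map a Unix time to the TOTP counter (RFC 6238)."""
    return t // step


class TotpVerifier:
    """Hypothetical TOTP server model (not LinOTP's implementation).

    window:        normal tolerance in time steps around 'now'
    resync_window: much larger tolerance used by the auto-resync path
    replay_safe:   when True, every accepted counter must exceed the last
                   accepted one; this is the generic replay defence
    """

    def __init__(self, secret, window=1, resync_window=None, replay_safe=False):
        self.secret = secret
        self.window = window
        self.resync_window = resync_window
        self.replay_safe = replay_safe
        self.last_counter = -1   # counter of the last accepted OTP
        self.pending = None      # counter of the previous failed OTP, kept for resync

    def _match(self, otp, center, radius):
        """Return the counter in [center - radius, center + radius] whose OTP matches, if any."""
        for c in range(center - radius, center + radius + 1):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                return c
        return None

    def _accept(self, c):
        if self.replay_safe and c <= self.last_counter:
            return False          # already used, or older than something already used
        self.last_counter = c
        self.pending = None
        return True

    def verify(self, otp: str, now: int) -> bool:
        center = totp_counter(now)
        c = self._match(otp, center, self.window)
        if c is not None:
            return self._accept(c)
        if self.resync_window is None:
            return False
        # Auto-resync: search the wide window and accept only if this OTP
        # immediately follows the previously failed one.
        c = self._match(otp, center, self.resync_window)
        if c is None:
            self.pending = None
            return False
        if self.pending is not None and c == self.pending + 1:
            return self._accept(c)
        self.pending = c
        return False


def replay_attack(replay_safe: bool) -> bool:
    """Attacker records two consecutive OTPs at t0 and replays them an hour later."""
    v = TotpVerifier(SECRET, window=1, resync_window=200, replay_safe=replay_safe)
    t0 = 1_700_000_000
    recorded = [hotp(SECRET, totp_counter(t0) + k) for k in range(2)]
    assert v.verify(recorded[0], t0)                                   # victim logs in at t0
    assert v.verify(hotp(SECRET, totp_counter(t0 + 3600)), t0 + 3600)  # and again an hour later
    later = t0 + 3660                                                  # attacker replays the pair
    first = v.verify(recorded[0], later)   # outside the normal window, stored as pending
    second = v.verify(recorded[1], later)  # consecutive to pending: the resync path decides
    return first or second


def legitimate_resync(replay_safe: bool) -> bool:
    """A token that drifted 50 steps ahead resyncs with two consecutive OTPs in both modes."""
    v = TotpVerifier(SECRET, window=1, resync_window=200, replay_safe=replay_safe)
    t0 = 1_700_000_000
    drift = 50 * STEP
    first = v.verify(hotp(SECRET, totp_counter(t0 + drift)), t0)
    second = v.verify(hotp(SECRET, totp_counter(t0 + drift + STEP)), t0 + STEP)
    return (not first) and second


if __name__ == "__main__":
    print("replay accepted without counter check:", replay_attack(False))
    print("replay accepted with counter check:   ", replay_attack(True))
    print("drifted token resyncs (hardened):     ", legitimate_resync(True))
```

The point to check in any TOTP deployment with a wide resync window is the same as in the model: after a resync the server must never move its stored counter backwards, and no OTP whose counter is at or below the last accepted one may be honoured, regardless of which code path matched it. Disabling Auto Resync, as the mitigation section advises, removes the wide-window search entirely.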