all InfoSec news
Control iD iDSecure passwordCustom Authentication Bypass
Nov. 27, 2023, 4:16 p.m. | Jimi Sebree
Tenable Research Advisories www.tenable.com
An authentication bypass vulnerability exists in Control iD iDSecure v4.7.32.0. The login routine used by iDS-Core.dll contains a "passwordCustom" option that allows an unauthenticated attacker to compute valid credentials that can be used to bypass authentication and act as an administrative user.
iDS-Core.dll!ControliD.iDSecure.Tools.ServerJWT.Login() allows login via "passwordCustom":
public LoginResult Login(LoginRequest client)
{
[...]
if (client.passwordCustom == null)
{
[...]
}
else
{
if (!(client.passwordCustom == Operators.DesbloqueioGerenciador(ServerJWT.Serial, client.passwordRandom)))
{
throw new DALException(Localization.Translate("InvalidPassword"));
}
operators = …
act attacker authentication authentication bypass bypass bypass vulnerability compute control credentials dll ids idsecure login public tools unauthenticated valid vulnerability
More from www.tenable.com / Tenable Research Advisories
Fluent Bit Memory Corruption Vulnerability
2 weeks, 1 day ago |
www.tenable.com
Cross-Site Scripting in WordPress RSS Aggregator Plugin
2 weeks, 4 days ago |
www.tenable.com
Solidus Stored Cross-Site Scripting
2 weeks, 4 days ago |
www.tenable.com
Delta Electronics DIAEnergie CEBC.exe Multiple Vulnerabilities
3 weeks, 5 days ago |
www.tenable.com
Approach.App Multiple Vulnerabilities
1 month, 1 week ago |
www.tenable.com
Path Traversal Affecting Multiple CData Products
1 month, 3 weeks ago |
www.tenable.com
Jobs in InfoSec / Cybersecurity
CyberSOC Technical Lead
@ Integrity360 | Sandyford, Dublin, Ireland
Cyber Security Strategy Consultant
@ Capco | New York City
Cyber Security Senior Consultant
@ Capco | Chicago, IL
Sr. Product Manager
@ MixMode | Remote, US
Corporate Intern - Information Security (Year Round)
@ Associated Bank | US WI Remote
Senior Offensive Security Engineer
@ CoStar Group | US-DC Washington, DC