all InfoSec news
Control iD iDSecure passwordCustom Authentication Bypass
Nov. 27, 2023, 4:16 p.m. | Jimi Sebree
Tenable Research Advisories www.tenable.com
An authentication bypass vulnerability exists in Control iD iDSecure v4.7.32.0. The login routine used by iDS-Core.dll contains a "passwordCustom" option that allows an unauthenticated attacker to compute valid credentials that can be used to bypass authentication and act as an administrative user.
iDS-Core.dll!ControliD.iDSecure.Tools.ServerJWT.Login() allows login via "passwordCustom":
public LoginResult Login(LoginRequest client)
{
[...]
if (client.passwordCustom == null)
{
[...]
}
else
{
if (!(client.passwordCustom == Operators.DesbloqueioGerenciador(ServerJWT.Serial, client.passwordRandom)))
{
throw new DALException(Localization.Translate("InvalidPassword"));
}
operators = …
act attacker authentication authentication bypass bypass bypass vulnerability compute control credentials dll ids idsecure login public tools unauthenticated valid vulnerability
More from www.tenable.com / Tenable Research Advisories
Approach.App Multiple Vulnerabilities
1 week, 6 days ago |
www.tenable.com
Path Traversal Affecting Multiple CData Products
3 weeks, 6 days ago |
www.tenable.com
Arcserve Unified Data Protection 9.2 Multiple Vulnerabilities
1 month, 2 weeks ago |
www.tenable.com
Jobs in InfoSec / Cybersecurity
Social Engineer For Reverse Engineering Exploit Study
@ Independent study | Remote
Data Privacy Manager m/f/d)
@ Coloplast | Hamburg, HH, DE
Cybersecurity Sr. Manager
@ Eastman | Kingsport, TN, US, 37660
KDN IAM Associate Consultant
@ KPMG India | Hyderabad, Telangana, India
Learning Experience Designer in Cybersecurity (f/m/div.) (Salary: ~113.000 EUR p.a.*)
@ Bosch Group | Stuttgart, Germany
Senior Security Engineer - SIEM
@ Samsara | Remote - US