Date

LinOTP hotfix and security advisory

KeyIdentity GmbH announces a critical vulnerability in LinOTP. CVE-2019-12887 was published for this vulnerability.

KeyIdentity GmbH recommends to apply the hotfix described below for a secure operation of LinOTP if the conditions apply.

The vulnerability is relevant if you are using TOTP (time based OATH HMAC) token and enabled the auto resynchronization feature. Automatic resynchronization is inactive by default after installation.

With activated resynchronization it is possible to successfully log in using an OTP value recorded earlier.

The hotfix prevents this attack vector.

If you cannot update or patch immediately and have automatic resynchronization activated with TOTP token, you should deactivate the automatic resynchronization until you can update. We provide a configuration guide.

We explicitly thank Sébastien Foutrel for his diagnostics and valuable report for this vulnerability.

Installation

We provide packages in different formats and versions. These packages do not contain changes beyond the hotfix for this issue.

KeyIdentity provides an installation guide with download links for all available packages.

Available Packages

2.10.5.2 updated to 2.10.5.3 (Debian Jessie, Debian Stretch, RPM)

2.9.3.4 updated to 2.9.3.5 (Debian Jessie)

2.8.1.7 updated to 2.8.1.8 (Debian Jessie)

All versions of LinOTP

If you are using an older version of LinOTP (<2.8) or cannot immediately install the packages provided, we also provide a patch file with a patch guide

KeyIdentity LinOTP Smart Virtual Appliance

Customers using the LinOTP SVA will receive the update when automatic updates are activated. We recommend until your scheduled automatic update to deactivate the automatic resynchronization if enabled, used with TOTP token and you can not apply the immediate updates described above. We offer a configuration guide.

If you have questions about applying the hotfix, we are happy to assist you:

E-Mail: support@keyidentity.com

Telefon: +49 6151 86086 115