LSE Leading Security Experts GmbH recommend the application of the hotfix described below in oder to ensure secure operation with LinOTP. It is only necessary to carry out these steps on those installations which do not use automatic update mechanisms (see below under "LSE LinOTP Smart Virtual Appliance"). Users of automatic update mechansims are not affected, as LinOTP will already have been updated.
The hotfix closes a critical issue and prevents potential misuse.
This issue can potentially allow an unauthorised user to submit input containing unwanted characters, that is written to LinOTP's logs and database. At a later date under certian conditions, it is possible that these could be executed under admin context. It is possible that malicious code could be exected as a result. This is due to unescaped output being passed to a widget used by LinOTP.
A security advisory has been released for our product LinOTP containing further details. We would especially like to thank Tomas Rzepka for his valued input and assistance.
As far as we are aware, there have not been any cases of this issue being exploited.
We have provided the hotfix to our customer in various formats and versions. The fixed packages do not contain any changes apart from the hotfix itself. We recommend applying this update as soon as possible.
Please use the instructions provided below to install the hotfix.
In future versions of LinOTP (2.8 and above), we will make changes to reduce the potential risk of similar issues through use of the API.
Hotfix installation
The following updated LinOTP versions are available:
- 2.6.1.1 --> 2.6.1.2
- 2.7.0.2 --> 2.7.0.3
- 2.7.1.2 --> 2.7.1.3
- 2.7.2.1 --> 2.7.2.2
Systems prior to LinOTP 2.6 or which do not use packages should refer to the installation instructions. In this case the fix should be applied by manually copying a fixed version of the file in question.
LSE LinOTP Smart Virtual Appliance
Customers who use the LinOTP SVA with automatic updates enabled will automatically obtain the new package when updates are applied according to their system configuration.
It is possible to start the update process from the command line by executing the command "appliance-update.sh".
Please note: appliance-update.sh will download and apply all pending operating system updates. If your system has not been updated for some time, this may result in a lengthy download and installation process.