OpenBao TOTP Secrets Engine Code Reuse Vulnerability
Vulnerability
A vulnerability in OpenBao's TOTP secrets engine, present in versions 0.1.0 through 2.3.1 and fixed in 2.3.2, allows a valid TOTP code to be accepted multiple times instead of exactly once. The cause is unanticipated normalization in the TOTP library OpenBao uses: the library strips whitespace from a submitted code before verifying it, while the engine's record of already-used codes does not, so a code padded with whitespace verifies successfully but is not recognized as a replay. TOTP code verification is a privileged action, and only trusted systems should be able to validate codes.
Impact
A code that has already been consumed can be replayed, with whitespace variations, for as long as it remains within its validity window. Any system that relies on the engine to enforce the one-time property of a code, for example as a second authentication factor or as an approval step, can therefore have that check bypassed by anyone who observed or intercepted a valid code.
Reproduction
To reproduce, generate a code for a key managed by the TOTP secrets engine (a read of `totp/code/<name>`) and submit it to the validation endpoint (a write to `totp/code/<name>` with the `code` parameter). The code is accepted, and a second submission of the identical string is rejected as already used. Now submit the same code with whitespace appended, for example a single trailing space. The TOTP library trims the whitespace before comparing, so the code still verifies, but the engine's used-code record was keyed on the raw submission and does not match the padded string, so the endpoint accepts the code again. Each distinct padding (trailing space, leading space, two spaces, and so on) yields another acceptance within the code's validity window.
Remediation
Upgrade to OpenBao version 2.3.2, where this vulnerability is fixed. Until the upgrade is complete, and as defence in depth afterwards, the trusted system that calls the validation endpoint should reject any submitted code that is not exactly the configured number of digits (no surrounding whitespace or other characters) rather than forwarding it as received. TOTP code verification is a privileged action; restrict the ability to call the validation endpoint to trusted systems, since an untrusted caller is precisely the party who would attempt a replay.
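The following Go program is an added illustration of both the reproduction and the remediation above; it is not OpenBao's code and does not use the library OpenBao depends on. It implements RFC 6238 with the standard library, models the library's whitespace-trimming verifier as an assumed `libraryValidate` function, and places a replay cache keyed on the raw submission (`validateVulnerable`) beside one that first rejects anything other than exactly six ASCII digits (`validateFixed`). The strict-input check is one reasonable fix for illustration, not necessarily the exact change shipped in 2.3.2. The key and timestamp are the RFC 6238 SHA-1 test vector, so the expected code is known.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"strings"
)

// totpCode computes an RFC 6238 code (HMAC-SHA1, 30 s step) for a Unix time.
// Stdlib-only stand-in for the TOTP library the engine uses.
func totpCode(secret []byte, unix int64, digits int) string {
	counter := uint64(unix / 30)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// libraryValidate models the "unanticipated normalization" the advisory
// describes (assumed behaviour): surrounding whitespace is trimmed before the
// comparison, so "081804 " verifies exactly like "081804".
func libraryValidate(secret []byte, code string, unix int64) bool {
	code = strings.TrimSpace(code)
	return hmac.Equal([]byte(code), []byte(totpCode(secret, unix, 6)))
}

// validator remembers accepted codes so each one is usable only once.
type validator struct {
	secret []byte
	used   map[string]bool
	now    func() int64 // injectable clock so the example is deterministic
}

func newValidator(secret []byte, now func() int64) *validator {
	return &validator{secret: secret, used: map[string]bool{}, now: now}
}

// validateVulnerable keys the replay cache on the raw submission. The library
// accepts both "081804" and "081804 ", but they are different cache keys, so
// the padded resubmission is treated as a fresh code.
func (v *validator) validateVulnerable(code string) bool {
	if v.used[code] {
		return false
	}
	if !libraryValidate(v.secret, code, v.now()) {
		return false
	}
	v.used[code] = true
	return true
}

// validateFixed refuses anything that is not exactly six ASCII digits before
// consulting the library, so every accepted string has a single canonical
// form and that form is what the replay cache records.
func (v *validator) validateFixed(code string) bool {
	if len(code) != 6 {
		return false
	}
	for i := 0; i < len(code); i++ {
		if code[i] < '0' || code[i] > '9' {
			return false
		}
	}
	if v.used[code] {
		return false
	}
	if !libraryValidate(v.secret, code, v.now()) {
		return false
	}
	v.used[code] = true
	return true
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 SHA-1 test-vector key
	fixedNow := func() int64 { return 1111111109 }
	code := totpCode(secret, fixedNow(), 6)

	vuln := newValidator(secret, fixedNow)
	fmt.Println("vulnerable, first use:   ", vuln.validateVulnerable(code))
	fmt.Println("vulnerable, exact replay:", vuln.validateVulnerable(code))
	fmt.Println("vulnerable, padded replay:", vuln.validateVulnerable(code+" "))

	fixed := newValidator(secret, fixedNow)
	fmt.Println("fixed, first use:        ", fixed.validateFixed(code))
	fmt.Println("fixed, padded replay:    ", fixed.validateFixed(code+" "))
}
```

Running it shows the vulnerable validator accepting the padded replay and the fixed one rejecting it. The same strict-digits check belongs in the trusted caller as an interim mitigation: an unpatched engine never sees a padded code if the caller refuses to forward one.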
