OpenBao LDAP MFA Enforcement Bypass Vulnerability
Vulnerability
OpenBao's LDAP authentication method, in versions prior to 2.3.2, allows a bypass of MFA enforcement when the auth mount is configured with 'username_as_alias=true'. In that mode the entity alias name is taken from the username exactly as the client submitted it, and leading or trailing spaces are not trimmed. A login as ' alice' therefore creates or matches a different entity alias than 'alice', so an MFA enforcement tied to the 'alice' alias does not apply to the padded login. The LDAP bind itself can still succeed, because most LDAP directories treat leading and trailing whitespace as insignificant when matching attribute values. An attacker who holds valid LDAP credentials can use this aliasing inconsistency to skip an MFA requirement that is scoped to a specific entity alias.
Impact
A user subject to an alias-scoped MFA enforcement can authenticate with LDAP credentials alone, without completing the MFA step, by padding the username with whitespace. The MFA requirement therefore no longer protects accounts whose LDAP password has been phished or otherwise compromised.
Reproduction
Configure the LDAP auth method with 'username_as_alias=true' and attach an MFA enforcement to the entity alias of a test user (for example 'alice'). Log in as 'alice' and confirm that MFA is required. Then log in with the same credentials but a username carrying a leading or trailing space (' alice' or 'alice '): the login succeeds and no MFA challenge is issued, because the padded username maps to a different entity alias than the one the enforcement targets.
Remediation
Update to OpenBao version 2.3.2 or later. If an immediate update is not possible, remove the 'username_as_alias=true' setting from the LDAP auth method configuration (reverting to the default of false), then review and update any entity aliases and MFA enforcements that were created under the old setting, since the alias names users map to will change. It is also worth auditing existing entity aliases for names with leading or trailing whitespace, as these can indicate earlier bypass attempts.
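The following is an added example, not OpenBao's code, illustrating the mechanism described above and the checks a defender would run. It models how an LDAP username becomes an entity alias name (assumed here to be the user's DN when username_as_alias is false, and the submitted username when it is true), shows why an alias-scoped MFA enforcement misses a whitespace-padded login and how trimming fixes it, and scans constructed audit-log lines for LDAP login requests with padded usernames. The audit-log JSON shape (a "request" entry whose request.path is auth/<mount>/login/<username>) and the `bao read -format=json auth/ldap/config` output shape are assumptions modelled on Vault-style audit logs; all sample data is constructed.

```python
"""Added example (not OpenBao's code): alias derivation, MFA enforcement miss,
and an audit-log scan for whitespace-padded LDAP logins. All sample data is
constructed for the example."""
import json
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed test user; the DN is what the alias would be with username_as_alias=false (assumption).
ALICE_DN = "cn=alice,ou=users,dc=example,dc=com"


def alias_name(username: str, username_as_alias: bool, normalize: bool, dn: str = ALICE_DN) -> str:
    """Return the entity alias name an LDAP login would produce.

    username_as_alias=False: alias is the user's LDAP DN (default, unaffected).
    username_as_alias=True:  alias is the username as submitted. The vulnerable
    behaviour (normalize=False) keeps leading/trailing spaces; the fixed
    behaviour (normalize=True) strips them before the alias is looked up.
    """
    if not username_as_alias:
        return dn
    return username.strip() if normalize else username


@dataclass
class MfaEnforcement:
    """A login MFA enforcement scoped to specific entity alias names (constructed model)."""
    alias_names: frozenset

    def applies_to(self, alias: str) -> bool:
        return alias in self.alias_names


def login_requires_mfa(username: str, enforcement: MfaEnforcement,
                       username_as_alias: bool, normalize: bool) -> bool:
    """True if the enforcement would fire for a login with this username."""
    return enforcement.applies_to(alias_name(username, username_as_alias, normalize))


# Matches the login path as it appears in audit entries (assumed shape).
LOGIN_PATH = re.compile(r"^auth/(?P<mount>[^/]+)/login/(?P<user>.*)$")


def find_padded_logins(audit_lines, ldap_mounts=("ldap",)):
    """Return (mount, username) for LDAP login requests whose username carries
    leading or trailing whitespace. Percent-encoded paths are decoded first."""
    hits = []
    for line in audit_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # not an audit entry; skip
        if entry.get("type") != "request":
            continue  # one hit per request, ignore the response entry
        path = unquote(entry.get("request", {}).get("path", ""))
        m = LOGIN_PATH.match(path)
        if not m or m.group("mount") not in ldap_mounts:
            continue
        user = m.group("user")
        if user != user.strip():
            hits.append((m.group("mount"), user))
    return hits


def config_is_exposed(config_json: str) -> bool:
    """True if `bao read -format=json auth/ldap/config` output shows username_as_alias=true."""
    data = json.loads(config_json).get("data", {})
    return bool(data.get("username_as_alias", False))


# Constructed audit log lines: one clean login, two padded logins, a response entry, a non-LDAP mount.
AUDIT_SAMPLE = [
    '{"type":"request","request":{"path":"auth/ldap/login/alice","operation":"update"}}',
    '{"type":"request","request":{"path":"auth/ldap/login/ alice","operation":"update"}}',
    '{"type":"request","request":{"path":"auth/ldap/login/alice%20","operation":"update"}}',
    '{"type":"response","request":{"path":"auth/ldap/login/ alice","operation":"update"}}',
    '{"type":"request","request":{"path":"auth/userpass/login/ bob","operation":"update"}}',
    'not an audit line',
]

if __name__ == "__main__":
    enf = MfaEnforcement(frozenset({"alice"}))
    print("alice, vulnerable:", login_requires_mfa("alice", enf, True, False))
    print("' alice', vulnerable:", login_requires_mfa(" alice", enf, True, False))
    print("' alice', fixed:", login_requires_mfa(" alice", enf, True, True))
    print("padded logins:", find_padded_logins(AUDIT_SAMPLE))
```

Run the script to see the enforcement apply to 'alice', miss ' alice' under the vulnerable behaviour, and apply again once the username is trimmed; the scan reports the two padded LDAP logins and ignores the response entry and the userpass mount. With username_as_alias=false the alias is the DN regardless of padding, which is why reverting that setting is an effective interim mitigation.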
