OpenBao Login Multi-Factor Authentication Rate Limiting Bypass Vulnerability

Vulnerability

A vulnerability exists in OpenBao's Login Multi-Factor Authentication (MFA) system in versions prior to 2.3.2. The issue arises from the Time-based One-Time Password (TOTP) implementation, where the normalization step accepted codes that contained added whitespace. This flaw could bypass the MFA method's internal rate limiting and allow a TOTP code to be reused. The vulnerability is fixed in version 2.3.2.

Impact

Exploitation of this vulnerability could lead to a bypass of MFA rate limits, allowing for the reuse of TOTP codes during the authentication process.

Reproduction

To reproduce this vulnerability, initiate a login process that requires MFA using TOTP. When prompted for the TOTP code, inject whitespace into the passcode. The system will accept the code with the added whitespace, bypassing the rate limit and allowing the same code to be used multiple times within its validity period.

Remediation

Users can upgrade to OpenBao version 2.3.2, which addresses this vulnerability. For those unable to upgrade immediately, implementing rate-limiting quotas can help mitigate the risk by restricting the number of MFA validation attempts.
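The following Go example is added here to illustrate the class of defect described above and the shape of the fix; it is constructed for this page and is not OpenBao's code, and the page does not state how OpenBao 2.3.2 itself implements the correction. The tracker models a per-user replay cache for accepted TOTP codes: the defective variant (`RawKey`) compares the code after stripping whitespace but records it under the raw submitted string, so whitespace-padded variants of one code are treated as distinct entries; the corrected variant (`CanonicalKey`) normalizes first and uses the canonical form for every lookup and store. The six-digit code length, the 30-second window and the `expected` parameter standing in for the computed TOTP value are all assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
	"time"
	"unicode"
)

// KeyFunc derives the replay-cache key from the submitted code and its
// whitespace-stripped canonical form.
type KeyFunc func(submitted, canonical string) string

// RawKey models the defect: the code is compared after stripping whitespace,
// but the reuse record is keyed on the raw submission, so "123456" and
// "123 456" are tracked as two different codes.
func RawKey(submitted, _ string) string { return submitted }

// CanonicalKey is the corrected behaviour: normalize first, then use the
// canonical form everywhere the code is stored or compared.
func CanonicalKey(_, canonical string) string { return canonical }

// Tracker is a constructed replay cache for one user's TOTP method (not
// OpenBao's implementation). It remembers accepted codes for ttl.
type Tracker struct {
	mu   sync.Mutex
	seen map[string]time.Time
	ttl  time.Duration
	key  KeyFunc
}

// NewTracker builds a tracker with the given validity window and key policy.
func NewTracker(ttl time.Duration, key KeyFunc) *Tracker {
	return &Tracker{seen: make(map[string]time.Time), ttl: ttl, key: key}
}

// stripWhitespace removes every Unicode whitespace rune from s.
func stripWhitespace(s string) string {
	return strings.Map(func(r rune) rune {
		if unicode.IsSpace(r) {
			return -1 // strings.Map drops runes mapped to a negative value
		}
		return r
	}, s)
}

// wellFormed accepts only a six-digit ASCII numeric code (assumed length),
// so no other separator can survive into the cache key.
func wellFormed(code string) bool {
	if len(code) != 6 {
		return false
	}
	for _, r := range code {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

// Accept reports whether submitted matches expected and has not already been
// used inside the ttl window. expected stands in for the TOTP value computed
// from the user's secret.
func (t *Tracker) Accept(submitted, expected string, now time.Time) bool {
	canonical := stripWhitespace(submitted)
	if !wellFormed(canonical) || canonical != expected {
		return false
	}
	t.mu.Lock()
	defer t.mu.Unlock()
	// Drop records older than the validity window before checking for reuse.
	for k, at := range t.seen {
		if now.Sub(at) > t.ttl {
			delete(t.seen, k)
		}
	}
	k := t.key(submitted, canonical)
	if _, used := t.seen[k]; used {
		return false // replay within the validity window
	}
	t.seen[k] = now
	return true
}

func main() {
	now := time.Now()
	policies := map[string]KeyFunc{"raw-key (defective)": RawKey, "canonical-key (fixed)": CanonicalKey}
	for name, kf := range policies {
		tr := NewTracker(30*time.Second, kf)
		first := tr.Accept("123456", "123456", now)
		replay := tr.Accept("123 456", "123456", now)
		fmt.Printf("%-22s first=%v replay-with-space=%v\n", name, first, replay)
	}
}
```

The point for reviewers of any MFA verifier is that every input transformation applied before comparison must also be applied before the value is used as a key for rate limiting or reuse tracking; otherwise the two views of "the same code" diverge. Rejecting malformed canonical codes outright, as `wellFormed` does, keeps the key space to the digits the TOTP algorithm can actually produce.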

Added: Aug 9, 2025, 3:25 AM
Updated: Aug 9, 2025, 3:25 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.0
remediation: 0.0
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.