Zitadel Brute-Force Vulnerability on OTP, TOTP, and Password Authentication

Vulnerability

Zitadel, an identity infrastructure platform, does not by default limit failed verification attempts in versions prior to 4.6.0, 3.4.3 and 2.71.18, so an attacker can conduct online brute-force attacks against One-Time Passwords (OTP), Time-Based One-Time Passwords (TOTP) and passwords. Zitadel ships a lockout policy that caps consecutive failures, but it is disabled by default, and because it locks the targeted account after a set number of failed attempts, enabling it lets an attacker deny service to the very user whose account they are attacking. In addition, the newer resource-based APIs do not fully apply the mitigations that do exist. The issue is fixed in Zitadel 4.6.0, 3.4.3 and 2.71.18.

Impact

An attacker who guesses a victim's OTP, TOTP or password through repeated online attempts can complete authentication as that user and gain unauthorized access to their account.

Reproduction

To reproduce, submit an incorrect OTP, TOTP or password for a target user repeatedly. With the lockout policy disabled, every attempt is checked and none is refused, so the factor can be recovered by exhaustion (a typical 6-digit code has only one million possible values, and a TOTP only has to be found within its validity window). The 'Change Password' command offers a second guessing path: it requires the user's current password, fails when that password is wrong, and can simply be retried, so it can be used to brute-force the password verification as well.

Remediation

Upgrade Zitadel to version 4.6.0, 3.4.3 or 2.71.18. Where an upgrade is not yet possible, the optional lockout policy can be enabled as a stopgap, bearing in mind that it locks an account after the configured number of failed attempts and can therefore be turned into a denial of service against targeted users.
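The two behaviours described above, an unlimited verifier that can be exhausted and a lockout policy that an attacker can trigger on purpose, as an added example that is not Zitadel's own code: a standard-library Python model of a TOTP check (RFC 6238, HMAC-SHA1) run under both policies. The class and function names (TotpVerifier, brute_force, run_demo), the secret and the fixed clock are constructed for the demonstration and do not correspond to anything in Zitadel; the same attempt-counting logic applies to the password check in the 'Change Password' path.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

DIGITS = 6
STEP = 30


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # RFC 4226 dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


class TotpVerifier:
    """Server-side second-factor check for one user (hypothetical model).

    max_failures=None models the vulnerable default: no lockout policy, so
    failed attempts are never counted. An integer models a lockout policy that
    locks the account after that many consecutive failures.
    """

    def __init__(self, secret: bytes, max_failures: Optional[int] = None):
        self.secret = secret
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False
        self._expected: Dict[int, str] = {}       # code cached per time step

    def verify(self, code: str, unix_time: int) -> bool:
        if self.locked:
            return False                          # locked account rejects even the right code
        step = unix_time // STEP
        if step not in self._expected:
            self._expected[step] = totp(self.secret, unix_time)
        if hmac.compare_digest(code, self._expected[step]):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


def brute_force(verifier: TotpVerifier, unix_time: int,
                digits: int = DIGITS) -> Tuple[int, Optional[str]]:
    """Online attack: submit every code for the current step, in order, until
    one is accepted or the account locks. Returns (attempts, accepted code or None)."""
    for guess in range(10 ** digits):
        code = f"{guess:0{digits}d}"
        if verifier.verify(code, unix_time):
            return guess + 1, code
        if verifier.locked:
            return guess + 1, None
    return 10 ** digits, None


SECRET = b"constructed-demo-secret"   # constructed for the example, not a real user secret
NOW = 1_700_000_000                   # fixed clock so every run guesses the same code


def run_demo() -> dict:
    """Runs the attack against both policies and returns the outcomes."""
    # 1. No lockout policy (the vulnerable default): with unlimited attempts the
    #    attacker always lands on the valid code inside the current 30-second step.
    open_user = TotpVerifier(SECRET)
    attempts, found = brute_force(open_user, NOW)

    # 2. Lockout after 5 failures: the attacker is stopped almost immediately, but
    #    the legitimate user is now rejected even with the correct code.
    locked_user = TotpVerifier(SECRET, max_failures=5)
    lock_attempts, lock_found = brute_force(locked_user, NOW)
    legit_accepted = locked_user.verify(totp(SECRET, NOW), NOW)

    return {
        "no_lockout_found": found == totp(SECRET, NOW),
        "no_lockout_attempts": attempts,
        "lockout_found": lock_found,
        "lockout_attempts": lock_attempts,
        "legit_user_after_lockout": legit_accepted,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The first run shows why an uncounted verifier is brute-forceable at all: a 6-digit code is exhausted in at most one million requests, and the attacker needs only as many as it takes to reach the valid value. The second run shows the trade-off the advisory warns about: a per-account lockout stops the guessing, but five deliberate failures from the attacker are enough to lock the real user out, which is why enabling the policy is a stopgap rather than a fix.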

Added: Oct 29, 2025, 7:20 PM
Updated: Oct 29, 2025, 7:20 PM

Vulnerability Rating

Custom Algorithm

spread          1.0
impact          1.3
exploitability  6.0
remediation     8.3
relevance       0.9
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.