Termix Temporary JWT Vulnerability Bypasses TOTP Authentication
Vulnerability
A vulnerability in Termix, a web-based server management platform, allows for the bypass of two-factor authentication (2FA) for TOTP-enabled accounts. Prior to version 2.1.0, the login endpoint issued a temporary JWT (temp_token) that included a pendingTOTP state, intended only for second-factor authentication. However, this token was accepted on regular authenticated endpoints, effectively reducing 2FA to single-factor authentication for affected accounts. Exploitation of this vulnerability could lead to unauthorized access to accounts and their associated API privileges.
Impact
Exploitation of this vulnerability allows an attacker to bypass TOTP authentication entirely, reducing it to single-factor password authentication. This could lead to unauthorized access to the user's account and its API privileges, despite 2FA being enabled.
Reproduction
To reproduce this vulnerability, log into a TOTP-enabled account to receive the temp_token. Then, use this token to access the '/users/totp/backup-codes' endpoint, which is normally protected, to obtain new backup codes. These codes can be used to complete the login process without needing the TOTP from an authenticator app.
Remediation
Users should update to Termix version 2.1.0, which patches this vulnerability.
