YubiKey 7.x - Less critical - Access bypass - SA-CONTRIB-2020-023

Project: YubiKey
Version: 7.x-2.x-dev
Date: 2020-June-10
Security risk: Less critical 9∕25
Vulnerability: Access bypass

Description

This module enables you to use a YubiKey device to protect your Drupal user account. YubiKey is a secure method for logging into many websites using a cryptographically secure USB token.

The module doesn't sufficiently implement login flood control when the module is configured for YubiKey OTP only. This allows an attacker to attempt many YubiKey OTP codes. However, a brute force attack on this code is not practical in most situations given the length and randomness of the OTP codes.

Solution:

Install the latest version:

If you use the YubiKey module for Drupal 7.x, upgrade to YubiKey 7.x-2.3.

Also see the YubiKey project page.
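The login flood control that the description says was missing can be modelled as follows. This is an added example, not code from the YubiKey module or its 7.x-2.3 fix; the class and method names are hypothetical, the limits mirror Drupal 7 core's default login flood settings, and `verify_otp` stands in for whatever OTP validator the site uses.

```python
import time
from collections import defaultdict, deque


class OtpFloodControl:
    """Sliding-window limiter for failed OTP logins (constructed example)."""

    def __init__(self, user_limit=5, user_window=21600,
                 ip_limit=50, ip_window=3600, clock=time.monotonic):
        # Assumed defaults: 5 failures per account in 6 hours and
        # 50 failures per IP address in 1 hour.
        self.limits = {"user": (user_limit, user_window),
                       "ip": (ip_limit, ip_window)}
        self.failures = defaultdict(deque)  # (kind, id) -> failure timestamps
        self.clock = clock

    def _blocked(self, kind, ident):
        limit, window = self.limits[kind]
        events = self.failures[(kind, ident)]
        cutoff = self.clock() - window
        while events and events[0] <= cutoff:
            events.popleft()  # forget failures that fell out of the window
        return len(events) >= limit

    def login(self, account, ip, otp, verify_otp):
        """Return 'blocked', 'ok' or 'denied' for one OTP login attempt."""
        # Check both counters before calling the validator, so a blocked
        # client gets no answer about whether the submitted code was valid.
        if self._blocked("user", account) or self._blocked("ip", ip):
            return "blocked"
        if verify_otp(account, otp):
            # A success clears the per-account counter only; the per-IP
            # counter keeps ageing out on its own window.
            self.failures.pop(("user", account), None)
            return "ok"
        now = self.clock()
        self.failures[("user", account)].append(now)
        self.failures[("ip", ip)].append(now)
        return "denied"
```

The per-account counter bounds guessing against one user, while the per-IP counter bounds a single client that spreads attempts across many accounts.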

Nick Onom
Marketing Project Manager
Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly about Drupal. For the last years has been actively developing AltaGrade's new back-end system.