SonicWall TOTP MFA bypass due to misconfiguration
A client called us asking how to resolve an issue they suspected was a 0-day:
they were trying to work out how someone had bypassed their TOTP MFA tokens.
It turned out they had two user groups, one backed by LDAP and the other
defined directly on the firewall. When the user changed the case of the name
from the exact lowercase form, e.g. from smith to sMiTh, the firewall treated
it as two different users, and the second one bypassed the TOTP 2FA that should
have applied to that user.
All of this was caused by two distinct VPN groups being assigned to the same VPN
interface at the same time: one using local accounts with TOTP enabled, and the
other using the LDAP group vpnusers on the DC, which had no TOTP MFA option. A
Windows Server DC ignores case, so it treats any spelling of the name as the
same (lowercase) account, but the firewall does not.
So these guys did everything right and someone still bypassed a security
control because of a misconfiguration that is not at all obvious.
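To make the mechanism concrete, here is an added model of the two-group setup in Python. It is not SonicWall or Windows code and is not from the original post: the account names, password and directories are constructed, the TOTP seed is the RFC 6238 test vector, and the two authenticate_* functions are my own simplified stand-ins for the firewall's group resolution. The misconfigured version matches local names case-sensitively and lets the no-MFA LDAP group catch anything the local store misses; the hardened version canonicalises the name before any lookup and treats MFA as a requirement of the interface rather than of one backend.

```python
"""Model of the misconfiguration described above: one VPN interface served by
two user groups, a firewall-local group with TOTP and an LDAP group (vpnusers)
with no MFA. Local names match case-sensitively; AD sAMAccountName matching is
case-insensitive. Constructed example, not SonicWall or Windows code; all
accounts, passwords and the directory contents are made up."""
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a given Unix time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed directories. The same person exists in both places, as in the
# post: a local firewall account carrying a TOTP seed, and an AD account that
# is a member of vpnusers. The attacker knows the password, not the seed.
TOTP_SEED = b"12345678901234567890"  # RFC 6238 test seed, not a real secret
LOCAL_USERS = {"smith": {"password": "Winter2024!", "totp_seed": TOTP_SEED}}
LDAP_USERS = {"smith": {"password": "Winter2024!", "groups": {"vpnusers"}}}


def local_lookup(name):
    # Firewall-local store: exact, case-sensitive match.
    return LOCAL_USERS.get(name)


def ldap_lookup(name):
    # Domain controller: sAMAccountName is compared case-insensitively.
    return LDAP_USERS.get(name.lower())


def authenticate_misconfigured(name, password, code, now):
    """Both groups attached to the interface: the first backend that knows the
    name wins, and only the local backend enforces TOTP."""
    rec = local_lookup(name)
    if rec is not None:
        if rec["password"] != password:
            return ("deny", "local: bad password")
        if code != totp(rec["totp_seed"], now):
            return ("deny", "local: TOTP required")
        return ("allow", "local+TOTP")
    rec = ldap_lookup(name)
    if rec is not None and "vpnusers" in rec["groups"] and rec["password"] == password:
        return ("allow", "ldap, no MFA")  # the bypass path: sMiTh lands here
    return ("deny", "unknown user")


def authenticate_hardened(name, password, code, now):
    """Two fixes: canonicalise the name before any lookup so 'sMiTh' and
    'smith' are one identity, and make MFA a property of the interface, so a
    backend that cannot supply a second factor is refused, not downgraded."""
    name = name.casefold()
    rec = local_lookup(name)
    if rec is not None:
        if rec["password"] != password:
            return ("deny", "local: bad password")
        if code != totp(rec["totp_seed"], now):
            return ("deny", "local: TOTP required")
        return ("allow", "local+TOTP")
    rec = ldap_lookup(name)
    if rec is not None and "vpnusers" in rec["groups"] and rec["password"] == password:
        return ("deny", "ldap: interface requires MFA, group has no second factor")
    return ("deny", "unknown user")


if __name__ == "__main__":
    now = 59  # RFC 6238 vector: the SHA1 TOTP at T=59 is 287082
    pw = "Winter2024!"
    print(authenticate_misconfigured("smith", pw, None, now))  # ('deny', 'local: TOTP required')
    print(authenticate_misconfigured("sMiTh", pw, None, now))  # ('allow', 'ldap, no MFA')
    print(authenticate_hardened("sMiTh", pw, None, now))       # ('deny', ...)
    print(authenticate_hardened("sMiTh", pw, totp(TOTP_SEED, now), now))  # ('allow', 'local+TOTP')
```

The second fix is the one that matters operationally: even with case folding in place, any group on an MFA-protected interface that has no second factor of its own is a downgrade path, so it either gets a factor or it does not belong on that interface.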