Tuesday, August 30, 2022

SONICWALL TOTP MFA bypass due to misconfiguration

A client organization called us asking how to resolve an issue they suspected was a 0-day vulnerability: they were trying to figure out how someone had bypassed their MFA TOTP tokens. It turned out they had two user groups, one calling LDAP and the other defined directly on the firewall. So when a user changed the name from the exact lower case to any other casing, for example from smith to sMiTh, the firewall treated it as two different users, with the second one bypassing the TOTP 2FA that would have applied to that user.

All this was due to two distinct VPN groups being assigned to the same VPN interface at the same time: one calling local accounts with TOTP enabled, and the second calling the LDAP group vpnusers on the DC, which has no MFA TOTP option. A Windows Server DC ignores capitalization, so it treats any casing of a name as the same account, but the firewall does not.

So these guys did everything right, and still someone bypassed a security control because of a misconfiguration that is not so obvious.
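The following is an added illustration written for this post, not SonicWall code: it models the two authentication paths described above (a case-sensitive local TOTP group and a case-insensitive LDAP group on the same interface), includes a check that lists which local accounts could be used to skip TOTP by varying case, and shows one way to harden the lookup. Evaluating the local group first, the group names and the hardening approach are assumptions for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class LocalTotpGroup:
    """Accounts held on the firewall itself: TOTP enforced, names matched exactly."""
    users: set

    def authenticate(self, username: str, totp_ok: bool):
        if username not in self.users:      # case-sensitive comparison
            return None                     # not our user: fall through to next group
        return "allow" if totp_ok else "deny"


@dataclass
class LdapGroup:
    """AD group (e.g. vpnusers) checked on the DC: AD ignores case, and no MFA here."""
    members: set

    def authenticate(self, username: str, totp_ok: bool):
        if username.casefold() in {m.casefold() for m in self.members}:
            return "allow"                  # LDAP path has no TOTP option
        return None


def vpn_login(groups, username: str, totp_ok: bool = False) -> str:
    """Misconfigured interface: the first group that recognises the name decides."""
    for group in groups:
        verdict = group.authenticate(username, totp_ok)
        if verdict is not None:
            return verdict
    return "deny"


def totp_bypass_candidates(local: LocalTotpGroup, ldap: LdapGroup) -> set:
    """Local TOTP accounts whose name also exists (ignoring case) in the LDAP group.
    A differently cased login for any of these reaches the LDAP path without TOTP."""
    ldap_names = {m.casefold() for m in ldap.members}
    return {u for u in local.users if u.casefold() in ldap_names}


def vpn_login_hardened(local: LocalTotpGroup, ldap: LdapGroup,
                       username: str, totp_ok: bool = False) -> str:
    """One mitigation (assumed, not from the vendor KB): normalise the name before
    the local lookup so a TOTP-protected account is enforced whatever casing is sent."""
    local_names = {u.casefold() for u in local.users}
    if username.casefold() in local_names:
        return "allow" if totp_ok else "deny"
    return ldap.authenticate(username, totp_ok) or "deny"


# Constructed sample data: "smith" has both a local TOTP account and LDAP membership.
LOCAL = LocalTotpGroup(users={"smith", "jones"})
LDAP = LdapGroup(members={"smith", "garcia"})
GROUPS = [LOCAL, LDAP]
```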


https://www.sonicwall.com/support/knowledge-base/how-do-i-configure-2fa-for-ssl-vpn-with-totp/190829123329169/