PT-2014-3364 · Oath · Oath Toolkit

Bas Van Schaik · Published 2014-02-25 · Updated 2024-06-15 · CVE-2013-7322

CVSS v2.0

4.9

Medium

Vector AV:N/AC:M/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions

OATH Toolkit versions prior to 2.4.1

Description

usersfile.c in liboath does not properly handle lines in /etc/users.oath that carry an invalid one-time-password (OTP) type together with a user name. When a successfully used OTP is invalidated, the wrong line can be updated, so the genuine record keeps its previous state and a context-dependent attacker can replay the same OTP. A commented-out record (a line starting with "#" that still contains the user name) in a users file consumed through libpam-oath demonstrates the problem.

Recommendations

Update OATH Toolkit to version 2.4.1 or later. Until the update is applied, review /etc/users.oath for commented-out or otherwise malformed lines that still contain a user name, since such lines are what trigger the mis-update.
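The following is an added, self-contained model of the failure mode described above. It is not liboath's source code: it assumes a simplified record layout of "TYPE USER PIN SECRET_HEX [COUNTER]", HOTP-only records, a small look-ahead window, and a constructed users.oath in which a commented-out record still carries the user name. The vulnerable path (check_type=False) selects the line to rewrite by user name alone, so the comment is rewritten and the genuine record keeps its counter, which is why the same OTP is accepted twice; the fixed path (check_type=True) requires a valid OTP type on the line it rewrites.

```python
import hashlib
import hmac
import struct

# Assumptions for this model: only HOTP records, a small look-ahead window,
# and a record layout of "TYPE USER PIN SECRET_HEX [COUNTER]".
VALID_TYPES = {"HOTP"}
WINDOW = 3

# RFC 4226 test secret "12345678901234567890" as hex (constructed sample data).
SECRET_HEX = "3132333435363738393031323334353637383930"

# Constructed users.oath: the commented-out first record still carries the
# user name "alice", which is the condition the advisory describes.
USERS_OATH = [
    "# users.oath (constructed sample)",
    "#HOTP alice - " + SECRET_HEX + " 0",
    "HOTP alice - " + SECRET_HEX + " 0",
    "HOTP bob - " + "00" * 20 + " 5",
]


def hotp(secret_hex, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(bytes.fromhex(secret_hex), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def fields(line):
    """Split a record into whitespace-separated fields; None if too short."""
    parts = line.split()
    return parts if len(parts) >= 4 else None


def lookup(lines, user):
    """Validation pass: first record for `user` whose OTP type is valid.
    Returns (secret_hex, counter) or None."""
    for line in lines:
        p = fields(line)
        if p and p[0] in VALID_TYPES and p[1] == user:
            return p[3], int(p[4]) if len(p) > 4 else 0
    return None


def update(lines, user, new_counter, check_type):
    """Rewrite pass: store the advanced counter on the user's record.
    check_type=False models the vulnerable behaviour: the line is chosen by
    user name alone, so "#HOTP alice ..." is rewritten and the genuine record
    keeps its old counter. check_type=True models the fixed behaviour."""
    out = list(lines)
    for i, line in enumerate(lines):
        p = fields(line)
        if not p or p[1] != user:
            continue
        if check_type and p[0] not in VALID_TYPES:
            continue
        out[i] = " ".join(p[:4] + [str(new_counter)])
        return out
    raise KeyError(user)


def authenticate(lines, user, otp, check_type):
    """Check `otp` within WINDOW counters and invalidate it on success.
    Returns (accepted, lines_after)."""
    rec = lookup(lines, user)
    if rec is None:
        return False, lines
    secret_hex, counter = rec
    for c in range(counter, counter + WINDOW):
        if hmac.compare_digest(hotp(secret_hex, c), otp):
            return True, update(lines, user, c + 1, check_type)
    return False, lines


def replay(check_type):
    """Authenticate alice twice with the same OTP.
    Returns (first_accepted, second_accepted, lines_after_first)."""
    otp = hotp(SECRET_HEX, 0)
    ok1, after = authenticate(USERS_OATH, "alice", otp, check_type)
    ok2, _ = authenticate(after, "alice", otp, check_type)
    return ok1, ok2, after


if __name__ == "__main__":
    for mode, label in ((False, "vulnerable"), (True, "fixed")):
        ok1, ok2, after = replay(mode)
        print(f"{label}: first={ok1} replay={ok2}")
        for line in after:
            print("   ", line)
```

Running the script prints the rewritten file for both modes: in the vulnerable mode the "#HOTP alice" comment gains the new counter while the real record stays at 0 and the replay is accepted; in the fixed mode the real record advances and the replayed OTP is rejected. The design point is that the pass which decides which record a user authenticates against and the pass which rewrites that record must apply the same line-validity rule.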

Fix

Weakness Enumeration

Improper Authentication (CWE-287)

Related Identifiers

CVE-2013-7322
MGASA-2014-0101
OPENSUSE-SU-2024:11104-1

Affected Products

Oath Toolkit