PT-2014-3336 · Vasco · Vasco Identikey Authentication Server

Luke Sullivan +1 · Published 2014-01-13 · Updated 2014-01-14 · CVE-2013-7292

CVSS v2.0: 3.5 (Low)

Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

VASCO IDENTIKEY Authentication Server (IAS) version 3.4.x

Description

The issue allows remote authenticated users to bypass Active Directory authentication. This is done by entering only a DIGIPASS one-time password, instead of the required combination of this one-time password and a multiple-time AD password.

Recommendations

For version 3.4.x, consider restricting access to the DIGIPASS one-time password feature until a fix is available, to minimize the risk of Active Directory authentication bypass.

Fix

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2013-7292

Affected Products

Vasco Identikey Authentication Server