Executive Summary

This vulnerability in SOGo versions before 5.12.5 involves improper handling of Time-based One-Time Passwords (TOTP). Specifically, when a user disables and then re-enables TOTP, the system does not renew the OTP key as it should. Additionally, the TOTP key length was only 12 digits, which is shorter than the recommended 20 digits, weakening security.

The issue allows old TOTP keys to persist after disabling and re-enabling, potentially causing authentication problems or security risks. The fix includes renewing the TOTP key properly upon re-enabling and increasing the key length to 20 characters to meet security standards. Backward compatibility is maintained by supporting legacy keys during the transition.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact users by allowing the reuse of old TOTP keys after disabling and re-enabling two-factor authentication, which may lead to authentication bypass or confusion during login.

Because the TOTP key length was shorter than recommended, the cryptographic strength of the OTP was weaker, potentially making it easier for attackers to guess or compromise the OTP.

Overall, this could reduce the effectiveness of two-factor authentication, increasing the risk of unauthorized access to user accounts.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability relates to the handling of Time-based One-Time Passwords (TOTP) in SOGo before version 5.12.5, specifically the failure to renew the OTP key after disabling and re-enabling it, and the use of a too short TOTP key length (12 digits instead of 20).'}, {'type': 'paragraph', 'content': 'Detection would involve verifying if your SOGo installation is running a version prior to 5.12.5 and checking if the TOTP keys in use are only 12 characters long instead of the recommended 20 characters.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is in the TOTP key renewal and length, you can detect it by inspecting user TOTP keys stored in the system settings or database, looking for keys of length 12 characters.'}, {'type': 'paragraph', 'content': 'No specific network commands are provided in the resources, but you can check the SOGo version with commands like:'}, {'type': 'list_item', 'content': 'sogo --version'}, {'type': 'list_item', 'content': 'dpkg -l | grep sogo (on Debian/Ubuntu systems)'}, {'type': 'list_item', 'content': 'rpm -qa | grep sogo (on RedHat/CentOS systems)'}, {'type': 'paragraph', 'content': "To check the TOTP key length, you would need to query the user settings where the TOTP keys are stored, which depends on your SOGo backend (e.g., database or LDAP). For example, querying the database for the 'totpKey' field and checking its length."}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade SOGo to version 5.12.5 or later, where this vulnerability has been fixed.

This update ensures that TOTP keys are properly renewed when a user disables and re-enables TOTP, and that the TOTP key length is increased from 12 to the recommended 20 characters, improving security.

Additionally, after upgrading, verify that user TOTP keys are renewed correctly and consider prompting users to reconfigure their TOTP if necessary.

No other immediate configuration changes or workarounds are described in the resources.

Useful 0 Not Useful 0