Executive Summary

This vulnerability affects Vikunja, an open-source self-hosted task management platform, in versions prior to 2.3.0. It involves a bypass of the Time-based One-Time Password (TOTP) two-factor authentication (2FA) when users log in via the OpenID Connect (OIDC) login path using the EmailFallback feature.

Specifically, the OIDC callback handler issues a full JWT token immediately after user lookup without verifying if the user has TOTP 2FA enabled. This means that if a local user has TOTP enabled, but logs in through the OIDC EmailFallback mechanism, the second factor is completely skipped and the user is authenticated without a TOTP challenge.

An attacker who can authenticate to the OIDC provider with a matching email address can gain full access to the account without needing to provide the second factor, undermining the security guarantees of TOTP enrollment.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to bypass two-factor authentication (TOTP 2FA) via the OIDC login path when EmailFallback is enabled, which compromises the security of user accounts by undermining authentication protections.

Such a security weakness can lead to unauthorized access to sensitive user data, potentially violating requirements for strong authentication and data protection found in common standards and regulations like GDPR and HIPAA.

By failing to enforce the second factor of authentication, the vulnerability increases the risk of data breaches and unauthorized data access, which may result in non-compliance with these regulations' mandates for protecting personal and health information.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious security impacts by allowing attackers to bypass two-factor authentication protections for accounts that have TOTP enabled.

• Attackers who can authenticate to the OIDC provider with a matching email address can gain full access to the victim's account without providing the second factor.
• This bypass undermines the confidentiality and integrity of user accounts by allowing unauthorized access.
• It can lead to unauthorized access to sensitive task management data stored in Vikunja.
• The vulnerability has a high severity rating with a CVSS v3.1 base score of 7.4, indicating a significant risk.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the OIDC login flow with EmailFallback enabled for users who have TOTP two-factor authentication enabled. Specifically, you can verify if the OIDC callback handler issues a JWT token without requiring a TOTP challenge.

A practical approach is to attempt an OIDC login for a user with TOTP enabled and observe if the system issues a JWT token without prompting for TOTP verification.

Commands or steps to detect this might include:

• Use curl or a similar HTTP client to perform an OIDC login request for a user with TOTP enabled and check the HTTP response code and returned tokens.
• Compare the behavior of local login (which should require TOTP and return HTTP 412 with code 1017 if TOTP is missing) versus the OIDC login flow (which may return HTTP 200 and issue a JWT token without TOTP).
• Monitor logs for JWT token issuance events following OIDC logins and verify if TOTP verification steps are logged or skipped.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Vikunja to version 2.3.0 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, consider disabling the OIDC EmailFallback feature to prevent bypassing TOTP enforcement.

Additionally, restrict or monitor access to the OIDC login path and ensure that users with TOTP enabled cannot authenticate via OIDC without proper second-factor verification.

The recommended fix involves adding TOTP verification in the OIDC callback handler before issuing JWT tokens, as shown in the suggested code snippet.

Useful 0 Not Useful 0