CVE-2026-41660
Authentication Bypass in Admidio via TOTP Reset
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| admidio | admidio | before 5.0.9 (5.0.9 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows non-admin users with certain privileges to remove two-factor authentication (2FA) from other users, including administrators, effectively reducing the security of those accounts to password-only authentication.
Such unauthorized modification of security settings can increase the risk of unauthorized access and data breaches, which may negatively impact compliance with common security standards and regulations like GDPR and HIPAA that require strong access controls and protection of sensitive data.
By weakening 2FA protections, the vulnerability could lead to violations of these regulations' requirements for safeguarding user data and ensuring integrity and confidentiality.
Can you explain this vulnerability to me?
This vulnerability is a logic error in Admidio's two-factor authentication (2FA) reset mechanism that inverts the authorization check.
Because of this error, non-admin users cannot remove their own 2FA configuration but can remove the 2FA settings of other users, including administrators.
Specifically, a group leader with profile edit rights on an admin account can strip that administrator's 2FA, effectively reducing their security to password-only authentication.
The issue is caused by an inverted condition in the code where the `!==` operator should have been `===`.
This vulnerability affects Admidio versions 5.0.8 and earlier and has been fixed in version 5.0.9.
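The following is an added illustration, not Admidio's code: the user model, field names and the exact shape of the check are assumptions, and only the `!==` versus `===` inversion reflects the advisory. It shows how a single inverted identity comparison flips who may reset whose TOTP.

```javascript
// Constructed sample users (hypothetical model, not Admidio's data structures).
// LEADER is a group leader holding profile-edit rights on the ADMIN account.
const ADMIN  = { id: 1, isAdmin: true,  editableProfileIds: [] };
const LEADER = { id: 7, isAdmin: false, editableProfileIds: [1, 7] };
const MEMBER = { id: 9, isAdmin: false, editableProfileIds: [] };

// Can `actor` edit `target`'s profile at all? Admins can edit anyone.
function canEditProfile(actor, target) {
  return actor.isAdmin || actor.editableProfileIds.includes(target.id);
}

// "Before" (inverted check, assumed shape): the identity test uses `!==`, so a
// non-admin is denied a reset of their OWN second factor but is allowed to reset
// any OTHER user they hold profile-edit rights on, administrators included.
function canResetTotpVulnerable(actor, target) {
  return actor.id !== target.id && canEditProfile(actor, target); // BUG: should be ===
}

// "After" (assumed corrected policy): a user may reset only their own TOTP unless
// they are an administrator. The only change to the non-admin path is `!==` -> `===`.
function canResetTotpFixed(actor, target) {
  if (actor.isAdmin) return true;
  return actor.id === target.id && canEditProfile(actor, target);
}

// Evaluate a policy against the cases the advisory describes.
function evaluate(policy) {
  return {
    leaderResetsOwn:   policy(LEADER, LEADER),
    leaderResetsAdmin: policy(LEADER, ADMIN),
    memberResetsAdmin: policy(MEMBER, ADMIN),
    adminResetsLeader: policy(ADMIN, LEADER),
  };
}

console.log('vulnerable:', evaluate(canResetTotpVulnerable));
console.log('fixed:     ', evaluate(canResetTotpFixed));
```

With the inverted check, `leaderResetsAdmin` is true and `leaderResetsOwn` is false; the corrected check reverses both while leaving the administrator path and the no-rights case unchanged.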
How can this vulnerability impact me?
This vulnerability can have a significant security impact by allowing unauthorized users to disable two-factor authentication (2FA) for other users, including administrators.
By stripping 2FA from admin accounts, attackers reduce the security of those accounts to password-only authentication, increasing the risk of account compromise.
Exploitation requires only low privileges and no user interaction, making it easier for attackers with limited access to escalate their control.
The integrity of the system is highly impacted because unauthorized modification of security settings is possible.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is related to a logic error in Admidio's two-factor authentication reset mechanism affecting versions 5.0.8 and earlier. Detection involves verifying the version of Admidio installed on your system.
You can check the installed Admidio version by running commands to inspect the application version, such as:
- Checking the version file or metadata within the Admidio installation directory.
- Using command line tools to search for version information, for example: `grep 'version' path/to/admidio/config` or `cat path/to/admidio/version.txt` if available.
Since the vulnerability involves unauthorized removal of 2FA by non-admin users, monitoring logs for unusual 2FA reset activities or changes initiated by non-admin accounts could also help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Admidio to version 5.0.9 or later, where this vulnerability has been patched.
Until the upgrade can be performed, restrict profile edit rights to trusted users only, especially limiting group leaders' ability to edit admin profiles.
Additionally, monitor user activities related to two-factor authentication resets to detect and respond to any unauthorized changes.