
Sophos UTM, OTP and AD authentication weakness

Hi to all...

I've discovered a weakness in the Sophos UTM OTP implementation when it is integrated with Active Directory.

When a user connects with their domain credentials (username/password) for the first time on the user portal page, a local user is created on the Sophos, and the QR code for the authenticator app is generated. For subsequent accesses, the user must enter the domain password + OTP (if configured to use OTP on the user portal). If they try to log in with a simple user/pass, the login fails. In this way the two-way authentication is guaranteed, and all is safe.

The problem is that, if as username we use "DOMAIN\username", the Sophos allows access (as it should, since the AD authentication will succeed) but it creates a NEW local user, with a new OTP.

So, if the user/pass is compromised and the domain can be guessed/compromised, the whole OTP can be bypassed.

Any thought on this?



This thread was automatically locked due to age.
  • I think that this is a major flaw.

    Imagine this scenario:

    Configuration: AD backend with OTP, plus the certificate for the SSL connection (in theory, the maximum in terms of security).

    The first time that a user logs on to the user portal, they can access it with a simple AD user/pass. Sophos creates the certificate and OTP code. Once OTP is configured, I can log on to the user portal and download the certificate.

    From then on, the user can connect to the network with certificate + user/pass + OTP.

    One day, the user/pass of the user is compromised, and someone else tries to log on to the user portal with the same username/pass, but including the domain (the domain, in most cases, can be easily found with a few tries).

    At this time, a new certificate is issued, and a new OTP code is generated. So someone else can access the user portal, download their certificate, and create a new OTP code, allowing access to the network.

    How can I inform the tech support about this issue?

  • You can open a ticket at https://support.sophos.com/.  If it's your first LOGIN to the Support system, you will need to create a Sophos ID.

    Cheers - Bob
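The behaviour described in the original post and in the certificate scenario above comes down to one design decision: what the local OTP record is keyed on. The following is an added example written for this page, not Sophos code and not a reproduction of the UTM internals. It models a toy user portal with a constructed AD backend (user `alice` in domain `CORP`/`corp.example`, password and secrets are test data) and a standard RFC 6238 TOTP routine, then compares a store keyed on the raw login string with one keyed on the canonical AD identity. The `canonical_user`, `Portal` and `demo` names, and the idea that the backend reports a sAMAccountName, are assumptions of this example.

```python
"""
Added example (not Sophos code): a toy model of the user-portal OTP enrolment
flow described in the thread.  It shows how keying the local OTP record on the
raw login string lets "DOMAIN\\user" sidestep an existing enrolment, and how
canonicalising the identity first closes the gap.  All users, passwords and
domains below are constructed test data.
"""
import hashlib
import hmac
import secrets
import struct
import time

# Constructed stand-in for the Active Directory backend (assumption: AD accepts
# the same account under several spellings and reports one sAMAccountName).
AD_USERS = {"alice": "Winter2024!"}
AD_DOMAIN = "CORP"
AD_DNS_DOMAIN = "corp.example"


def canonical_user(login: str):
    """Reduce 'alice', 'CORP\\alice' and 'alice@corp.example' to 'alice';
    return None for a domain that is not ours."""
    name, domain = login, None
    if "\\" in login:
        domain, name = login.split("\\", 1)
    elif "@" in login:
        name, domain = login.rsplit("@", 1)
    if domain is not None and domain.lower() not in (AD_DOMAIN.lower(), AD_DNS_DOMAIN.lower()):
        return None
    return name.lower()


def ad_authenticate(login: str, password: str) -> bool:
    """Simulated AD bind: succeeds for every spelling of a valid account."""
    sam = canonical_user(login)
    return sam is not None and AD_USERS.get(sam) == password


def totp(secret: bytes, for_time=None, step=30, digits=6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as the authenticator app computes it."""
    counter = int((for_time if for_time is not None else time.time()) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Portal:
    """First AD login enrols the user (portal would show the QR code) without
    asking for an OTP; later logins need AD password + OTP.  `key_fn` decides
    what the local user record is keyed on."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.enrolled = {}  # local record key -> OTP secret

    def login(self, login, password, otp=None, now=None):
        if not ad_authenticate(login, password):
            return "denied"
        key = self.key_fn(login)
        if key not in self.enrolled:
            self.enrolled[key] = secrets.token_bytes(20)
            return "enrolled"  # new local user created, no OTP required
        if otp is not None and hmac.compare_digest(otp, totp(self.enrolled[key], now)):
            return "ok"
        return "otp_required"


def vulnerable_portal():
    return Portal(key_fn=lambda login: login)  # keyed on the string typed


def hardened_portal():
    return Portal(key_fn=canonical_user)       # keyed on the AD identity


def demo(portal, now=1_700_000_000):
    """Alice enrols as 'alice'; an attacker holding only her password tries
    'CORP\\alice'.  Returns (first login, OTP login, attacker result, records)."""
    first = portal.login("alice", "Winter2024!", now=now)
    secret = portal.enrolled[portal.key_fn("alice")]
    legit = portal.login("alice", "Winter2024!", totp(secret, now), now=now)
    attacker = portal.login("CORP\\alice", "Winter2024!", now=now)
    return first, legit, attacker, len(portal.enrolled)


if __name__ == "__main__":
    print("raw-string key:", demo(vulnerable_portal()))
    print("canonical key: ", demo(hardened_portal()))
```

With the raw-string key the attacker's `CORP\alice` login comes back as `enrolled`: a second local record with a fresh secret, exactly the second user/QR the post describes, and the portal never asked for the existing OTP. With the canonical key the same login maps to Alice's existing record and returns `otp_required`. The same canonicalisation step is what a practitioner would want in front of any per-user enrolment (OTP seed, client certificate) that hangs off an external directory.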