
CVE-2019-12887:
LinOTP replay vulnerability with auto resynchronization enabled for TOTP token

CVSS Score (v3.0): 8.1

Basic Information

EPSS Score: 0.5685%
Published: 5/24/2022
Updated: 9/30/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
LinOTP         pip         >= 0, < 2.11.1        2.11.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the autosync function in totptoken.py handling OTP validation during resynchronization. The commit diff shows a critical addition where a check was implemented to reject OTPs with counters lower than the stored counter (res < self.getOtpCount()). This indicates the original implementation allowed OTP reuse by not validating counter chronology during auto-resync. The added test cases in test_totp.py explicitly verify this fix by testing replay resistance, confirming the autosync function was the vulnerable component.
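To make the counter-chronology point concrete, here is an added model of an autosync counter search with and without the check described above. It is illustrative code written for this page, not LinOTP's `totptoken.py`: the HOTP routine follows RFC 4226, while the `TotpToken` class, its `window` parameter, the `replay_check` switch and the convention that the stored counter is the next expected counter (so `res < stored` rejects reuse) are assumptions made for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class TotpToken:
    """Toy TOTP token with an auto-resynchronization search (assumed design, not LinOTP's).

    otp_count holds the next counter the token expects; after a successful match at
    counter `res` it becomes res + 1, so any OTP at or below the last accepted counter
    has res < otp_count.
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 3, replay_check: bool = True):
        self.secret = secret
        self.step = step            # seconds per time step
        self.window = window        # resync search radius, in time steps
        self.otp_count = 0          # next expected counter (assumed convention)
        self.replay_check = replay_check

    def get_otp_count(self) -> int:
        return self.otp_count

    def autosync(self, otp: str, now: float) -> int:
        """Search counters around the current time step for a match.

        Returns the matched counter, or -1 if nothing matched or the match was rejected.
        With replay_check=False this models the pre-fix behaviour: any counter inside the
        window is accepted, including ones already consumed.
        """
        base = int(now // self.step)
        for res in range(base - self.window, base + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, res), otp):
                # The fix described on the page: reject counters behind the stored one.
                if self.replay_check and res < self.get_otp_count():
                    return -1
                self.otp_count = res + 1
                return res
        return -1


# Constructed demo using the RFC 4226 test secret; 30-second steps, so now=150 is counter 5.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    old_otp = hotp(SECRET, 5)
    vulnerable = TotpToken(SECRET, replay_check=False)
    print("no check, first use :", vulnerable.autosync(old_otp, 150))
    print("no check, replayed  :", vulnerable.autosync(old_otp, 210))
    fixed = TotpToken(SECRET)
    print("with check, first use:", fixed.autosync(old_otp, 150))
    print("with check, replayed :", fixed.autosync(old_otp, 210))
    print("with check, fresh OTP:", fixed.autosync(hotp(SECRET, 7), 210))
```

The defensive takeaway is the ordering of the two conditions: the match against the search window alone proves only that the OTP was valid at some point inside the window, and it is the comparison against the stored counter that turns a valid-once value into a rejected reuse.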

Vulnerable functions


WAF Protection Rules

WAF Rule

LinOTP is prone to a replay attack with activated automatic resynchronization. This vulnerability may allow an attacker to successfully log in with OTP values recorded at a previous point in time. This attack is only possible if automatic resynchron
