Hi to all...
I've discovered a weakness in the Sophos UTM OTP implementation when it is integrated with Active Directory.
When a user connects with their domain credentials (username/password) for the first time on the user portal page, a local user is created on the Sophos and the QR code for the authenticator app is generated. For subsequent accesses, the user must enter the domain password + OTP (if configured to use OTP on the user portal). If they try to log in with just user/pass, the login fails. In this way two-factor authentication is guaranteed, and all is safe.
The problem is that, if we use "DOMAIN\username" as the username, the Sophos allows access (as it should, since the AD authentication will succeed) but it creates a NEW local user, with a new OTP.
So, if the user/pass are compromised and the domain can be guessed/compromised, the whole OTP can be bypassed.
Any thought on this?
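The following is an added illustration of the behaviour described in the post; it is constructed example code, not Sophos UTM code, and the directory entry, the placeholder SID, the password and the toy OTP secret are all made up. It models a portal that keys its OTP enrolment on the raw username string the login form sent (so "alice", "CORP\alice" and "alice@corp.example" each get a fresh enrolment) beside one that keys enrolment on the canonical identity the directory returns after authentication, so every login form of the same account hits the same OTP requirement.

```python
import re

# Constructed directory: one account, keyed by a made-up placeholder SID.
DIRECTORY = {
    "S-1-5-21-1-2-3-1105": {
        "sam": "alice",
        "netbios": "CORP",
        "upn_suffix": "corp.example",
        "password": "hunter2",
    },
}


def ad_authenticate(login_name, password):
    """Accept the login forms AD accepts (sAMAccountName, DOMAIN\\user, user@upn)
    and return the canonical identity (SID) on success, or None."""
    m = re.fullmatch(r"([^\\]+)\\([^\\]+)", login_name)
    if m:                                   # DOMAIN\user
        domain, name, field = m.group(1), m.group(2), "netbios"
    elif "@" in login_name:                 # user@upn-suffix
        name, domain = login_name.rsplit("@", 1)
        field = "upn_suffix"
    else:                                   # bare sAMAccountName
        domain, name, field = None, login_name, None
    for sid, acct in DIRECTORY.items():
        if acct["sam"].lower() != name.lower():
            continue
        if domain is not None and acct[field].lower() != domain.lower():
            continue
        if acct["password"] != password:
            continue
        return sid
    return None


class Portal:
    """Toy user portal: first successful login enrols an OTP, later ones need it."""

    def __init__(self, key_by_identity):
        # key_by_identity=False: enrolment keyed by the raw login string (weak).
        # key_by_identity=True:  enrolment keyed by the SID AD returned (fixed).
        self.key_by_identity = key_by_identity
        self.enrolled = {}  # enrolment key -> OTP secret (a fixed string here)

    def login(self, login_name, password, otp=None):
        sid = ad_authenticate(login_name, password)
        if sid is None:
            return "denied"
        key = sid if self.key_by_identity else login_name
        if key not in self.enrolled:
            self.enrolled[key] = f"secret-{len(self.enrolled)}"  # new local user + OTP
            return "enrolled"
        return "ok" if otp == self.enrolled[key] else "otp-required"


def scenario(key_by_identity):
    """Replay the sequence from the post against one portal and return the outcomes."""
    p = Portal(key_by_identity)
    first_secret = lambda: p.enrolled[next(iter(p.enrolled))]
    return [
        p.login("alice", "hunter2"),                       # first login: enrols
        p.login("alice", "hunter2"),                       # no OTP: refused
        p.login("alice", "hunter2", otp=first_secret()),   # with OTP: ok
        p.login("CORP\\alice", "hunter2"),                 # weak: fresh enrolment
        p.login("alice@corp.example", "hunter2"),          # weak: fresh enrolment
        p.login("alice", "wrong"),                         # bad password: denied
    ]


if __name__ == "__main__":
    print("keyed by login string:", scenario(False))
    print("keyed by identity:    ", scenario(True))
```

With enrolment keyed by the login string, the fourth and fifth attempts come back "enrolled": a password alone, plus a guessable domain name, yields a brand-new OTP for the same account. Keyed by the identity the directory returned, they come back "otp-required".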