This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM, OTP and AD authentication weakness

Hi to all...

I've dicovered a weakeness of the Sophos UTM OTP implementation, when integrated with Active Directory.

When a user connect with it's domain credentials (username/password) for the first time on the user portal page, a local user is created on the sophos, and is generated the QR for the authenticator app. For the subsequent accesses, the user must insert the domain password + OTP (if configured to use OTP on the user portal). If it tries to login with simple user/pass, the login fail. In this way the two way authentication is guaranteed,and all is safe

The problem is that, if as username we use "DOMAIN\username", the sophos allow to access (as it should, the AD authentication will succeed) but it create a NEW local user, with a new OTP.

So, if the user/pass are compromised, the domain can be guessed/compromised, the whole OTP can be bypassed.

Any thought on this?



This thread was automatically locked due to age.
Parents
  • Ciao Enrico,

    Why have the possibility for a user to have both a local username and a remotely-authenticated username?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The user haven't a local username and a remotely authenticated.

    With AD integration, the UTM create itself a local user account with the same name of the user that have passed the AD check. As description there is a text: 

    Remotely authenticated [User data updated from backend automatically]
    Autogenerated

    The problem is that if i login on the user portal with "username" it create automatically one user named "username", with it's own OTP, but if i login with the "domain\username" syntax, the UTM create a second username, with it's separate certificate, and a new OTP.

    For establish the VPN connection there is still the need of the certificate, but i find quite strange this behaviour.

Reply Children
  • I don't think I've heard of this before, Enrico...  It would be interesting to know what Sophos Support says about your discovery.  Please let us know what the "trick" is to avoid this.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I think that this is a major flaw.

    Imagine this scenario:

    Configuration: AD backend with OTP - plus the certificate for the SSL connection (in theory, the maximum in therms of security)

    The first time that an user log on the user portal, can access with simple AD user/pass. Sophos create the certificate and OTP code. Once configured OTP, i can log on the user portal and download the certificate.

    From now, the user can connect to the network with certificate + user/pass + OTP.

    One day, the user/pass of the user is compromised, someone else try to log on the user portal with the same username/pass, but including the domain (the domain, on most cases, can be easily found with some tries).

    At this time, a new certificate is issued, and a new OTP code is generated. So someone else can access to the user portal and download it's certificate, and create a new OTP code, allowing access to the network.

    How i can inform the tech support about this issue?

  • You can open a ticket at https://support.sophos.com/.  If it's your first LOGIN to the Support system, you will need to create a Sophos ID.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA