Advisory: 2020-04 An attacker can bypass two-factor authentication

Issue:

An attacker who has obtained a user name and password can modify the user's phone number to bypass two-factor authentication (2FA), because the one-time code is sent to whatever number is currently on file. An attacker who has also obtained the user's original phone number can restore it afterwards so that the user does not realize the account has been accessed without authorization.

Solution:

Beginning in FileCloud 20.1, by default, FileCloud only allows a user to set their phone number once. Once the phone number has been added, the user must contact their admin to change it. This prevents an attacker who has obtained a user name and password from modifying the user's phone number to bypass 2FA, and it prevents an attacker who has also obtained the original phone number from restoring it to hide the intrusion.

To allow a user to set their phone number only once, the following setting appears by default in the config file:

define("TONIDOCLOUD_ENABLE_USER_SET2FASMS", 1);
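The following is an added example (not FileCloud code) of the policy the setting above describes, written in Python so it can be run and checked: the pre-fix behaviour (an authenticated user may overwrite the 2FA phone number at any time) beside the hardened behaviour (a non-admin may only fill in an empty number; later changes require an admin). The User class, the set_2fa_phone function, the allow_user_reset flag, the per-user change history and the sample phone numbers are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample data, not taken from the advisory.
VICTIM_PHONE = "+15550100"
ATTACKER_PHONE = "+15550199"


@dataclass
class User:
    name: str
    role: str = "user"           # "user" or "admin"
    phone: Optional[str] = None  # 2FA SMS destination; None until enrolled
    # (actor, old number, new number) for every accepted change (assumed
    # audit record; the advisory does not say how FileCloud logs this)
    history: List[Tuple[str, Optional[str], str]] = field(default_factory=list)


class PhoneChangeNotAllowed(Exception):
    """Raised when the policy forbids the requested phone-number change."""


def set_2fa_phone(actor: User, target: User, new_phone: str,
                  allow_user_reset: bool) -> None:
    """Change target's 2FA phone number on behalf of actor.

    allow_user_reset=True  models the pre-fix behaviour: the account owner
                           (or anyone holding the owner's password) may
                           overwrite the number at any time.
    allow_user_reset=False models the hardened behaviour: a non-admin may
                           only fill in an empty number; later changes must
                           go through an admin.
    """
    is_admin = actor.role == "admin"
    if actor is not target and not is_admin:
        raise PhoneChangeNotAllowed("only the account owner or an admin may change it")
    if target.phone is not None and not is_admin and not allow_user_reset:
        raise PhoneChangeNotAllowed("phone number already set; contact an admin")
    target.history.append((actor.name, target.phone, new_phone))
    target.phone = new_phone


def sms_destination(user: User) -> Optional[str]:
    """Where the second-factor code would be sent for this login."""
    return user.phone


def simulate_takeover(allow_user_reset: bool) -> dict:
    """Attacker holding the victim's password tries the change-and-restore trick.

    The attacker is logged in as the victim, so every call is made with the
    victim account as the actor; only the policy differs between runs.
    """
    victim = User("alice")
    set_2fa_phone(victim, victim, VICTIM_PHONE, allow_user_reset)  # enrolment

    bypassed = False
    try:
        # Step 1: point the second factor at the attacker's phone.
        set_2fa_phone(victim, victim, ATTACKER_PHONE, allow_user_reset)
        bypassed = sms_destination(victim) == ATTACKER_PHONE
        # Step 2: put the original number back to hide the intrusion.
        set_2fa_phone(victim, victim, VICTIM_PHONE, allow_user_reset)
    except PhoneChangeNotAllowed:
        pass  # hardened policy: the first overwrite is refused

    return {
        "bypassed": bypassed,
        "phone_after": victim.phone,
        "changes_recorded": len(victim.history),
    }


def admin_reset(new_phone: str) -> Optional[str]:
    """Under the hardened policy an admin can still change an enrolled number."""
    admin = User("root", role="admin")
    bob = User("bob", phone="+15550111")
    set_2fa_phone(admin, bob, new_phone, allow_user_reset=False)
    return bob.phone


if __name__ == "__main__":
    print("pre-fix: ", simulate_takeover(allow_user_reset=True))
    print("hardened:", simulate_takeover(allow_user_reset=False))
```

With the pre-fix policy the simulation reports the bypass succeeding and the number ending up back at the victim's original value, which is exactly the silent change-and-restore the advisory warns about; with the hardened policy the first overwrite is refused and the enrolled number never changes. Note that the check is enforced on the server side at the point of change, not in the UI, since an attacker with the password can call the same endpoint the UI uses.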

In addition, to prevent an attacker from gaining access with another user's token, the system now clears any invalid token it encounters and requires the user to sign in again.

If you are using a FileCloud on-premises installation, please update to the latest version.

If you are using FileCloud online, your site has already been updated to the latest version.