VYPR
Unrated severity · NVD Advisory · Published Oct 9, 2024 · Updated Oct 10, 2024

CVE-2024-48942


Description

CVE-2024-48942: A TOTP time window default of 30 and disabled brute-force detection in Secure Login (2FA) ≤3.1.4.5 for Jira/Confluence/Bitbucket lets attackers brute-force the 2FA PIN.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket through version 3.1.4.5 contains a default configuration weakness. In the plugin's default settings, the Time Window Size is set to 30, meaning the last 30 and the next 30 time-based one-time password (TOTP) tokens are considered valid. With the default time step of 30 seconds, this extends the validity window of any one token to 15 minutes. Additionally, brute-force detection is disabled by default. The vulnerability is exposed via the endpoint plugins/servlet/twofactor/public/pinvalidation. [1]

Exploitation

An attacker with network access to the affected Atlassian instance can brute-force the 2FA PIN by sending repeated requests to the /plugins/servlet/twofactor/public/pinvalidation endpoint. Because of the large sliding window of 60 valid tokens (30 past, 30 future) and the lack of brute-force throttling, the attacker can efficiently enumerate possible PINs for a known username and password. [1]

Impact

Successful brute-force of the PIN allows the attacker to bypass the second-factor authentication entirely. This results in unauthorized access to the Jira, Confluence, or Bitbucket instance, potentially leading to disclosure of sensitive data, modification of content, or further compromise of the instance. The attacker achieves the access privileges of the victim user. [1]

Mitigation

As of the advisory date (2024-09-16), no fixed version has been released. The vendor (Syracom) has announced that a fix is to be determined. A workaround is to change the default configuration by reducing the Time Window Size to a smaller value (e.g., 1) and enabling brute-force detection in the plugin settings. Until a patch is available, administrators should adjust these settings to limit the effective token validity window and lock out attackers after repeated failed attempts. [1]
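To make the configuration weakness concrete, the following added example (not code from the advisory, the vendor, or the plugin) models a TOTP PIN check with the two settings the advisory names. It assumes the PIN is a standard 6-digit RFC 6238 TOTP (HMAC-SHA1, 30-second step) and that "Time Window Size" counts steps on each side of the current one, as the description states; the lockout threshold (5 failures) and lockout duration (300 s) are assumed values for the demo, not the plugin's. It shows how many distinct codes the server accepts at any instant under the default window versus a window of 1, and how the brute-force detection setting changes what happens after repeated failures.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per TOTP step (RFC 6238 default; matches the plugin default)
DIGITS = 6      # PIN length (assumed)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the Unix-time step counter."""
    return hotp(secret, at // step)


def accepted_code_count(window_size: int) -> int:
    """Codes accepted at one instant: current step plus window_size steps on each side."""
    return 2 * window_size + 1


def window_span_seconds(window_size: int, step: int = TIME_STEP) -> int:
    """How long a code stays accepted after its own step has passed (one side of the window)."""
    return window_size * step


def per_attempt_success_probability(window_size: int, digits: int = DIGITS) -> float:
    """Chance that one uniformly random guess is accepted (ignores rare code collisions)."""
    return accepted_code_count(window_size) / 10 ** digits


class TotpValidator:
    """Server-side PIN check with the two settings the advisory discusses."""

    def __init__(self, secret: bytes, window_size: int, brute_force_detection: bool,
                 max_failures: int = 5, lockout_seconds: int = 300, step: int = TIME_STEP):
        self.secret = secret
        self.window_size = window_size
        self.brute_force_detection = brute_force_detection
        self.max_failures = max_failures        # assumed demo value
        self.lockout_seconds = lockout_seconds  # assumed demo value
        self.step = step
        self.failures = 0
        self.locked_until = 0

    def valid_codes(self, now: int) -> set:
        counter = now // self.step
        return {hotp(self.secret, counter + d)
                for d in range(-self.window_size, self.window_size + 1)}

    def is_locked(self, now: int) -> bool:
        return now < self.locked_until

    def validate(self, code: str, now: int) -> bool:
        if self.is_locked(now):
            return False
        if self.failures >= self.max_failures:
            self.failures = 0  # a previous lockout has expired; start counting afresh
        # Constant-time comparison against every accepted code in the window.
        if any(hmac.compare_digest(code, c) for c in self.valid_codes(now)):
            self.failures = 0
            return True
        self.failures += 1
        if self.brute_force_detection and self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
        return False


def a_rejected_code(validator: TotpValidator, now: int) -> str:
    """Pick a code outside the accepted set, so the demo's failures are deterministic."""
    accepted = validator.valid_codes(now)
    return next(f"{i:0{DIGITS}d}" for i in range(10 ** DIGITS)
                if f"{i:0{DIGITS}d}" not in accepted)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret, used as a constructed sample
    now = 1111111109                  # RFC 6238 test-vector timestamp
    for label, window, detect in (("default", 30, False), ("hardened", 1, True)):
        v = TotpValidator(secret, window, detect)
        print(f"{label}: accepts {accepted_code_count(window)} codes at once, "
              f"each valid {window_span_seconds(window)} s past its step, "
              f"p(guess)={per_attempt_success_probability(window):.1e}")
        wrong = a_rejected_code(v, now)
        for _ in range(5):
            v.validate(wrong, now)
        print(f"  after 5 failures locked={v.is_locked(now)}, "
              f"correct code accepted={v.validate(totp(secret, now), now)}")
```

With the default settings the validator accepts 61 distinct codes at any moment and never locks out, so a wrong guess costs the attacker nothing; with a window of 1 and detection enabled it accepts 3 codes and refuses further attempts after the threshold, which is exactly what the workaround above changes.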

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0

No linked articles in our index yet.