Overview

On November 25, 2014, Collective Software identified an issue with some LDAP clients where a valid 2-factor authentication could impersonate a different user account on the LDAP client.

To eliminate any potential for users authenticating as other users, please check whether your configuration is affected, and deploy the new build.

Affected AuthLite Versions

  • AuthLite version 1.x: not affected. You don't need to do anything, apart from making sure you have already updated for the older Advisory #1.
  • AuthLite version 2.0.1-2.0.56: potentially affected; see below for configuration details.

Affected Configurations

If your configuration matches the following points, then it may be possible for a valid 2-factor authenticated user to impersonate other users, and AuthLite should be updated.

  1. You have one or more third-party (non-Microsoft) services or appliances that act as LDAP clients in order to authenticate Active Directory users.
  2. You require 2-factor AuthLite authentication for at least some users on those LDAP-enabled systems.
  3. The LDAP-enabled systems use "simple bind" instead of "Negotiate".  You may not be able to easily determine whether this is the case, so it's best to just upgrade if #1 and #2 are true.
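One defender-side way to get a handle on point 3, as an added example that is not part of this advisory or of AuthLite's own tooling: Windows domain controllers can log Directory Service event 2889 for each LDAP bind that is either an unsigned SASL bind or a simple bind over cleartext LDAP, once the "16 LDAP Interface Events" diagnostic level is raised to 2. The script below turns that logging on and lists the client addresses that performed simple binds, grouped with the identities they bound as. Assumptions: it runs as an administrator on each DC, the event text carries the "Client IP address", "Identity the client attempted to authenticate as" and "Binding Type" fields in the form matched by the regular expressions, and simple binds made over LDAPS are not reported by event 2889, so those clients still have to be reviewed by hand.

```powershell
# Added example (not from the advisory): find LDAP clients that simple-bind to this DC.
# Relies on Directory Service event 2889, emitted when the NTDS diagnostic value
# "16 LDAP Interface Events" is 2. Only cleartext simple binds (and unsigned SASL
# binds) are logged; simple binds over LDAPS do not appear here (assumption noted above).

$DiagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$DiagValue = '16 LDAP Interface Events'

function Enable-LdapBindLogging {
    # Level 2 makes the DC write one 2889 event per unsigned or cleartext-simple bind.
    Set-ItemProperty -Path $DiagKey -Name $DiagValue -Value 2 -Type DWord
}

function Get-SimpleBindClients {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889; StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Field layout of the event text is assumed: client address, the identity the
        # client bound as, and Binding Type (1 = simple bind over cleartext, 0 = SASL
        # bind without signing). Only the simple binds matter for this advisory.
        $ip   = [regex]::Match($e.Message, 'Client IP address:\s*([^\r\n]+)').Groups[1].Value
        $who  = [regex]::Match($e.Message, 'authenticate as:\s*([^\r\n]+)').Groups[1].Value
        $type = [regex]::Match($e.Message, 'Binding Type:\s*(\d)').Groups[1].Value
        if ($type -eq '1') {
            [pscustomobject]@{ Time = $e.TimeCreated; Client = $ip; Identity = $who }
        }
    }
}

# One row per client system, with the identities it has bound as. Any third-party
# appliance or service in this list meets point 3 and the DCs should be updated.
Enable-LdapBindLogging
Get-SimpleBindClients -Hours 24 |
    Group-Object Client |
    Select-Object @{n='Client'; e={ $_.Name }}, Count,
                  @{n='Identities'; e={ ($_.Group.Identity | Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize
```

Leave the logging level at 2 for at least one full business day before reading the events, since clients that bind only occasionally will otherwise be missed.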

What Should I Do?

You can eliminate this issue by performing the following action:

Install an updated AuthLite version

  • Upgrade your DCs to v2.0.57 or later from AuthLite.com
  • You must reboot the DCs for the modification to become active.  Prior to rebooting, the systems will still be running the old version of the software in memory.

Common Questions and Answers

What is my exposure? Could this issue allow outside users into my systems?

No, this issue cannot grant any access to external malicious users.  Only a valid AuthLite user in your domain who logs in with their correct OTP token and correct password could potentially impersonate a different user account than their real one.  Whether this incorrect impersonation occurs also depends on the implementation of the LDAP client software in the third-party service/appliance.

Should I upgrade from v1.x to version 2?

No, you do not need to do this.  Version 2 is a much more complex product and a proper upgrade requires a substantial amount of planning, configuration, and testing.  We offer professional services just to help with this.  In short, it's not something to be undertaken lightly.

Where do I have to install the update?

Install the updated software on all Domain Controllers that currently have AuthLite installed.

I need help with this, what should I do?

If you require further details, or assistance with installing the update, please open a Support Request from our Support page and reference Upgrade Advisory #3.