We have a Pulse that was running a version previous than 9.0R3.4, so it was affetected by several critical vulnerabilities like CVE-2019-11539 or CVE-2019-11510
We upgraded to 9.0R3.4 as soon as possible, however we are aware that during some days the attackers were able to access the devices, dump usernames and password (the primary authentication was through Active Directory), and they even hijacked live sessions.
But now, the system is patched, and we still see something shocking. At least for one user, the attackers are able to login with his AD credentials (that's normal, as they got them during the attack by using the vulnerabilities above), but also are able to login on the 2FA authentication, the Google Auth OTP... I can't understand why.
Is it possible that during that attack, the attackers were able to "dump" something from the Pulse, that allows them to generate 2FA codes whenever they want? how are those codes generated? e.g., if I have 3 Pulses connected to the same domain, the QR code generated will be the same once i login for first time in the 3 URLs? If i have the same username, like name.surname and i create an AD user and a pulse local user, the QR code will be the same?
Someone who can shed some light on this and help me to find out how can they authenticate on 2FA would be highly appreciated....
Thanks in advance
Please log this asap via our support team, who will be able to assess for you:
I have just open a case, but i don't hope that helps actually, my experience with Pulse support is really bad, it's even hard to explain the issue to the technicians, even a simple one. That's why I trust more on the Community.
The attackers have managed not only to capture some AD users credentials from the Pulses, but also to generate 2FA codes and use them... and we need to find out why. Not only because of us, but many hundreds of Pulse devices around the world may be facing exactly the same problem.
Google Autenticator is just an implementation of the RFC6238, which is a extension of RFC4226.
You can see an overview in Wikipedia: https://en.wikipedia.org/wiki/HMAC-based_One-time_Password_algorithm
Both OTPs, are based in a secret key, which is shared between both server and user. That secret it is in QRCode generated. The server must have those secrets somewhere, therefore, if obtained, someone with those secrets can generated the codes expeted by the server.
You should revoke all tokens, besides force users to change password.
I hope this short explanation helps you.
If i have understood it properly, the attacker might got the secret key for 2FA on Pulse´s side, so he can generate as many 2FA´s as he wants. Being so, what´s the point in revoke the tokens if they may generate them again if they have the "master" key?