Operational Defect Database

BugZero found this defect 311 days ago.

WatchGuard Technologies | kA16S000000gDS0SAM

Mobile VPN with SSL incorrectly sends an OTP prompt as a password when it authenticates users with AuthPoint

Last update date:

7/13/2023

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

12.x

12.7.x

Fixed releases:

All

Description:

Issue

In Fireware v12.7 and higher, the Mobile VPN with SSL client (Windows and macOS) might send a user's one-time password (OTP) prompt as the password when it authenticates the user to a Firebox configured to use the AuthPoint authentication server. Because the OTP prompt is not the user's password, authentication can fail. This issue occurs when a user re-authenticates after a disconnect and uses an AuthPoint policy that supports both the Password + Push and Password + OTP authentication types. The Mobile VPN with SSL client mistakenly treats the new connection as a continuation of the previous session and treats the OTP prompt as the user's password.

Workaround/Solution

If the Mobile VPN with SSL client fails to authenticate, close and reopen it. This forces the Mobile VPN with SSL client to treat the next authentication request as a new authentication. If this issue affects multiple users, you can limit the AuthPoint authentication policy to only Password + Push or only Password + OTP. If you have users who must use different multi-factor authentication (MFA) types to support hardware tokens, you can create two AuthPoint authentication policies based on user and group memberships.


Status

Open
