CVE-2024-8796

Summary

Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.

Affected Software

VendorProductVersion RangeStatus
devise-two-factordevise-two-factor4.0.0 < 6.0.0affected
devise-two-factordevise-two-factor1.0.0affected

Weaknesses

  • CWE-331: CWE-331 Insufficient Entropy

Workarounds

If upgrading is not possible, you can override the default otp_secret_length attribute in the model when configuring two_factor_authenticable and set it to a value of at least 26 to ensure newly generated shared secrets are at least 128-bits long.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References