Lack of multi-factor authentication

Description

Critical services of the system, such as databases, shared resources containing sensitive information and web services, are not protected by a multi-factor authentication mechanism. This makes it easier for an attacker who has compromised a user's account to access those resources.

Impact

Multi-factor authentication is flawed to the point where it can be bypassed entirely.

Recommendation

Implement a double factor authentication by software or hardware to increase the protection level of the resources authentication.

Threat

Authenticathed attacker from the Internet.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

• Attack vector: N
• Attack complexity: L
• Privileges required: L
• User interaction: N
• Scope: U
• Confidentiality: H
• Integrity: L
• Availability: L

Temporal

• Exploit code madurity: X
• Remediation level: O
• Report confidence: X

Result

• Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L/E:X/RL:O/RC:X
• Score:
  • Base: 7.6
  • Temporal: 7.3
• Severity:
  • Base: High
  • Temporal: High

Code Examples

Compliant code

All resources should be set up to allow multi-factor authentication

resource "aws_s3_bucket" "bucket" {
  bucket = "some_test_bucket"
  acl    = "private"
  versioning {
    enabled = true
    mfa_delete = true
  }
}

Non compliant code

Some resources do not allow multi-factor authentication

resource "aws_s3_bucket" "bucket" {
  bucket = "some_test_bucket"
  acl    = "private"
  versioning {
    enabled = false
    mfa_delete = true
  }
}

Requirements

• 229. Request access credentials
• 231. Implement a biometric verification component
• 264. Request authentication
• 319. Make authentication options equally secure
• 328. Request MFA for critical systems

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.