Lack of multi-factor authentication

Description

Critical services of the system, such as databases, shared resources containing sensitive information and web services, are not protected by a multi-factor authentication mechanism. This makes it easier for an attacker who has compromised a user's account to access those resources.

Impact

Multi-factor authentication is flawed to the point where it can be bypassed entirely.

Recommendation

Implement two-factor authentication, software- or hardware-based, to raise the protection level of authentication to these resources.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: H
  • Integrity: L
  • Availability: L

Temporal

  • Exploit code maturity: X
  • Remediation level: O
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L/E:X/RL:O/RC:X
  • Score:
    • Base: 7.6
    • Temporal: 7.3
  • Severity:
    • Base: High
    • Temporal: High

Code Examples

Compliant code

All resources should be set up to allow multi-factor authentication.

resource "aws_s3_bucket" "bucket" {
  bucket = "some_test_bucket"
  acl    = "private"
  versioning {
    enabled    = true
    mfa_delete = true
  }
}

Non compliant code

Some resources do not allow multi-factor authentication.

resource "aws_s3_bucket" "bucket" {
  bucket = "some_test_bucket"
  acl    = "private"
  versioning {
    enabled    = false
    mfa_delete = true
  }
}
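The two Terraform blocks above differ only in the versioning "enabled" flag, and in S3 the MFA delete setting only takes effect on a bucket whose versioning is enabled. The following added example (not code from this page or from any scanner) shows a small detection check that reads Terraform text in the shape shown above and flags every aws_s3_bucket that lacks a versioning block, has versioning disabled, or does not set mfa_delete to true. The sample configuration, the resource names and the brace-matching mini-parser are all constructed here; the parser handles only the simple block shape on this page, not full HCL.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the page's compliant and non-compliant blocks plus a
# bucket with no versioning block at all. Resource names are made up.
SAMPLE_TF = '''
resource "aws_s3_bucket" "bucket_ok" {
  bucket = "some_test_bucket"
  acl    = "private"
  versioning {
    enabled    = true
    mfa_delete = true
  }
}

resource "aws_s3_bucket" "bucket_bad" {
  bucket = "other_test_bucket"
  acl    = "private"
  versioning {
    enabled    = false
    mfa_delete = true
  }
}

resource "aws_s3_bucket" "bucket_no_versioning" {
  bucket = "third_test_bucket"
  acl    = "private"
}
'''


@dataclass
class Finding:
    resource: str
    reason: str


# Matches the opening line of an aws_s3_bucket resource; the final "{" is the
# brace whose body we extract with _block_body().
RESOURCE_RE = re.compile(r'resource\s+"aws_s3_bucket"\s+"([^"]+)"\s*\{')


def _block_body(text: str, open_idx: int) -> str:
    """Return the text between the "{" at open_idx and its matching "}"."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in configuration")


def _bool_attr(body: str, name: str) -> Optional[bool]:
    """Read a `name = true|false` attribute; None when it is absent."""
    m = re.search(rf'\b{name}\s*=\s*(true|false)\b', body)
    return None if m is None else m.group(1) == "true"


def find_buckets_without_mfa_delete(hcl: str) -> List[Finding]:
    """Flag every aws_s3_bucket whose versioning does not enforce MFA delete."""
    findings: List[Finding] = []
    for m in RESOURCE_RE.finditer(hcl):
        name = m.group(1)
        body = _block_body(hcl, m.end() - 1)
        v = re.search(r'\bversioning\s*\{', body)
        if v is None:
            findings.append(Finding(name, "no versioning block; MFA delete cannot be enforced"))
            continue
        vbody = _block_body(body, v.end() - 1)
        enabled = _bool_attr(vbody, "enabled")
        mfa_delete = _bool_attr(vbody, "mfa_delete")
        if enabled is not True:
            # MFA delete is a versioning feature: with versioning off it is inert.
            findings.append(Finding(name, "versioning is not enabled, so mfa_delete has no effect"))
        elif mfa_delete is not True:
            findings.append(Finding(name, "mfa_delete is not set to true"))
    return findings


if __name__ == "__main__":
    for f in find_buckets_without_mfa_delete(SAMPLE_TF):
        print(f"{f.resource}: {f.reason}")
```

Running it reports bucket_bad (versioning disabled) and bucket_no_versioning, and passes bucket_ok. For a real code base, feed the same logic a proper HCL parser's output rather than this regex-based walk, and remember that applying mfa_delete = true on the AWS side requires the account's MFA device when the change is made.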

Requirements