CVE-2020-26577: 2FA challenge/response is performed in a client-side application [FIXED]


Connection Suite 2.3x is a web application that makes use of Adobe Flash. The web application implements 2FA by using a numeric challenge/response. When logging into the application, the user is presented with a 2FA challenge ("Security code nr:") and has to respond with a 6 digit number. The challenge/response pairs are stored in the Flash application itself, making it easy for an attacker to look up the response. Also, the 2FA requirement can be completely skipped by altering a response from the server. Incorrect Access Control in the Adobe Flash client allows Escalation of Privileges.



Connection Suite version 3.0.0 and later no longer utilises Adobe Flash, and client-side 2FA is removed. Dualog Connection Suite 3.0 was released on December 8, 2020. See Connection Suite 3.0 release notes here.



This vulnerability was found by PenTestPartners (PTP) during a random security testing. 




Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request



Article is closed for comments.