[CA6250] Bypassing of two-factor authentication fixed

ESET Customer Advisory 2016-0016
October 18, 2016

Severity: Critical

Summary

ESET discovered an issue in ESET Secure Authentication that allowed two-factor authentication to be bypassed in a certain scenario. ESET prepared a fixed build and released it for affected users to download.

Customer Advisory

Details

On October 14, 2016, ESET internally identified a bug, and shortly afterwards we were independently notified of it by a tester. The bug allowed bypassing the second step (the one-time password) of two-factor authentication in a Remote Desktop Protocol connection when using ESET Secure Authentication 2.5.22.0. ESET promptly diagnosed the behavior and prepared a fixed build, ESET Secure Authentication 2.5.23.0, which was published on October 18, 2016.

Solution

The fixed build, ESET Secure Authentication 2.5.23.0, is available for download from ESET’s website. We recommend updating to this version.

Affected products and versions

  • ESET Secure Authentication RDP component 2.5.22.0

Feedback & Support

If you have feedback or questions about this issue, please contact us using the ESET Security Forum, or via local ESET Support.

Version log

Version 1.0 (October 18, 2016): Initial version of this document