VMware 2FA flaw can divulge that vital second credential to malicious actors

VMware has warned users a flaw in its VMware Verify two-factor authentication product could allow a malicious actor with a first-factor authentication credential to obtain a second factor from its VMware Verify product. CVE-2021-22057 is the rascal behind this issue and is rated 6.6/10. VMware Verify is part of the wider …

  1. Zenubi

    Bad Actors

    “The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors.”

    Whilst disturbing on a number of levels, I am not sure the likes of Jennifer Aniston or Jim Carrey are much of a threat.

    1. Clausewitz 4.0

      Re: Bad Actors

      If a skilled hacker can breach DHS for real, working for the gov/military, why would such a person participate in a "Hack DHS" program?

      1. stiine Silver badge

        Re: Bad Actors

        Why would someone who could hack DHS do it at DHS?

        1. Clausewitz 4.0

          Re: Bad Actors

          Sounds more like they are trying to recruit foreign assets to PREVENT that from happening in the near future.

          I know some folks who would do it with a smile on their faces.

    2. Bitsminer Silver badge

      Re: Bad Actors

      You forgot Nick "Cageware" Cage, Bill "Shatbot" Shatner, and APT 699, aka Steven Seagal.

  2. Version 1.0 Silver badge

    Effective and ineffective

    We keep being told that two-factor authentication is a required "upgrade" but while it makes life slightly harder for malicious attackers it does make the parties we work with far too confident that an attacker is the real person when they complete the authentication. Effectively two-factor authentication is a feature that has a few advantages but does not guarantee anything. So it often makes the attacks far more expensive for the two-factor authentication users.

    1. hayzoos

      Re: Effective and ineffective

      2FA is a broad category. As such, many claims can be made of merits and demerits. Using SMS for 2FA is only slightly better than just password authentication. Using a U2F hardware token is leaps and bounds better. Implementation of any 2FA is critical to its success or failure as well.

      False sense of security is always an issue when security things are overhyped.

      1. W.S.Gosset

        Re: Effective and ineffective

        > Using SMS for 2FA is only slightly better than just password authentication

        Substantially worse than, not slightly better. It creates a new and unprotectable attack surface: SIM swap.

        1. W.S.Gosset

          Re: Effective and ineffective

          Timing... An example of 2FA by SMS appeared this morning on my new-tab page's random news blurt:

          Hacker steals Sydney man's life savings after simjacking

          1. hayzoos

            Re: Effective and ineffective

            SIM swapping is not the only attack against SMS. You also have number hijacking and SS7 attacks.

            If only password authentication was being used, then no SIM swap would have been needed. But if an implementation of password reset by SMS is in effect, then it no longer is a second factor. Single factor authentication by SMS is worse than password authentication. This is a perfect implementation flaw example.

            In the story you linked, it does not have enough detail of the various services' I&A schemes. I cannot determine if the SMS was a true 2FA or used as a password reset mechanism.

            In the US, NIST had deprecated SMS as 2FA over a decade ago. But for some odd reason they added it back quietly in their recommendations for 2FA.

            I stand by my statement. As a true properly implemented 2FA, SMS is only slightly better than single factor password.

            I resist SMS 2FA as much as possible. I have a hardware token, but few service providers support 2FA, or support only SMS 2FA; some do support TOTP, but only about half a dozen I use support hardware token 2FA, out of nearly a thousand accounts I have.

  3. Anonymous Coward

    VMware

    First Log4j. Then UEM. Now 2FA. And it's not even Christmas yet.

    Perhaps they should rebrand as VMalware.

  4. Lorribot

    "some of whom were American citizens"

    That's a shame.

    "Upon installation the code exfiltrates the victim's contact database to an outside server and installs software that automatically signs users to premium services."

    That would be google then?
