CVE-2024-45394 HIGH

CVE-2024-45394: Secret encryption vulnerable to brute-force attacks

Vendor Authenticator-Extension
Product Authenticator
Weakness CWE-261
Published September 3, 2024
Last update October 9, 2024

CVSS base score

8.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Authenticator is a browser extension that generates two-step verification codes. In versions 7.0.0 and below, encryption keys for user data were stored encrypted at-rest using only AES-256 and the EVP_BytesToKey KDF. Therefore, attackers with a copy of a user's data are able to brute-force the user's encryption key. Users on version 8.0.0 and above are automatically migrated away from the weak encoding on first login. Users should destroy encrypted backups made with versions prior to 8.0.0.

Key dates

02Disclosure timeline

September 3, 2024 CVE published
October 9, 2024 Record updated