Odd 2FA Security Issue With The USG40
Hi,
I have a USG40 with latest firmware.
I have just set it up as a VPN server using IKEv2 using the below guide
https://support.zyxel.eu/hc/en-us/articles/360001227780-Next-Gen-USG-IKEv2-VPN-Client-to-Site-
I am using the built in VPN client in Windows 10 Pro
All is working fine, but I wanted to add 2FA to the VPN logins.
I have done so and again all works fine: the VPN client connects, but you can't ping anything behind the USG40 until you have clicked the Authorization email sent from the USG40.
Again all works fine.
But I noticed (and I thought at first I was seeing things and had clicked the Authorization email by accident) that sometimes, if left without clicking the 2FA email, it would start pinging the LAN behind the USG40.
This is very random, but I would say about 1 in 5 connections, if left waiting, eventually give access to the LAN without acknowledging the 2FA email.
Is this something I have done wrong or is it a flaw?
Any thoughts, and many thanks.
All Replies
Not sure why the link did not show, but it's here:
https://support.zyxel.eu/hc/en-us/articles/360001227780-Next-Gen-USG-IKEv2-VPN-Client-to-Site-
0
I would guess that maybe the former session(s) get cached and, since it's the same client/machine, the credentials are still valid? Or the 2FA has a general grace period per user/machine?
Are the links you receive maybe even the same?
I would try logging in, clicking the 2FA, logging out immediately, logging in again, and comparing the links.
Next I would try different clients and see if the 2FA can be skipped with those too.
If it just applies to the same client, the real-world implications would exist, but the chances of exploiting this are very slim.
1
Hi @JCE,
Can you test again and check if the IP shows up in twofa-ipsec-ip? It should be listed in twofa-ipsec-ip before clicking the authorization email.
Once you click the authorization email, it will be delisted from twofa-ipsec-ip. Here are the steps:
- Connect the VPN client.
- Type the CLI command "debug system ipset" to check if the VPN client's IP address is listed in twofa-ipsec-ip.
e.g.
Name: twofa-ipsec-ip
Type: hash:ip
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16496
References: 2
Members:
X.X.X.X <= You should be able to see the IP address in the member list before clicking the authorization email
1
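To make the check above repeatable (capture the "debug system ipset" output once while the tunnel is up and before the email is clicked, once after, and compare), here is a small parser for the ipset listing format shown in the reply. This is an added example, not Zyxel code: the set name twofa-ipsec-ip and the field layout come from the reply above, while the sample output and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders. If a client can reach the LAN while its address is still missing from the set, that is the symptom described in the original post and worth capturing as evidence.

```python
"""Parse ipset-style output (the layout shown in the reply above) and check
whether a VPN client's address is still held in twofa-ipsec-ip, i.e. still
waiting for the 2FA authorization email to be clicked.

Added example, not Zyxel code. SAMPLE_* outputs and all addresses are
constructed; only the set name and the field names come from the reply.
"""
import ipaddress
import re

# Constructed sample of what the listing might look like for two sets while
# two clients are still waiting for their authorization email.
SAMPLE_BEFORE_CLICK = """\
Name: twofa-ipsec-ip
Type: hash:ip
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16496
References: 2
Members:
203.0.113.10
203.0.113.25

Name: some-other-set
Type: hash:ip
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16400
References: 1
Members:
198.51.100.7
"""

# Constructed sample: the same listing after 203.0.113.10 clicked its email.
SAMPLE_AFTER_CLICK = SAMPLE_BEFORE_CLICK.replace("203.0.113.10\n", "")


def parse_ipset_output(text):
    """Return {set_name: {member addresses}} from ipset list output.

    Header fields (Type, Revision, ...) are skipped; every non-empty line after
    'Members:' up to the next 'Name:' is treated as one member entry.
    """
    sets = {}
    current = None
    in_members = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Name:\s*(\S+)$", line)
        if m:
            current = m.group(1)
            sets[current] = set()
            in_members = False
            continue
        if line.startswith("Members:"):
            in_members = True
            continue
        if in_members and current is not None:
            # Keep only the address token; ignore any trailing annotation such
            # as the "<=" remark in the reply above.
            token = line.split()[0]
            try:
                sets[current].add(str(ipaddress.ip_address(token)))
            except ValueError:
                pass  # not an address: skip the entry rather than fail
    return sets


def is_pending_2fa(text, client_ip, set_name="twofa-ipsec-ip"):
    """True if client_ip is still listed in the 2FA holding set."""
    members = parse_ipset_output(text).get(set_name, set())
    return str(ipaddress.ip_address(client_ip)) in members


def verify_2fa_transition(before_text, after_text, client_ip):
    """Check the expected sequence for one client: listed before the email is
    clicked, delisted afterwards. Returns a short verdict string."""
    before = is_pending_2fa(before_text, client_ip)
    after = is_pending_2fa(after_text, client_ip)
    if before and not after:
        return "ok"
    if not before:
        return "not-listed-before"  # client was never held by the 2FA set
    return "still-listed"           # email clicked but hold not released


if __name__ == "__main__":
    print(verify_2fa_transition(SAMPLE_BEFORE_CLICK, SAMPLE_AFTER_CLICK, "203.0.113.10"))
    print(is_pending_2fa(SAMPLE_BEFORE_CLICK, "203.0.113.25"))
```

Run it against two saved captures of the real CLI output (before and after clicking the email) with the client's assigned VPN address; "not-listed-before" for a client whose tunnel is up is the case to report, since the address should sit in the set until the email is acknowledged.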
Thank you, I will set the system up again and try the above suggestions. Many thanks.
0