Odd 2FA Security Issue With The USG40

Options
JCE
JCE Posts: 16
First Anniversary Friend Collector First Comment

Hi,

I have a USG40 with latest firmware.

I have just set it up as a VPN server using IKEv2 using the below guide

https://support.zyxel.eu/hc/en-us/articles/360001227780-Next-Gen-USG-IKEv2-VPN-Client-to-Site-

I am using the built in VPN client in Windows 10 Pro

All is working fine but I wanted to add 2fa to the VPN logins.

I have done so and again all works fine the vpn client connects but you cant ping anything behind the USG40 until you have clicked the Authorization email sent from the USG40

Again all works fine.

But I noticed (and i thought at first i was seeing things and had clicked the Authorization email by accident) sometimes if left without clicking the 2FA email it would start pinging the lan behing the USG 40.

This is very random but I would say about 1 in 5 connections if left waiting eventually give access to the Lan without acknowledging the 2FA email.

Is this something I have done wrong or is it a flaw ?

Any thoughts and many thanks

All Replies

  • JCE
    JCE Posts: 16
    First Anniversary Friend Collector First Comment
    edited March 2023
    Options

    Not sure why link did not show but its here

    https://support.zyxel.eu/hc/en-us/articles/360001227780-Next-Gen-USG-IKEv2-VPN-Client-to-Site-

  • StefanZ
    StefanZ Posts: 192  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    I would guess, that maybe the former session/s get cached and since it's the same client/machine the credentials are still valid? Or the 2FA has a general grace period per user/machine?

    Are the links you receive maybe even the same?

    I would try logging in, clicking the 2FA, logging out immediately, logging in, compare the links.

    Next I would try different clients and see if the 2FA can be skipped with those too.

    If it just applies to the same client, the real world implications would exist, but the chances of exploiting this are very slim.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,462  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @JCE,

    Can you test again and check if the IP shows up in twofa-ipsec-ip? It should be listed in twofa-ipsec-ip before clicking the authorization email.
    Once you click the authorization email, it will be delisted from twofa-ipsec-ip.

    Here are the steps:

    1. Connect the VPN client.
    2. Type the CLI command "debug system ipset" to check if the VPN client's IP address is listed in twofa-ipsec-ip."

    e.g.
    Name: twofa-ipsec-ip
    Type: hash:ip
    Revision: 3
    Header: family inet hashsize 1024 maxelem 65536
    Size in memory: 16496
    References: 2
    Members:
    X.X.X.X <= You should be able to see the IP address in the member list before clicking the authorization email

  • JCE
    JCE Posts: 16
    First Anniversary Friend Collector First Comment
    Options

    Thank you will set the system up again and try the above suggestions. Many thanks

Security Highlight