CVE-2022-36071 in SFTPGo
Summary
by MITRE • 09/02/2022
SFTPGo is a configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. The SFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes: a set of one-time-use codes that can be used instead of the TOTP. In SFTPGo versions 2.2.0 through 2.3.3, recovery codes can be generated before two-factor authentication is enabled. An attacker who knows the user's password could generate recovery codes and then bypass two-factor authentication after it is enabled on the account at a later time. This issue has been fixed in version 2.3.4: recovery codes can now only be generated after enabling two-factor authentication and are deleted when it is disabled.
Analysis
by VulDB Data Team • 09/02/2022
CVE-2022-36071 affects SFTPGo, a configurable secure file transfer server that provides SFTP, FTP/S, WebDAV and HTTP/S with optional two-factor authentication. The flaw resides in the WebAdmin and WebClient components, where users can configure TOTP (Time-based One Time Passwords) as a secondary authentication factor. To cover the case where a user loses access to the mobile device holding the TOTP secret, the system also provides recovery codes, a standard practice for preserving account access after device loss or damage. The vulnerability is a design flaw in the authentication flow: recovery codes could be generated too early in the account's authentication lifecycle, opening a window for unauthorized access.
The implementation flaw lies in the order of operations within the two-factor authentication setup process. The system allowed recovery codes to be generated before the user had actually enabled two-factor authentication. An attacker who has obtained a user's password can therefore generate recovery codes and later use them to bypass the two-factor authentication mechanism once the user enables it. The root cause is that the system did not validate the account's state between the password authentication phase and the recovery code generation phase. This represents a violation of the principle of least privilege and of proper authentication flow control, as it allows unauthorized code generation during an authentication sequence that should be strictly controlled.
The operational impact is significant because it undermines the security model of two-factor authentication within SFTPGo. An attacker who knows a user's password can generate recovery codes that will later let them bypass the TOTP requirement. The codes act as a persistent backdoor that remains valid even after the user enables two-factor authentication, nullifying the benefit of the secondary factor. All versions from 2.2.0 through 2.3.3 are affected, a substantial risk to organizations relying on SFTPGo for secure file transfers. The attack is particularly concerning because it requires only a valid password, so it is available to threat actors who have already gained initial access through credential stuffing, password reuse, or other initial compromise techniques.
The fix in version 2.3.4 enforces proper authentication state management: recovery codes can only be generated after two-factor authentication is enabled, and they are automatically deleted when it is disabled. This remediation follows security best practice and the principle of defense in depth, since recovery mechanisms are only available while the primary authentication system is actively protecting the account; it is an example of access control that enforces temporal and state-based restrictions on sensitive operations. The vulnerability maps to CWE-665 (Improper Initialization) in the Common Weakness Enumeration taxonomy, here in the context of authentication flow management. From an ATT&CK perspective it relates to T1566 (Phishing) and T1078 (Valid Accounts), as it lets attackers maintain access through compromised credentials and bypass secondary protections, a privilege escalation vector that could lead to persistent access within secure environments. The remediation restores proper session management and authentication state validation, preventing the creation of recovery codes during unauthorized phases of the authentication process and preserving the integrity of the two-factor authentication model.
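The ordering flaw described in the analysis and the 2.3.4 fix, modelled side by side as an added example (not SFTPGo's own code): a constructed Account type, a recovery-code generator whose enforceState flag switches between the pre-fix and fixed behaviour, and a lifecycle replay of the advisory's sequence. The type and function names and the sample codes are assumptions.

```go
package main

import "errors"

// Account is a constructed model of the SFTPGo user state this issue concerns.
type Account struct {
	TOTPEnabled   bool
	RecoveryCodes []string
}

// generateRecoveryCodes stores codes. enforceState=false models 2.2.0-2.3.3 (no check);
// enforceState=true models the 2.3.4 fix, which refuses until 2FA is enabled.
func generateRecoveryCodes(a *Account, codes []string, enforceState bool) error {
	if enforceState && !a.TOTPEnabled {
		return errors.New("recovery codes require two-factor authentication to be enabled")
	}
	a.RecoveryCodes = append([]string(nil), codes...)
	return nil
}

// setTOTP toggles 2FA; disabling it wipes recovery codes, as the fix does.
func setTOTP(a *Account, enabled bool) {
	a.TOTPEnabled = enabled
	if !enabled {
		a.RecoveryCodes = nil
	}
}

// redeemRecoveryCode accepts a code as the second factor and consumes it (one-time use).
func redeemRecoveryCode(a *Account, code string) bool {
	if !a.TOTPEnabled {
		return false
	}
	for i, c := range a.RecoveryCodes {
		if c == code {
			a.RecoveryCodes = append(a.RecoveryCodes[:i], a.RecoveryCodes[i+1:]...)
			return true
		}
	}
	return false
}

// lifecycle replays the advisory's sequence: codes requested while 2FA is off, 2FA enabled
// afterwards, then a stale code offered as second factor. True means the bypass worked.
func lifecycle(enforceState bool) bool {
	a := &Account{}
	_ = generateRecoveryCodes(a, []string{"code-1", "code-2"}, enforceState) // constructed codes
	setTOTP(a, true)
	return redeemRecoveryCode(a, "code-1")
}
```

The state check is the whole fix: without it, codes minted before enrolment survive into the protected state; with it, the stale-code path is closed and disabling 2FA leaves nothing behind.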