By: Alexandre Zia Account Admin 08 Oct 2020 at 8:40 a.m. CDT

12 Responses
We have a user that is unable to log in through Super Gluu. Looking at the logs, oxAuth is not getting it as a getAvailMethodsUser. Looking at LDAP, it has the attribute "oxStatus" set as "compromised". What does that mean? What are the conditions under which oxAuth sets a FIDO device as compromised? Thanks in advance.

By Alexandre Zia Account Admin 08 Oct 2020 at 9:25 a.m. CDT

I was taking a look at the oxAuth source code, and it seems like there's a counter, oxCounter, to limit the maximum number of authentications. Some of my users that registered 5 months ago have this oxCounter value too high: 2147483647, and they have oxStatus: compromised. Does this smell like some sort of bug? It's impossible that they have authenticated that many times ...

By Alexandre Zia Account Admin 08 Oct 2020 at 9:26 a.m. CDT

Sorry, I clicked on the "Post and Close" button, but it was not my intention to close this ticket. Can you please re-open?

By Domagoj Dom user 09 Oct 2020 at 3:34 a.m. CDT

+1 for this, we have the same issue. Gluu version 4.1. We have an update: it seems that it is related only to iPhones. Maybe the latest iOS app upgrade?

By Alexandre Zia Account Admin 09 Oct 2020 at 6:04 a.m. CDT

Domagoj Dom is right, I was checking here and only iPhones are having this issue. The bad thing is that the number of affected devices is increasing fast ...

By Dzouato Djeumen Rolain Bonaventure staff 09 Oct 2020 at 8:44 a.m. CDT

Hello Alexandre, Let me take a look into the issue. Thanks for your patience.

By Guilherme Capilé Account Admin 12 Oct 2020 at 11:19 a.m. CDT

We're having the same case here, with Gluu Server 3.1.6 on CentOS 7. So far only iPhone users have reported this issue. Any recommendations?

By Alexandre Zia Account Admin 13 Oct 2020 at 2:14 p.m. CDT

We've created a script, run every 5 minutes, to revert the devices marked as compromised. Only iPhones, no matter which iOS version. This is something that started happening recently; we think it must be a recent Super Gluu for iOS update. Super Gluu for iOS was updated on Oct 6: https://apps.apple.com/us/app/super-gluu/id1093479646

```
3.2.8
Oct 6, 2020
This version fixes a bug that could cause authentication attempts to be rejected.
```
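
Added example, not part of the thread or of Gluu's code: a read-only triage pass over an LDIF export of FIDO device entries that separates devices marked compromised with oxCounter at 2147483647 (the pattern reported above) from other compromised devices, so that only the former are candidates for any revert. The DNs and values in the sample are constructed; only the attribute names oxStatus and oxCounter come from the thread.

```python
INT32_MAX = 2**31 - 1  # 2147483647, the oxCounter value reported in this thread
# Constructed sample export; DNs and values are made up for illustration.
SAMPLE_LDIF = """\
dn: oxId=dev-001,ou=fido,inum=user-a,ou=people,o=gluu
oxStatus: compromised
oxCounter: 2147483647

dn: oxId=dev-002,ou=fido,inum=user-b,ou=people,o=gluu
oxStatus: active
oxCounter: 41

dn: oxId=dev-003-with-a-long-identifier,ou=fido,inum=user-c,ou=peo
 ple,o=gluu
oxStatus: compromised
oxCounter: 17
"""

def parse_ldif(text):
    """Yield one dict per LDIF entry, unfolding continuation lines."""
    entry, last = {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:       # folded line: append to previous value
            entry[last] += raw[1:]
        elif not raw.strip():                  # blank line ends the current entry
            if entry:
                yield entry
            entry, last = {}, None
        elif not raw.startswith("#") and ":" in raw:
            key, _, value = raw.partition(":")
            last = key.strip().lower()         # attribute names are case-insensitive
            entry[last] = value.strip()

def triage(text):
    """Return (saturated, other): compromised devices split by counter value."""
    saturated, other = [], []
    for e in parse_ldif(text):
        if e.get("oxstatus", "").lower() != "compromised":
            continue
        try:
            counter = int(e.get("oxcounter", ""))
        except ValueError:
            counter = None                     # missing or non-numeric counter
        (saturated if counter == INT32_MAX else other).append((e.get("dn"), counter))
    return saturated, other

if __name__ == "__main__":
    for label, rows in zip(("counter at INT32_MAX", "other compromised"), triage(SAMPLE_LDIF)):
        for dn, counter in rows:
            print(f"{label}: {dn} (oxCounter={counter})")
```

In U2F the signature counter exists so that a server can spot a cloned authenticator, so entries in the second list are worth investigating individually instead of being reverted in bulk.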

By Alexandre Zia Account Admin 14 Oct 2020 at 8:29 a.m. CDT

A few user agents of Super Gluu installs that got into the 'compromised' state:

```
Super Gluu/34.0.8 (iPhone; iOS 13.7; Scale/2.00)
Super Gluu/34.0.8 (iPhone; iOS 14.0; Scale/2.00)
Super Gluu/34.0.8 (iPhone; iOS 13.6.1; Scale/2.00)
Super Gluu/34.0.8 (iPhone; iOS 14.0.1; Scale/2.00)
Super Gluu/34.0.8 (iPhone; iOS 14.0.1; Scale/2.00)
Super Gluu/34.0.8 (iPhone; iOS 14.2; Scale/2.00)
```

By Dzouato Djeumen Rolain Bonaventure staff 14 Oct 2020 at 10:25 a.m. CDT

Hello all, It looks like fixes for this issue are to be found in Gluu Server version 4.2.1 onwards, so the recommendation we can give you for now is to upgrade to the latest version. Thanks for your patience.

By Alexandre Zia Account Admin 14 Oct 2020 at 12:20 p.m. CDT

Hi Dzouato Djeumen Rolain Bonaventure, Thanks for the update. We have a huge setup in production, with several GUI customisations; unfortunately it's not that fast for us to upgrade right now. Can you please indicate the commits that fix the issues so we can try to backport them here? Thanks in advance, Zia

By Dzouato Djeumen Rolain Bonaventure staff 14 Oct 2020 at 12:45 p.m. CDT

Hello Alexandre, Here are the commits:

https://github.com/GluuFederation/oxAuth/commit/fe9b60b19e1404ae82b60dd3465a7e3afd702817
https://github.com/GluuFederation/oxAuth/commit/5c214fbd929c551730d27a130ae07a86e4166ae4

Hope it helps, Rolain

By Alexandre Zia Account Admin 14 Oct 2020 at 12:47 p.m. CDT

Thanks a lot, will give it a try. Regards