[Security:low] Registering a new 2FA device does not check the current authn level
Affected version
Version: 2.0.15
Summary
This issue can be reproduced in several ways; two representative cases follow.
Case 1
Given that:
- User has registered TOTP (authnLevel 5)
- LemonLDAP::NG also allows WebAuthn (authnLevel 5)
- LemonLDAP::NG uses sfOnlyUpgrade = 1, so the second factor is only requested on session upgrade, not at login
A hacker can:
- Log in with the stolen password alone (no 2FA challenge, so the session stays at the password level)
- Register their own WebAuthn device from that session
- Log in with that device at lvl5
Case 2
Given that:
- LLNG allows a weak 2FA by email (authnLevel 3)
- User has registered WebAuthn (authnLevel 5)
A hacker can:
- Log in with the stolen password + a stolen email code, obtaining a lvl3 session
- Register an additional WebAuthn device that they control
- Log in with the controlled WebAuthn device at lvl5
See also
#2332 (closed) for a similar issue
Possible fixes
Both cases share a root cause: a new 2FA device can be registered from a session at a low authnLevel, even when the account already has a higher-level 2FA device. Registration therefore lets anyone holding only the weaker factor mint a strong factor that they control.
I suggest that we extend the checks done in #2332 (closed) to also apply to registration and not just deletion.
However we need to allow registering a high-level 2FA device from a low-level session only if no high-level 2FA device already exists, to avoid a chicken-and-egg situation.
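The following is an added model of the registration rule proposed above and of the two attack paths in the summary; it is example code written for this issue, not LemonLDAP::NG code. The names (Account, current_policy, proposed_policy, attacker_level, case1, case2) and the password-only level of 2 are assumptions for the example; the levels 3 and 5 come from the issue text.

```python
from dataclasses import dataclass

# Authentication levels as used in the issue text. PASSWORD_LEVEL is an
# assumption for this example (the real value is configurable in LL::NG).
PASSWORD_LEVEL = 2
LEVELS = {"mail": 3, "totp": 5, "webauthn": 5}


@dataclass
class Account:
    # Registered second factors as (type, controller) pairs; "controller" is
    # whoever holds the secret or authenticator: "user" or "attacker".
    devices: list


def current_policy(session_level: int, account: Account, new_type: str) -> bool:
    """Behaviour reported in the issue: any logged-in session may enrol any device."""
    return True


def proposed_policy(session_level: int, account: Account, new_type: str) -> bool:
    """Rule from 'Possible fixes': a session may enrol a device of level L if
    its own level is already >= L, or if the account owns no device of level
    >= L yet (so a fresh account can still bootstrap its first strong factor)."""
    new_level = LEVELS[new_type]
    if session_level >= new_level:
        return True
    strongest_existing = max((LEVELS[t] for t, _ in account.devices), default=0)
    return strongest_existing < new_level


def attacker_level(account: Account, initial_level: int, policy) -> int:
    """Simulate the attack path shared by both cases: start from the level the
    stolen credentials give, try to enrol an attacker-controlled WebAuthn
    device, and if that succeeds log in again with it. Returns the best
    level the attacker ends up with."""
    if policy(initial_level, account, "webauthn"):
        account.devices.append(("webauthn", "attacker"))
    attacker_devices = [t for t, who in account.devices if who == "attacker"]
    if attacker_devices:
        return max(LEVELS[t] for t in attacker_devices)
    return initial_level


def case1(policy) -> int:
    # User has TOTP (lvl5); with sfOnlyUpgrade = 1 the stolen password alone
    # yields a session without any second-factor challenge.
    return attacker_level(Account([("totp", "user")]), PASSWORD_LEVEL, policy)


def case2(policy) -> int:
    # User has WebAuthn (lvl5); stolen password + stolen mail code gives lvl3.
    return attacker_level(Account([("webauthn", "user")]), LEVELS["mail"], policy)


if __name__ == "__main__":
    for name, case in (("case 1", case1), ("case 2", case2)):
        print(f"{name}: current={case(current_policy)} proposed={case(proposed_policy)}")
```

Under the current behaviour both cases end with the attacker at lvl5; under the proposed rule the attacker is stuck at the level the stolen factors grant (2 and 3 respectively), while an account with no strong device, or a session that already holds lvl5, can still enrol a new one.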