
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in LemonLDAP::NG before 2.16.1, identified as CVE-2023-28862. The vulnerability involves weak session ID generation in the AuthBasic handler and incorrect failure handling during password checks, affecting the authentication system's security (NVD, Rapid7).
The vulnerability stems from the AuthBasic handler's workflow: it computes a session id from login+password. If that session id already exists in the session DB, the user is authenticated; otherwise, the handler attempts to create the corresponding session by sending the login+password to the portal's RESTServer plugin. The critical flaw is that only the store step is required for the login flow to succeed, so whatever happens after the store step (a failed check or a denial), AuthBasic will still succeed because the fixed-id session has already been created (GitLab Issue). The vulnerability has received a CVSS v3.1 Base Score of 9.8 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).
The vulnerability allows attackers to bypass 2FA verification and thus potentially impersonate users who have a second factor enrolled. Additionally, any plugin that attempts to deny session creation after the store step cannot deny AuthBasic sessions, undermining these authentication controls (CERT-FR, Debian LTS).
The issue has been fixed in LemonLDAP::NG version 2.16.1. The fix refuses AuthBasic handler use for users who have a second factor. Administrators who still require AuthBasic handlers for accounts with 2FA can append 'and not $ENV{AuthBasic}' to the 2FA activation rules (Debian LTS).
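The ordering problem described above, as an added illustrative model (not LemonLDAP::NG code): a deterministic session id derived from login+password is stored before the later checks run, so a denial after the store step does not undo it and the next lookup succeeds; the fixed variant refuses 2FA users and only stores a random-id session after every check has passed. User names, passwords and the check function are constructed.

```python
"""Toy model of the CVE-2023-28862 control-flow bug (not LemonLDAP::NG code).

Vulnerable flow: session id = f(login, password); the session is written to the
store BEFORE 2FA / deny-plugin checks, so a denial cannot remove it and the next
AuthBasic lookup finds the session and succeeds.
Fixed flow: refuse AuthBasic for users with a second factor and store a random-id
session only after all checks pass. All names below are constructed.
"""
import hashlib
import secrets

# constructed sample users: alice has 2FA enrolled, bob does not
USERS = {"alice": {"password": "pw-alice", "has_2fa": True},
         "bob": {"password": "pw-bob", "has_2fa": False}}


def fixed_session_id(login: str, password: str) -> str:
    # deterministic id: the weak scheme the advisory describes
    return hashlib.sha256(f"{login}:{password}".encode()).hexdigest()


def post_store_checks(user: dict) -> bool:
    # stands in for 2FA or a plugin that denies after the store step
    return not user["has_2fa"]


def authbasic_vulnerable(store: dict, login: str, password: str) -> bool:
    sid = fixed_session_id(login, password)
    if sid in store:                      # pre-existing session => success
        return True
    user = USERS.get(login)
    if not user or user["password"] != password:
        return False
    store[sid] = {"user": login}          # stored BEFORE the later checks
    return post_store_checks(user)        # a denial here leaves the session in place


def authbasic_fixed(store: dict, login: str, password: str) -> bool:
    user = USERS.get(login)
    if not user or user["password"] != password:
        return False
    if user["has_2fa"]:                   # 2.16.1 behaviour: no AuthBasic for 2FA users
        return False
    if not post_store_checks(user):
        return False
    store[secrets.token_hex(16)] = {"user": login}  # random id, only after checks
    return True
```

With the vulnerable model, the first AuthBasic attempt for the 2FA user is denied but leaves the session behind, and the second attempt is granted; the fixed model denies both and stores nothing.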
Source: This report was generated using AI