
Cloud Vulnerability DB
A community-led vulnerabilities database
Authenticator, a browser extension for generating two-step verification codes, has a significant security vulnerability in versions 7.0.0 and below. The vulnerability (CVE-2024-45394) concerns the encryption keys for user data, which are themselves stored encrypted at rest using only AES-256 with the EVP_BytesToKey key derivation function; that KDF is fast to evaluate, so the stored keys are susceptible to brute-force attacks. The vulnerability was discovered through a code review sponsored by the University of Luxembourg and was publicly disclosed on September 3, 2024 (GitHub Advisory).
The vulnerability stems from inadequate encryption strength (CWE-326) and the use of weak encoding for passwords (CWE-261). The issue received a CVSS v3.1 base score of 8.8 (HIGH) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating local access requirements but high potential impact on confidentiality, integrity, and availability (NVD).
Attackers who obtain a copy of a user's data could brute-force the user's encryption key and thereby recover the two-factor authentication codes it protects. This could lead to unauthorized access to accounts protected by the compromised two-factor authentication (GitHub Advisory).
Users are advised to upgrade to version 8.0.0 or above, which automatically migrates away from the weak encoding on first login. Additionally, users should destroy any encrypted backups made with versions prior to 8.0.0, since such backups remain protected only by the weak encoding and could still be exploited (GitHub Advisory).
Source: This report was generated using AI