CVE-2024-46937: n/a
CVE-2024-46937 is a critical improper access control vulnerability (IDOR) in MFASOFT Secure Authentication Server (SAS) versions 1.8.x through 1.9.x before 1.9.040924. It affects the /api-selfportal/get-info-token-properties endpoint, allowing remote attackers to access user tokens without authentication by brute-forcing the serial parameter. This vulnerability enables attackers to compromise the confidentiality and integrity of authentication tokens, potentially leading to unauthorized access to protected systems. Exploitation requires no privileges or user interaction and can be performed remotely over the network.
AI Analysis
Technical Summary
CVE-2024-46937 is an improper access control vulnerability classified as an Insecure Direct Object Reference (IDOR) in MFASOFT Secure Authentication Server (SAS) versions 1.8.x through 1.9.x prior to 1.9.040924. The flaw exists in the /api-selfportal/get-info-token-properties API endpoint, which is designed to retrieve properties of user tokens. Due to insufficient access controls, remote attackers can enumerate the 'serial' parameter, which follows a predictable sequential pattern with a numeric suffix (e.g., GA00001, GA00002, GA00003, etc.), to brute-force and retrieve token information without any authentication. This allows attackers to gain unauthorized access to sensitive token data that could be used to bypass multi-factor authentication mechanisms or impersonate legitimate users. The vulnerability does not require any privileges or user interaction and can be exploited remotely over the network, increasing its risk profile. The CVSS v3.1 base score of 9.1 reflects the critical nature of this vulnerability, with high impact on confidentiality and integrity but no impact on availability. The vulnerability is tracked under CWE-639 (Authorization Bypass Through User-Controlled Key) and was publicly disclosed on September 16, 2024. No patches or known exploits had been reported at the time of disclosure, but the predictable token serial enumeration makes exploitation feasible for determined attackers.
Potential Impact
The impact of CVE-2024-46937 is significant for organizations relying on MFASOFT Secure Authentication Server for multi-factor authentication. Successful exploitation allows attackers to retrieve user tokens without authentication, effectively bypassing MFA protections. This can lead to unauthorized access to sensitive systems, data breaches, and potential lateral movement within networks. Confidentiality is severely compromised as attackers gain access to authentication tokens, and integrity is affected because attackers can impersonate legitimate users. Although availability is not impacted, the breach of authentication mechanisms undermines overall security posture. Organizations in sectors with high security requirements, such as finance, healthcare, government, and critical infrastructure, face elevated risks. The ease of exploitation due to predictable token serials and lack of authentication requirements increases the likelihood of attacks, potentially leading to widespread compromise if not mitigated promptly.
Mitigation Recommendations
To mitigate CVE-2024-46937, organizations should immediately upgrade MFASOFT Secure Authentication Server to version 1.9.040924 or later once available. In the absence of an official patch, implement compensating controls such as rate limiting and IP throttling on the /api-selfportal/get-info-token-properties endpoint to prevent brute-force enumeration of token serials. Employ network-level access controls to restrict access to the API endpoint only to trusted internal networks or VPN users. Monitor logs for unusual access patterns or repeated requests to the serial parameter indicative of brute-force attempts. Consider implementing additional authentication or verification steps before disclosing token properties. Conduct a thorough audit of token issuance and usage to detect any unauthorized access. Finally, educate security teams about this vulnerability and prepare incident response plans to quickly address potential exploitation attempts.
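One way to implement the log monitoring recommended above, as an added example that is not part of the advisory or of the vendor's product: it parses constructed access-log lines for hits on the token-properties endpoint and flags any source that requests many distinct serials within a short window, reporting how long the run of consecutive serial suffixes is. The log format, IP addresses, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not from the advisory): one source walks GA00001..GA00005.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Sep/2024:10:00:01 +0000] "GET /api-selfportal/get-info-token-properties?serial=GA00001 HTTP/1.1" 200 312
10.0.0.5 - - [16/Sep/2024:10:00:02 +0000] "GET /api-selfportal/get-info-token-properties?serial=GA00002 HTTP/1.1" 200 318
10.0.0.5 - - [16/Sep/2024:10:00:02 +0000] "GET /api-selfportal/get-info-token-properties?serial=GA00003 HTTP/1.1" 200 305
10.0.0.5 - - [16/Sep/2024:10:00:03 +0000] "GET /api-selfportal/get-info-token-properties?serial=GA00004 HTTP/1.1" 404 52
10.0.0.5 - - [16/Sep/2024:10:00:03 +0000] "GET /api-selfportal/get-info-token-properties?serial=GA00005 HTTP/1.1" 200 310
192.168.1.20 - - [16/Sep/2024:10:05:00 +0000] "GET /api-selfportal/get-info-token-properties?serial=GA00042 HTTP/1.1" 200 311
192.168.1.20 - - [16/Sep/2024:10:30:00 +0000] "GET /api-selfportal/get-info-token-properties?serial=GA00042 HTTP/1.1" 200 311
"""

# Matches only requests to the vulnerable endpoint; captures source IP, timestamp and serial.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /api-selfportal/'
                     r'get-info-token-properties\?serial=([A-Z]+\d+)')

def parse(log_text):
    """Return (ip, datetime, serial) tuples for hits on the token-properties endpoint."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, serial = m.groups()
            events.append((ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), serial))
    return events

def find_enumeration(log_text, window=timedelta(seconds=60), threshold=4):
    """Flag sources requesting >= threshold distinct serials inside `window`.
    Returns {ip: (distinct_serials, longest_consecutive_run)}."""
    by_ip = defaultdict(list)
    for ip, ts, serial in parse(log_text):
        by_ip[ip].append((ts, serial))
    alerts = {}
    for ip, hits in by_ip.items():
        hits.sort()  # sliding window over time-ordered hits
        for i, (start, _) in enumerate(hits):
            distinct = {s for t, s in hits[i:] if t - start <= window}
            if len(distinct) < threshold:
                continue
            # A long run of adjacent numeric suffixes is the signature of sequential enumeration.
            nums = sorted(int(re.sub(r"\D", "", s)) for s in distinct)
            run = best = 1
            for a, b in zip(nums, nums[1:]):
                run = run + 1 if b == a + 1 else 1
                best = max(best, run)
            alerts[ip] = (len(distinct), best)
            break
    return alerts
```

A legitimate self-service user typically reads one serial (their own) repeatedly, so the distinct-serial count rather than the raw request count is what separates enumeration from normal traffic.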
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-09-15T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d06b7ef31ef0b56d47d
Added to database: 2/25/2026, 9:43:34 PM
Last enriched: 2/26/2026, 8:45:47 AM
Last updated: 2/26/2026, 9:40:08 AM