CVE-2026-33488

High ⚡ Exploit Available
CWE-326 — Weakness Type
Published: Mar 23, 2026  ·  Modified: Mar 29, 2026  ·  Source: NVD
CVSS v3: 7.4
📄 Description (English)

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `createKeys()` function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public key can factor the 512-bit RSA modulus on commodity hardware in hours, derive the complete private key, and decrypt any PGP 2FA challenge issued by the system — completely bypassing the second authentication factor. Additionally, the `generateKeys.json.php` and `encryptMessage.json.php` endpoints lack any authentication checks, exposing CPU-intensive key generation to anonymous users. Commit 00d979d87f8182095c8150609153a43f834e351e contains a patch.

🤖 AI Executive Summary

WWBN AVideo versions up to 26.0 use cryptographically broken 512-bit RSA keys in their PGP 2FA system, allowing attackers to factor the keys on commodity hardware within hours and completely bypass two-factor authentication. Unauthenticated endpoints also expose CPU-intensive operations to denial-of-service attacks. This is a critical authentication bypass affecting any organization using AVideo for secure video content delivery or internal communications.
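Added example, not code from AVideo or from this advisory: a stdlib-only Python check that reads one OpenPGP v4 public-key packet and reports whether its RSA modulus meets the 2048-bit floor from the patching guidance, so keys exported from a deployment can be audited for the 512-bit moduli described above. The packet builder is a constructed fixture with filler modulus bytes (no real key material), and only old-format and short new-format packet headers are handled.

```python
"""Audit OpenPGP v4 public-key packets for undersized RSA moduli (stdlib only)."""
import struct

MIN_RSA_BITS = 2048       # the floor named in the patching guidance
RSA_ALGO_IDS = {1, 2, 3}  # RFC 4880 public-key algorithm IDs for RSA variants

def _packet_header(buf):
    """Return (tag, body_offset, body_length) for the packet starting at buf[0]."""
    first = buf[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:  # new-format header (RFC 4880 4.2.2): 1- or 2-octet length
        tag, b0 = first & 0x3F, buf[1]
        if b0 < 192:
            return tag, 2, b0
        if b0 < 224:
            return tag, 3, ((b0 - 192) << 8) + buf[2] + 192
        raise ValueError("5-octet and partial body lengths are not handled")
    tag, length_type = (first >> 2) & 0x0F, first & 0x03  # old-format header
    if length_type == 0:
        return tag, 2, buf[1]
    if length_type == 1:
        return tag, 3, struct.unpack(">H", buf[1:3])[0]
    raise ValueError("4-octet and indeterminate lengths are not handled")

def rsa_modulus_bits(packet):
    """Modulus bit length of a v4 RSA public-key (tag 6) or public-subkey (tag 14) packet."""
    tag, off, length = _packet_header(packet)
    if tag not in (6, 14):
        raise ValueError("not a public-key packet (tag %d)" % tag)
    body = packet[off:off + length]
    if body[0] != 4 or body[5] not in RSA_ALGO_IDS:
        raise ValueError("only v4 RSA keys are handled")
    # After version(1) + creation time(4) + algorithm(1) comes MPI n; its
    # two-octet prefix is the modulus bit count (RFC 4880 3.2).
    return struct.unpack(">H", body[6:8])[0]

def audit_pgp_key(packet, min_bits=MIN_RSA_BITS):
    """True when the RSA modulus meets the minimum size; a 512-bit key fails."""
    return rsa_modulus_bits(packet) >= min_bits

def build_v4_rsa_pubkey_packet(n_bits):
    """CONSTRUCTED fixture: a v4 RSA public-key packet whose modulus has n_bits.
    The modulus bytes are filler, not a real key; only their length matters here."""
    n = b"\xff" * ((n_bits + 7) // 8)
    body = b"\x04" + b"\x00\x00\x00\x00" + b"\x01"        # v4, creation time 0, RSA
    body += struct.pack(">H", n_bits) + n                   # MPI n
    body += struct.pack(">H", 17) + b"\x01\x00\x01"         # MPI e = 65537 (17 bits)
    return b"\x99" + struct.pack(">H", len(body)) + body    # old-format tag 6 header
```

To audit a real key ring, export it in binary form and feed each tag 6 / tag 14 packet to `audit_pgp_key`; armored (ASCII) exports must be dearmored first.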

🤖 AI Intelligence Analysis (analyzed: May 4, 2026 23:33)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using WWBN AVideo for secure video platforms—particularly in government agencies (NCA, Ministry of Interior), banking sector (SAMA-regulated institutions), healthcare (MOH), and energy sector (ARAMCO)—face complete authentication bypass. Attackers can impersonate any user with 2FA enabled, access sensitive video content, modify communications, and establish persistent access. The unauthenticated endpoints also enable resource exhaustion attacks against infrastructure. Organizations relying on AVideo for classified or sensitive communications face severe data breach and integrity risks.
🏢 Affected Saudi Sectors
- Government (NCA, Ministry of Interior, Ministry of Defense)
- Banking (SAMA-regulated financial institutions)
- Healthcare (Ministry of Health, private hospitals)
- Energy (ARAMCO, utility companies)
- Telecommunications (STC, Mobily, Zain)
- Education (universities using AVideo for secure content)
- Media and Broadcasting
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Upgrade WWBN AVideo to version 26.1 or later (commit 00d979d87f8182095c8150609153a43f834e351e or newer)
2. Disable PGP 2FA functionality until patched
3. Force password reset for all users with 2FA enabled
4. Review access logs for suspicious authentication patterns (multiple failed 2FA attempts, unusual geographic logins)
5. Restrict network access to generateKeys.json.php and encryptMessage.json.php endpoints via WAF/firewall rules

PATCHING GUIDANCE:
- Apply patch from commit 00d979d87f8182095c8150609153a43f834e351e
- Verify RSA key generation uses minimum 2048-bit keys (4096-bit recommended)
- Implement authentication checks on all key generation endpoints

COMPENSATING CONTROLS (if immediate patching impossible):
- Disable 2FA feature entirely until patched
- Implement IP whitelisting for generateKeys.json.php and encryptMessage.json.php
- Deploy rate limiting (max 5 requests/minute per IP) on cryptographic endpoints
- Monitor CPU usage spikes indicating key generation attacks

DETECTION RULES:
- Alert on multiple requests to generateKeys.json.php or encryptMessage.json.php from same IP
- Flag 2FA bypass attempts (successful login immediately after failed 2FA)
- Monitor for RSA key exports or public key access patterns
- Log all access to /LoginControl plugin endpoints
🔧 Remediation Steps (Arabic, translated)
IMMEDIATE ACTIONS:
1. Upgrade WWBN AVideo to version 26.1 or newer (commit 00d979d87f8182095c8150609153a43f834e351e or newer)
2. Disable the PGP 2FA function until it is fixed
3. Force a password reset for all users who have 2FA enabled
4. Review access logs for suspicious patterns (multiple failed 2FA attempts, unusual geographic logins)
5. Restrict access to the generateKeys.json.php and encryptMessage.json.php endpoints via WAF/firewall rules

PATCHING GUIDANCE:
- Apply the fix from commit 00d979d87f8182095c8150609153a43f834e351e
- Verify that RSA key generation uses keys of at least 2048 bits (4096 bits recommended)
- Implement authentication checks on all key-generation endpoints

COMPENSATING CONTROLS (if immediate patching is impossible):
- Disable the 2FA feature entirely until it is fixed
- Implement an IP whitelist for generateKeys.json.php and encryptMessage.json.php
- Deploy rate limiting (maximum 5 requests/minute per IP) on the cryptographic endpoints
- Monitor CPU usage spikes that indicate key-generation attacks

DETECTION RULES:
- Alert on multiple requests to generateKeys.json.php or encryptMessage.json.php from the same IP
- Flag 2FA bypass attempts (successful login immediately after a failed 2FA)
- Monitor RSA key export patterns or public key access
- Log all access to the /LoginControl plugin endpoints
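Added example, not code from AVideo or from this advisory, implementing the first detection rule above (given in both the English and the Arabic sections): it parses combined-format web server access logs and flags any IP that exceeds the page's 5-requests-per-minute threshold against the two unauthenticated endpoints. The sample log lines are constructed, the `/plugin/LoginControl/` path prefix is an assumption, and the IPs come from the RFC 5737 documentation ranges.

```python
"""Flag IPs bursting requests at AVideo's unauthenticated PGP 2FA endpoints."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_ENDPOINTS = ("generateKeys.json.php", "encryptMessage.json.php")
MAX_PER_WINDOW = 5              # the compensating control on the page: 5 requests/minute per IP
WINDOW = timedelta(minutes=1)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')  # combined log format

# CONSTRUCTED sample; the /plugin/LoginControl/ path is an assumption.
# 198.51.100.7 sends 7 requests in 30 seconds, 203.0.113.5 sends one.
SAMPLE_LOG = [
    ('198.51.100.7 - - [05/May/2026:10:00:%02d +0300] "POST /plugin/LoginControl/generateKeys.json.php '
     'HTTP/1.1" 200 512 "-" "curl/8.0"') % s
    for s in range(0, 35, 5)
] + [
    '203.0.113.5 - - [05/May/2026:10:00:10 +0300] "GET /plugin/LoginControl/encryptMessage.json.php?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/May/2026:10:03:10 +0300] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'not a log line at all',
]

def parse_line(line):
    """Return (ip, timestamp, path without query string), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?", 1)[0]

def find_bursts(lines, max_per_window=MAX_PER_WINDOW, window=WINDOW):
    """Map each IP that exceeds max_per_window hits on the watched endpoints inside
    any sliding window of length `window` to its peak count within such a window."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2].endswith(WATCHED_ENDPOINTS):
            hits[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:   # drop hits that fell out of the window
                start += 1
            if end - start + 1 > max_per_window:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```

Run `find_bursts` over a rotated access log or a SIEM export; the returned peak counts are what the alert should carry.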
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC 2024 A.9.2.1 — User authentication mechanisms (2FA bypass)
- ECC 2024 A.10.1.1 — Cryptographic controls (512-bit RSA is non-compliant)
- ECC 2024 A.8.2.3 — User access management (authentication bypass)
- ECC 2024 A.12.6.1 — Management of technical vulnerabilities
🔵 SAMA CSF
- SAMA CSF ID.AM-2 — Asset management (cryptographic assets)
- SAMA CSF PR.AC-1 — Access control and authentication
- SAMA CSF PR.AC-6 — Cryptographic controls
- SAMA CSF DE.CM-1 — Detection and monitoring
🟡 ISO 27001:2022
- ISO 27001:2022 A.5.15 — Cryptography (512-bit RSA non-compliant with A.5.15.1)
- ISO 27001:2022 A.8.2 — User access management (authentication bypass)
- ISO 27001:2022 A.8.3 — User responsibilities (2FA compromise)
- ISO 27001:2022 A.14.2.1 — Secure development policy
🟣 PCI DSS v4.0.1
- PCI DSS 3.2.1 — Strong cryptography (512-bit RSA fails requirement)
- PCI DSS 8.3 — Multi-factor authentication (2FA bypass)
- PCI DSS 6.2 — Security patches and updates
📦 Affected Products / CPE (1 entry): wwbn:avideo
📊 CVSS Score: 7.4 / 10.0 (High)
📊 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
- Attack Vector: N (Network)
- Attack Complexity: H (High)
- Privileges Required: N (None)
- User Interaction: N (None)
- Scope: U (Unchanged)
- Confidentiality: H (High)
- Integrity: H (High)
- Availability: N (None)
📋 Quick Facts
- Severity: High
- CVSS Score: 7.4
- CWE: CWE-326
- Exploit: Yes
- Patch: Yes
- Published: 2026-03-23
- Source Feed: nvd
🇸🇦 Saudi Risk Score: 9.2 / 10.0 (Saudi Risk)
Priority: CRITICAL
🏷️ Tags: exploit-available, patch-available, CWE-326