Vulnerability Note VU#170394

WebEOC account lock-out policy may allow a denial-of-service

Overview

The WebEOC account lock-out policy may allow a remote attacker to disable user and system accounts, resulting in a denial-of-service condition.

I. Description

WebEOC is a web-based crisis information management application that provides functions to gather, coordinate, and disseminate information between emergency personnel and Emergency Operations Centers (EOC). WebEOC implements a system-wide lock-out policy that disables an account after three consecutive failed login attempts. In numerous places throughout the system, an attacker can easily retrieve the information necessary (i.e., usernames) to attempt a login for a particular account. Please note that an account can represent an individual user on one WebEOC site or a system account for another WebEOC site.

Users are authenticated into the WebEOC system by entering a username and password on the WebEOC login web page. The WebEOC login web page displays all registered usernames in a drop-down list. If a remote attacker gains access to the WebEOC login page, they can intentionally enter a wrong password three consecutive times for a particular user, locking that user's account.

WebEOC supports Dual Commit, a process that connects multiple WebEOC installations so they can exchange information. Individual WebEOC sites are authenticated into a Dual Commit session via a system account known as the Dual Commit account. Dual Commit accounts are governed by the same lock-out policy as individual user accounts and are consequently vulnerable to the same types of attacks. For example, an attacker can cause a denial-of-service condition across multiple EOC sites by attacking the Dual Commit functionality. If a remote attacker repeatedly sends a specially crafted URI containing incorrect login information for a Dual Commit account, that attacker may be able to exploit the lock-out policy to terminate the active Dual Commit connection and lock the Dual Commit account.

In both cases (user accounts and Dual Commit accounts), users will experience a denial of service until the attacked account is manually unlocked.

II. Impact

An unauthenticated, remote attacker may be able to exploit the lock-out policy to lock valid accounts. As a result, individual users or entire WebEOC sites may experience a complete denial of service. Recovering from this attack requires a WebEOC administrator to manually unlock the attacked account.

III. Solution

Upgrade

Version 6.0.2 corrects this vulnerability. According to ESi:

    This vulnerability has been addressed in version 6.0.2 by providing the option to not present a list of valid user names on the login page. In addition, lockout configuration for the number of failed login attempts and length of time a lockout lasts are included in the administrative functions. The site can now unlock the user’s account automatically after a defined period of time as specified in the General Settings tab.
To obtain WebEOC upgrades, contact ESi Technical Support.

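
The lock-out behaviour this note describes, and the configurable, self-expiring lock-out that the 6.0.2 fix introduces, modelled as an added example (not WebEOC code; the account name and timings are constructed): with lockout_seconds left at None an account stays locked until an administrator clears it, while a bounded lockout_seconds limits how long a run of failed attempts can deny a legitimate user.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    max_failures: int = 3                    # consecutive failures before the account locks
    lockout_seconds: Optional[float] = None  # None: locked until an administrator unlocks it

class AccountGuard:
    # Tracks consecutive failed logins per account and enforces the policy.
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.failures: dict = {}   # username -> consecutive failure count
        self.locked_at: dict = {}  # username -> time the lock was applied

    def is_locked(self, user: str, now: float) -> bool:
        if user not in self.locked_at:
            return False
        if self.policy.lockout_seconds is None:
            return True  # pre-6.0.2 behaviour: stays locked until admin_unlock()
        if now - self.locked_at[user] >= self.policy.lockout_seconds:
            self.admin_unlock(user)  # lock period has elapsed: clear it automatically
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> bool:
        # One login attempt; returns True when the login is accepted.
        if self.is_locked(user, now):
            return False
        if password_ok:
            self.failures.pop(user, None)  # a success resets the failure counter
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.policy.max_failures:
            self.locked_at[user] = now
        return False

    def admin_unlock(self, user: str) -> None:
        self.failures.pop(user, None)
        self.locked_at.pop(user, None)

def simulate(policy: LockoutPolicy) -> dict:
    """Constructed scenario: three wrong passwords for 'eoc_user' at t=0,1,2 s, then the
    legitimate user presents the correct password at t=10 s and again at t=700 s."""
    guard = AccountGuard(policy)
    for t in range(3):
        guard.attempt("eoc_user", password_ok=False, now=float(t))
    return {
        "locked_after_3_failures": guard.is_locked("eoc_user", 3.0),
        "login_at_10s": guard.attempt("eoc_user", password_ok=True, now=10.0),
        "login_at_700s": guard.attempt("eoc_user", password_ok=True, now=700.0),
    }
```

Under the default (administrator-only unlock) policy the legitimate login fails at both 10 s and 700 s; with lockout_seconds=600 it fails at 10 s but succeeds at 700 s.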
Restrict Access

When possible, restrict access to the WebEOC login pages to only known and trusted users.

Systems Affected

Vendor   Status       Date Updated
ESi      Vulnerable   21-Jun-2005

References

http://www.esi911.com/esi/products/webeoc.shtml
http://www.esi911.com/esi/support/support.htm

Credit

This document is based on technical analysis by IOActive and additional information from ESi. Thanks also to the City of Seattle for bringing this to our attention.

This document was written by Jeff Gennari.

Other Information

Date Public: 07/13/2005
Date First Published: 07/13/2005 10:58:19 AM
Date Last Updated: 07/14/2005
CERT Advisory: 
CVE Name: 
US-CERT Technical Alerts: 
Metric: 1.82
Document Revision: 127

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Produced 2005 by US-CERT, a government organization