Vulnerability Note VU#170394

WebEOC account lock-out policy may allow a denial-of-service

Original Release date: 13 Jul 2005 | Last revised: 14 Jul 2005

Overview

WebEOC's account lock-out policy may allow a remote attacker to disable user and system accounts, resulting in a denial-of-service condition.

Description

WebEOC is a web-based crisis information management application that provides functions to gather, coordinate, and disseminate information between emergency personnel and Emergency Operations Centers (EOC). WebEOC implements a system-wide lock-out policy that disables an account after three consecutive failed login attempts. In numerous places throughout the system, an attacker can easily retrieve the information necessary (i.e., usernames) to attempt a login for a particular account. Please note that an account can represent an individual user on one WebEOC site or a system account for another WebEOC site.

Users are authenticated into the WebEOC system by entering a username and password on the WebEOC login web page. The WebEOC login web page displays all registered usernames within a drop-down list. If a remote attacker gains access to the WebEOC login page, they can intentionally enter a wrong password three consecutive times for a particular user, locking that user's account.

WebEOC supports Dual Commit, which is a process that connects multiple WebEOC installations so they can exchange information. Individual WebEOC sites are authenticated into a Dual Commit session via a system account known as the Dual Commit account. Dual Commit accounts are governed by the same lock-out policy as individual user accounts. Consequently, they are vulnerable to the same types of attacks. For example, an attacker can cause a denial-of-service condition across multiple EOC sites by attacking the Dual Commit functionality. If a remote attacker repeatedly sends a specially crafted URI containing incorrect login information to a Dual Commit account, that attacker may be able to exploit the lock-out policy to terminate the active Dual Commit connection and lock the Dual Commit account.

In both cases (user accounts and Dual Commit accounts), users will experience a denial of service until the attacked account is manually unlocked.

Impact

An unauthenticated, remote attacker may be able to exploit the lock-out policy to lock valid accounts. As a result, individual users or WebEOC sites may experience a complete denial of service. Recovering from this attack requires a WebEOC administrator to manually unlock the attacked account.

Solution

Upgrade

Version 6.0.2 corrects this vulnerability. According to ESi:

    This vulnerability has been addressed in version 6.0.2 by providing the option to not present a list of valid user names on the login page. In addition, lockout configuration for the number of failed login attempts and length of time a lockout lasts are included in the administrative functions. The site can now unlock the user’s account automatically after a defined period of time as specified in the General Settings tab.
To obtain WebEOC upgrades, contact ESi Technical Support.

Restrict Access

When possible, restrict access to the WebEOC login pages to only known and trusted users.
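The lock-out behaviour described above, alongside the configurable, time-limited lockout that version 6.0.2 adds, modelled as an added Python example (this is not WebEOC code; the class, the 900-second window and the sample authentication events are assumptions). The second function shows the log pattern a defender would look for: one source failing against many distinct usernames rather than one user mistyping a password.

```python
from collections import defaultdict

class LockoutPolicy:
    """Lockout after consecutive failures, as the note describes it. With
    lockout_seconds=None the account stays locked until an administrator
    unlocks it; with a number the lock expires on its own (the 6.0.2 option)."""
    def __init__(self, max_failures=3, lockout_seconds=None):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)   # consecutive failures per user
        self.locked_at = {}                # user -> time the lock was set

    def is_locked(self, user, now):
        locked = self.locked_at.get(user)
        if locked is None:
            return False
        if self.lockout_seconds is not None and now - locked >= self.lockout_seconds:
            del self.locked_at[user]       # lock expired: clear it and the counter
            self.failures[user] = 0
            return False
        return True

    def record_attempt(self, user, success, now):
        """Return True if the login is accepted, False if it is rejected."""
        if self.is_locked(user, now):
            return False                   # even a correct password is refused
        if success:
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_at[user] = now
        return False

# Constructed authentication events: (source address, username, success).
SAMPLE_EVENTS = [
    ("10.0.0.5", "alice", False), ("10.0.0.5", "bob", False),
    ("10.0.0.5", "carol", False), ("10.0.0.5", "dual_commit_site2", False),
    ("10.0.0.9", "alice", False), ("10.0.0.9", "alice", True),
]

def lockout_sweep_sources(events, min_accounts=3):
    """Sources whose failed logins span many distinct usernames: the trace a
    lockout denial of service leaves, unlike one user mistyping a password."""
    targets = defaultdict(set)
    for src, user, ok in events:
        if not ok:
            targets[src].add(user)
    return {s: sorted(u) for s, u in targets.items() if len(u) >= min_accounts}
```

With `lockout_seconds=None` a correct password is still refused after the third failure until an administrator intervenes; with a window set, the same account accepts the correct password once the window has elapsed.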

Systems Affected

Vendor  Status    Date Notified  Date Updated
ESi     Affected  -              21 Jun 2005

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

References

Credit

This document is based on technical analysis by IOActive and additional information from ESi. Thanks also to the City of Seattle for bringing this to our attention.

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: Unknown
  • Date Public: 13 Jul 2005
  • Date First Published: 13 Jul 2005
  • Date Last Updated: 14 Jul 2005
  • Severity Metric: 1.82
  • Document Revision: 127
