
CERT Coordination Center

WebEOC account lock-out policy may allow a denial-of-service

Vulnerability Note VU#170394

Original Release Date: 2005-07-13 | Last Revised: 2005-07-14

Overview

WebEOC account lock out policy may allow a remote attacker to disable user and system accounts resulting in a denial-of-service condition.

Description

WebEOC is a web-based crisis information management application that provides functions to gather, coordinate, and disseminate information between emergency personnel and Emergency Operations Centers (EOC). WebEOC implements a system-wide lock-out policy that disables an account upon three consecutive failed login attempts. In numerous places throughout the system, an attacker can easily retrieve the information necessary (i.e. usernames) to attempt a login for a particular account. Please note that an account can represent an individual user on one WebEOC site or a system account for another WebEOC site.

Users are authenticated into the WebEOC system by entering a username and password on the WebEOC login web page. The WebEOC login web page displays all registered usernames within a drop-down list. If a remote attacker gains access to the WebEOC login page, they can intentionally enter a wrong password three consecutive times for a particular user, locking that user's account.

WebEOC supports Dual Commit, which is a process that connects multiple WebEOC installations so they can exchange information. Individual WebEOC sites are authenticated into a Dual Commit session via a system account known as the Dual Commit account. Dual Commit accounts are governed by the same lock out policy as individual user accounts. Consequently, they are vulnerable to the same types of attacks. For example, an attacker can cause a denial-of-service condition across multiple EOC sites by attacking the Dual Commit functionality. If a remote attacker repeatedly sends a specially crafted URI containing incorrect login information to a Dual Commit account, that attacker may be able to exploit the lock-out policy to terminate the active Dual Commit connection and lock the Dual Commit account.

In both cases (user accounts and Dual Commit accounts), users will experience a denial of service until the attacked account is manually unlocked.

Impact

An unauthenticated, remote attacker may be able to exploit the lock-out policy to lock valid accounts. As a result, individual users or WebEOC sites may experience a complete denial-of-service. Recovering from this attack requires a WebEOC administrator to manually unlock the attacked account.

Solution

Upgrade

Version 6.0.2 corrects this vulnerability. According to ESi:

This vulnerability has been addressed in version 6.0.2 by providing the option to not present a list of valid user names on the login page. In addition, lockout configuration for the number of failed login attempts and length of time a lockout lasts is included in the administrative functions. The site can now unlock the user’s account automatically after a defined period of time as specified in the General Settings tab.

To obtain WebEOC upgrades, contact ESi Technical Support.

Restrict Access

When possible, restrict access to the WebEOC login pages to only known and trusted users.
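The two behaviours the note contrasts, as an added illustration that is not part of the advisory or of WebEOC itself: a lock-out policy that stays locked until an administrator intervenes (the reported behaviour) beside one with the configurable threshold and automatic unlock period the 6.0.2 fix describes, plus a small log check for the pattern a defender would want to alert on. The class names, the log format and the log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

class LockoutPolicy:
    """Lock an account after max_failures consecutive bad passwords. lockout_seconds=None
    models the reported behaviour (locked until admin unlock); a number models 6.0.2's auto-unlock."""
    def __init__(self, max_failures=3, lockout_seconds=None):
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.failures, self.locked_at = defaultdict(int), {}

    def admin_unlock(self, user):
        self.locked_at.pop(user, None)
        self.failures[user] = 0

    def is_locked(self, user, now):
        since = self.locked_at.get(user)
        if since is None:
            return False
        if self.lockout_seconds is not None and now - since >= self.lockout_seconds:
            self.admin_unlock(user)  # configured period elapsed: unlock automatically
            return False
        return True

    def login(self, user, password_ok, now):
        if self.is_locked(user, now):
            return "locked"           # even the correct password is refused
        if password_ok:
            self.failures[user] = 0   # consecutive counter resets on success
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_at[user] = now
            return "locked"
        return "failed"

# Constructed log lines (not from the advisory); the format is an assumption.
SAMPLE_LOG = """\
2005-07-13T10:00:01 LOGIN_FAIL user=alice src=198.51.100.7
2005-07-13T10:00:02 LOGIN_FAIL user=alice src=198.51.100.7
2005-07-13T10:00:03 LOGIN_FAIL user=alice src=198.51.100.7
2005-07-13T10:00:04 LOGIN_FAIL user=bob src=198.51.100.7
2005-07-13T10:00:09 LOGIN_FAIL user=dave src=203.0.113.5
"""
LINE_RE = re.compile(r"LOGIN_FAIL user=(\S+) src=(\S+)")

def sweeping_sources(log, min_users=2):
    """Sources whose failures spread over min_users+ usernames: a lock-out sweep, not a typo."""
    users_by_src = defaultdict(set)
    for user, src in LINE_RE.findall(log):
        users_by_src[src].add(user)
    return {src for src, users in users_by_src.items() if len(users) >= min_users}
```

With `lockout_seconds=None` a single locked account stays unusable indefinitely, which is exactly the denial-of-service condition the note describes; a finite period bounds the outage without removing the brute-force protection.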

Vendor Information

ESi

Updated:  June 21, 2005

Status

Vulnerable

Vendor Statement

This vulnerability has been addressed in version 6.0.2.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A

References

Acknowledgements

This document is based on technical analysis by IOActive and additional information from ESi. Thanks also to the City of Seattle for bringing this to our attention.

This document was written by Jeff Gennari.

Other Information

CVE IDs: None
Severity Metric: 1.82
Date Public: 2005-07-13
Date First Published: 2005-07-13
Date Last Updated: 2005-07-14 16:32 UTC
Document Revision: 127

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.