CVE-2022-2457: admin console prone to brute force attack

A flaw was found in Red Hat Process Automation Manager 7 where an attacker can benefit from a brute force attack against the Administration Console, as the application does not limit the number of unsuccessful login attempts.


Description (Paramvir Jindal, 2022-07-18 08:05:41 UTC)

IBM pentesting results: https://docs.google.com/spreadsheets/d/1Iwbhk0lwGoNskLidsY5CXmc5MwKt5VfmJCaX21xyruo

The application does not limit the number of unsuccessful login attempts. Not limiting the number of unsuccessful login attempts exposes the application to a brute force attack in which a malicious user tries to gain access to the application by sending a large number of possible passwords and/or usernames, i.e., dictionary-based attacks. Also, the weakness occurs when the application does not check the complexity or minimum length of the provided passwords. The entire security of the application depends on its authentication mechanism. Weak password requirements allow users to create weak passwords, susceptible to a variety of attacks. Passwords are prone to brute force attacks; an attacker can easily brute force the passwords if the password policy is weak. It is observed that there is no account lockout implemented for the Business Central application and new users can be created by the Admin with weak passwords.

Steps to Reproduce:

  • Open the Business Central login page of the application.
  • Enter wrong credentials.
  • Try to do the same activity more than 10 times.
  • Check for account lockout after entering the wrong password more than 10 times.

Observations: The account is not locked out after entering the wrong password more than 1000 times.
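As an added defensive illustration (this is example code, not part of the report or of the Red Hat product), a login handler that enforces the two controls the report says are missing: a lockout after a fixed number of consecutive wrong passwords, and a minimum password policy applied when an admin creates a user. The class and function names, the thresholds (10 failures, 15-minute lockout, 12-character minimum) and the sample denylist are all assumptions chosen for the example.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass

MAX_FAILURES = 10          # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60  # how long a locked account refuses every login
MIN_PASSWORD_LENGTH = 12
DENYLIST = {"password", "123456", "admin123", "qwerty"}  # constructed sample list

# Minimal complexity policy: a length floor plus a denylist of common passwords.
def password_acceptable(password: str) -> bool:
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in DENYLIST

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0        # consecutive failed attempts since the last success
    locked_until: float = 0.0

class LoginGuard:
    def __init__(self, clock=time.monotonic):
        self.accounts: dict[str, Account] = {}
        self.clock = clock  # injectable so a test can advance time

    def add_user(self, username: str, password: str) -> None:
        if not password_acceptable(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, _derive(password, salt))

    def login(self, username: str, password: str) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"  # same answer as a wrong password: no username oracle
        now = self.clock()
        if now < acct.locked_until:
            return "locked"  # even the correct password is refused while locked
        if hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

Replaying the report's steps against this handler, the tenth wrong password locks the account and the correct password is refused until the lockout window has passed.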
