Skip to content

Improper Restriction of Excessive Authentication Attempts in CasaOS

High
tigerinus published GHSA-c69x-5xmw-v44x Mar 6, 2024

Package

https://github.com/IceWhaleTech/CasaOS-UserService (Casa OS)

Affected versions

v0.4.4.3

Patched versions

v0.4.7

Description

Summary

Here it is observed that the CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server.

Details

The web application lacks control over the login attempts i.e. why attacker can use a password brute force attack to find and get full access over the.

PoC

  1. Capture login request in proxy tool like Burp Suite and select password field.

1

  1. Here I have started attack with total number of 271 password tries where the last one is the correct password and as we can see in the following image we get a 400 Bad Request status code with the message "Invalid Password" and response length 769 on 1st request which was sent at Tue, 16 Jan 2024 18:31:32 GMT

2

Note: We have tested this vulnerability with more than 3400 tries. We have used 271 request counts just for demo purposes.

  1. Here the attack is completed and we can see in the following image we get 200 OK status code with the message "Ok" and response length 1509 on 271st request which was sent at Tue, 16 Jan 2024 18:32:01 GMT.

3

This means attacker can try 271 requests in 56 seconds.

Impact

This vulnerability allows attackers to get super user-level access over the server.

Mitigation

It is recommended to implement a proper rate-limiting mechanism on the server side where the configuration might be like:
If a specific IP address fails to login more than 5 times concurrently then that IP address must be blocked for at least 30 seconds. This will reduce the possibility of password brute-forcing attacks.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE ID

CVE-2024-24767

Weaknesses

Credits