Werk #16830: Bruteforce protection for two factor authentication

Component Core & setup
Title Bruteforce protection for two factor authentication
Date 06.06.2024
Level Minor change
Class Security fix
Compatibility Compatible - no manual intervention required
Checkmk versions & editions
2.4.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p6 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Prior to this werk, failed two-factor authentication attempts did not count as failed logins and therefore could not trigger account lockout. As a result, an attacker could try to brute-force a user's second factor, and thereby bypass the user's two-factor protection, without ever triggering the lockout mechanism. With this werk, failures of all three two-factor methods now count towards the failed login attempts against a user's account.
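To make the behaviour change concrete, here is an added, illustrative lockout counter; it is not Checkmk's own code, and the threshold, user names and the `factor` method name are assumptions. The same toy guard is run once with second-factor failures ignored (the pre-werk behaviour) and once with them counted (the fixed behaviour), so the difference in outcome is visible directly.

```python
from dataclasses import dataclass
from typing import Dict

# Illustrative threshold only; not Checkmk's configured lockout value.
LOCKOUT_THRESHOLD = 5


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked: bool = False


class LoginGuard:
    """Toy lockout counter (not Checkmk's implementation).

    With count_second_factor=False it models the pre-werk behaviour: only
    password failures increment the counter, so wrong second-factor
    submissions never contribute to lockout.  With count_second_factor=True
    every second-factor failure counts as well.
    """

    def __init__(self, count_second_factor: bool) -> None:
        self.count_second_factor = count_second_factor
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def _record_failure(self, user: str) -> None:
        state = self._state(user)
        state.failed_attempts += 1
        if state.failed_attempts >= LOCKOUT_THRESHOLD:
            state.locked = True

    def password_failed(self, user: str) -> None:
        self._record_failure(user)

    def second_factor_failed(self, user: str, method: str) -> None:
        # Pre-werk behaviour: the failure is not recorded at all.
        # Fixed behaviour: it counts like any other failed login, whatever
        # the method was (the method name is kept only for logging purposes).
        if self.count_second_factor:
            self._record_failure(user)

    def login_succeeded(self, user: str) -> None:
        self._state(user).failed_attempts = 0

    def is_locked(self, user: str) -> bool:
        return self._state(user).locked


def second_factor_guessing_locks_account(count_second_factor: bool,
                                         attempts: int = 100) -> bool:
    """Simulate `attempts` wrong second-factor submissions for one user and
    report whether the account ended up locked."""
    guard = LoginGuard(count_second_factor)
    for _ in range(attempts):
        if guard.is_locked("alice"):  # constructed user name
            break
        guard.second_factor_failed("alice", method="factor")  # hypothetical method name
    return guard.is_locked("alice")


def password_guessing_locks_account(attempts: int = 100) -> bool:
    """Password failures lock the account in both variants."""
    guard = LoginGuard(count_second_factor=False)
    for _ in range(attempts):
        if guard.is_locked("alice"):
            break
        guard.password_failed("alice")
    return guard.is_locked("alice")


if __name__ == "__main__":
    print("pre-werk, 2FA failures ignored -> locked:",
          second_factor_guessing_locks_account(False))
    print("fixed, 2FA failures counted    -> locked:",
          second_factor_guessing_locks_account(True))
```

Running the block shows `False` for the pre-werk variant and `True` for the fixed one: the lockout mechanism only protects the second factor when second-factor failures feed the same counter as password failures.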

This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH.

Affected Versions:

  • 2.3.0

Indicators of Compromise:

Failed two factor authentication attempts can be identified within a Checkmk site's security log file (~/var/log/security.log).
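As an added example of turning this indicator into a check, the following script (not part of the werk or of Checkmk) applies a per-user sliding-window count of failed two-factor events. The log lines embedded below are constructed in a hypothetical layout; the actual line format of a site's `~/var/log/security.log` must be checked and `LINE_RE` adapted before using this against real data. The threshold and window are assumptions as well.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, Iterator, Tuple

# Constructed sample lines in a hypothetical layout (not the real security.log format).
SAMPLE_LOG = """\
2024-06-06 09:00:00,000 [auth] user=alice 2FA failed
2024-06-06 09:00:03,000 [auth] user=alice 2FA failed
2024-06-06 09:00:05,000 [auth] user=alice 2FA failed
2024-06-06 09:00:07,000 [auth] user=alice 2FA failed
2024-06-06 09:00:09,000 [auth] user=alice 2FA failed
2024-06-06 09:00:11,000 [auth] user=alice 2FA failed
2024-06-06 09:05:00,000 [auth] user=bob 2FA failed
2024-06-06 09:06:00,000 [auth] user=bob login succeeded
2024-06-06 11:00:00,000 [auth] user=carol 2FA failed
2024-06-06 11:30:00,000 [auth] user=carol 2FA failed
not a log line at all
"""

# Assumed layout: "<timestamp>,<ms> [auth] user=<name> <event text>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} "
    r"\[auth\] user=(?P<user>\S+) (?P<event>.+)$"
)
FAILED_2FA_EVENT = "2FA failed"  # assumed event text


def parse(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, user, event) for every line matching LINE_RE; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group("user"), m.group("event")


def find_2fa_bruteforce(log_text: str, threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)
                        ) -> Dict[str, Tuple[int, datetime, datetime]]:
    """Flag users with at least `threshold` failed 2FA events inside any `window`.

    Returns {user: (count_in_window, first_ts, last_ts)} for the largest
    run seen, using a per-user deque as the sliding window.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, Tuple[int, datetime, datetime]] = {}
    for ts, user, event in parse(log_text.splitlines()):
        if event != FAILED_2FA_EVENT:
            continue
        q = recent[user]
        q.append(ts)
        # Drop events that fell out of the window relative to the newest one.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[user] = (len(q), q[0], ts)
    return alerts


if __name__ == "__main__":
    for user, (count, first, last) in find_2fa_bruteforce(SAMPLE_LOG).items():
        print(f"{user}: {count} failed 2FA attempts between {first} and {last}")
```

On the constructed input only `alice` is reported (six failures within eleven seconds); `bob`'s single failure followed by a successful login and `carol`'s two failures half an hour apart stay below the threshold. A successful login does not reset the window here, since on a real site that reset would already be the lockout counter's job, not the detection's.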

Vulnerability Management:

We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N and assigned CVE CVE-2024-28833.
