Werk #15198: Brute-force protection ineffective for some login methods

Component: Setup
Title: Brute-force protection ineffective for some login methods
Date: Apr 9, 2024
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed
Checkmk versions & editions:
  • 2.4.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
  • 2.3.0b5 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
  • 2.2.0p26 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
  • 2.1.0p43 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Prior to this Werk, the mechanism to lock user accounts after too many failed login attempts was only effective for the web form login method. Login attempts via the REST API and basic authentication did not count towards the lockout mechanism. As a result, an attacker could try to brute-force user passwords without triggering the lockout mechanism.

This Werk adds the same locking mechanism to login via the REST API and basic authentication for human user accounts.

Note that automation accounts remain unaffected by the lockout mechanism, so that an attacker cannot deliberately lock them out by submitting failed attempts. It is therefore important to use long, random automation secrets.
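To make the change described above concrete, here is an added example (not Checkmk's own code) of a failed-login counter that is shared by every login path. The policy object decides which methods count towards the lockout: the pre-fix behaviour counts only the web form, the post-fix behaviour counts web form, REST API and basic authentication alike. Automation accounts are exempt, mirroring the note above. All names (`LockoutPolicy`, `LockoutTracker`, the method constants, the user names) are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical login-method identifiers (not Checkmk identifiers).
WEB_FORM = "web_form"
REST_API = "rest_api"
BASIC_AUTH = "basic_auth"
ALL_METHODS = frozenset({WEB_FORM, REST_API, BASIC_AUTH})


@dataclass(frozen=True)
class LockoutPolicy:
    """How many failures lock an account, and which login methods count."""
    max_failures: int = 5
    counted_methods: frozenset = ALL_METHODS


# Pre-fix behaviour: only web-form failures feed the counter.
PRE_FIX = LockoutPolicy(counted_methods=frozenset({WEB_FORM}))
# Post-fix behaviour: every human login path feeds the same counter.
POST_FIX = LockoutPolicy(counted_methods=ALL_METHODS)


@dataclass
class LockoutTracker:
    policy: LockoutPolicy
    automation_users: frozenset
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def is_locked(self, user: str) -> bool:
        return user in self.locked

    def attempt(self, user: str, method: str, password_ok: bool) -> bool:
        """Record one login attempt; return True only if the login succeeds."""
        if method not in ALL_METHODS:
            raise ValueError(f"unknown login method: {method}")
        # A locked account is rejected even with the correct password.
        if user in self.locked:
            return False
        if password_ok:
            self.failures.pop(user, None)  # success resets the counter
            return True
        # Automation accounts are exempt from lockout (they rely on long,
        # random secrets instead); uncounted methods never reach the counter.
        if user in self.automation_users or method not in self.policy.counted_methods:
            return False
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.policy.max_failures:
            self.locked.add(user)
        return False


def simulate(policy: LockoutPolicy) -> dict:
    """Constructed scenario: repeated wrong passwords via the REST API and
    basic auth against a human user and an automation user."""
    tracker = LockoutTracker(policy=policy, automation_users=frozenset({"automation"}))
    for i in range(policy.max_failures):
        method = REST_API if i % 2 == 0 else BASIC_AUTH
        tracker.attempt("alice", method, password_ok=False)
        tracker.attempt("automation", method, password_ok=False)
    # Does a subsequent correct password still get through?
    alice_login_ok = tracker.attempt("alice", WEB_FORM, password_ok=True)
    return {
        "alice_locked": tracker.is_locked("alice"),
        "alice_login_ok": alice_login_ok,
        "automation_locked": tracker.is_locked("automation"),
    }


if __name__ == "__main__":
    print("pre-fix :", simulate(PRE_FIX))
    print("post-fix:", simulate(POST_FIX))
```

Under `PRE_FIX` the REST and basic-auth failures never reach the counter, so the human account is still open after the whole run; under `POST_FIX` the same attempts lock it, and a later correct password is refused until the lock is cleared. The automation account is never locked under either policy, which is exactly why its secret must be long and random.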

This issue was found during internal review.

Affected Versions:

  • 2.3.0 (beta)
  • 2.2.0
  • 2.1.0
  • 2.0.0 (EOL)

Mitigations:

If updating is not possible, the brute-force attempts can be hindered by using a strong password policy.

Vulnerability Management:

We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N and assigned CVE CVE-2024-28825.
