Werk #15198: Brute-force protection ineffective for some login methods
| Component | Setup |
| Title | Brute-force protection ineffective for some login methods |
| Date | Apr 9, 2024 |
| Checkmk Edition | Checkmk Raw (CRE) |
| Checkmk Version | 2.1.0p43 2.2.0p26 2.3.0b5 2.4.0b1 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Compatible - no manual interaction needed |
Prior to this Werk, the mechanism to lock user accounts after too many failed login attempts was only effective for the web form login method. Login attempts via the REST API and basic authentication did not count towards the lockout mechanism. As a result, an attacker could try to brute-force user passwords without triggering the lockout mechanism.
This Werk adds the same locking mechanism to login via the REST API and basic authentication for human user accounts.
Note that automation accounts are remain unaffected by the lockout mechanism to avoid having them locked by malicious intent. It is therefore important to use long, random automation secrets.
This issue was found during internal review.
Affected Versions:
- 2.3.0 (beta)
- 2.2.0
- 2.1.0
- 2.0.0 (EOL)
Mitigations:
If updating is not possible, the brute-force attempts can be hindered by using a strong password policy.
Vulnerability Management:
We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
and assigned CVE CVE-2024-28825.
