Werk #16830: Bruteforce protection for two factor authentication
Component | Core & setup
Title | Bruteforce protection for two factor authentication
Date | Jun 6, 2024
Level | Trivial Change
Class | Security Fix
Compatibility | Compatible - no manual interaction needed
Checkmk versions & editions |
Prior to this werk, two factor authentication failures did not count towards a user's failed login attempts and therefore could not trigger account lockout. As a result, an attacker could brute-force, and thereby bypass, a user's second factor without triggering the lockout mechanism. All three two factor methods now count towards the failed login attempts against a user's account.
This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH.
Affected Versions:
- 2.3.0
Indicators of Compromise:
Failed two factor authentication attempts can be identified within a Checkmk site's security log file (~/var/log/security.log).
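The following is an added example, not part of the werk or of Checkmk itself. It illustrates the difference between the old and the new lockout accounting by counting failures per user over constructed security-log lines: the line layout, the event names (`password_failed`, `twofactor_failed`), the `method=` values and the lockout threshold are all assumptions for this example, so adapt `LINE_RE` to the actual format of your site's `~/var/log/security.log`.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed layout; real lines in
# ~/var/log/security.log may differ, so adapt LINE_RE accordingly.
SAMPLE_LOG = """\
2024-06-06 10:00:01,000 [cmk.web.security auth] password_failed user=alice
2024-06-06 10:00:05,000 [cmk.web.security auth] password_ok user=alice
2024-06-06 10:00:06,000 [cmk.web.security auth] twofactor_failed method=totp user=alice
2024-06-06 10:00:07,000 [cmk.web.security auth] twofactor_failed method=totp user=alice
2024-06-06 10:00:08,000 [cmk.web.security auth] twofactor_failed method=backup_code user=alice
2024-06-06 10:00:09,000 [cmk.web.security auth] twofactor_failed method=webauthn user=alice
2024-06-06 10:01:00,000 [cmk.web.security auth] password_failed user=bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<logger>[^\]]+)\] (?P<event>\w+)"
    r"(?: method=(?P<method>\S+))? user=(?P<user>\S+)$"
)

FAILURE_EVENTS = {"password_failed", "twofactor_failed"}


def failed_attempts(log_text: str, count_twofactor: bool = True) -> Counter:
    """Return the number of failed login attempts per user.

    count_twofactor=False models the pre-fix accounting, where only the
    password step fed the lockout counter; True models the fixed accounting,
    where every second-factor failure counts as well.
    """
    failures: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] not in FAILURE_EVENTS:
            continue
        if m["event"] == "twofactor_failed" and not count_twofactor:
            continue
        failures[m["user"]] += 1
    return failures


def users_over_threshold(log_text: str, threshold: int = 3,
                         count_twofactor: bool = True) -> list:
    """Users whose failure count reached the (assumed) lockout threshold."""
    counts = failed_attempts(log_text, count_twofactor)
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # Pre-fix accounting misses alice's four second-factor failures.
    print("pre-fix counting :", users_over_threshold(SAMPLE_LOG, count_twofactor=False))
    print("post-fix counting:", users_over_threshold(SAMPLE_LOG, count_twofactor=True))
```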
Vulnerability Management:
We have rated the issue with a CVSS score of 5.9 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N and assigned CVE-2024-28833.