Werk #16830: Bruteforce protection for two factor authentication

Component Core & setup
Title Bruteforce protection for two factor authentication
Date Jun 6, 2024
Checkmk Version 2.4.0b1 2.3.0p6
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Affected Editions
2.4.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p6 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Prior to this werk, Two Factor Authentication failures could not trigger account lockout. All three methods will now count towards failed login attempts against a user's account. As a result, an attacker could try to brute-force and therefore bypass user's two factor protections without triggering the lockout mechanism.

This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH.

Affected Versions:

  • 2.3.0

Indicators of Compromise:

Failed two factor authentication attempts can be identified within a Checkmk site's security log file (~/var/log/security.log).

Vulnerability Management:

We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N and assigned CVE CVE-2024-28833.

To the list of all Werks