Werk #16830: Bruteforce protection for two factor authentication

Component Core & setup
Title Bruteforce protection for two factor authentication
Date Jun 6, 2024
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.4.0b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p6 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Prior to this werk, Two Factor Authentication failures could not trigger account lockout. All three methods will now count towards failed login attempts against a user's account. As a result, an attacker could try to brute-force and therefore bypass user's two factor protections without triggering the lockout mechanism.

This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH.

Affected Versions:

  • 2.3.0

Indicators of Compromise:

Failed two factor authentication attempts can be identified within a Checkmk site's security log file (~/var/log/security.log).

Vulnerability Management:

We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N and assigned CVE CVE-2024-28833.

To the list of all Werks