Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jNjl4LTV4bXctdjQ0eM4AA5zG
CasaOS Improper Restriction of Excessive Authentication Attempts vulnerability
Summary
Here it is observed that the CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server.
Details
The web application lacks control over the login attempts i.e. why attacker can use a password brute force attack to find and get full access over the.
PoC
- Capture login request in proxy tool like Burp Suite and select password field.
- Here I have started attack with total number of 271 password tries where the last one is the correct password and as we can see in the following image we get a 400 Bad Request status code with the message "Invalid Password" and response length 769 on 1st request which was sent at Tue, 16 Jan 2024 18:31:32 GMT
Note: We have tested this vulnerability with more than 3400 tries. We have used 271 request counts just for demo purposes.
- Here the attack is completed and we can see in the following image we get 200 OK status code with the message "Ok" and response length 1509 on 271st request which was sent at Tue, 16 Jan 2024 18:32:01 GMT.
This means attacker can try 271 requests in 56 seconds.
Impact
This vulnerability allows attackers to get super user-level access over the server.
Mitigation
It is recommended to implement a proper rate-limiting mechanism on the server side where the configuration might be like:
If a specific IP address fails to login more than 5 times concurrently then that IP address must be blocked for at least 30 seconds. This will reduce the possibility of password brute-forcing attacks.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jNjl4LTV4bXctdjQ0eM4AA5zG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 months ago
Updated: 23 days ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-c69x-5xmw-v44x, CVE-2024-24767
References:
- https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c69x-5xmw-v44x
- https://github.com/IceWhaleTech/CasaOS-UserService/commit/62006f61b55951048dbace4ebd9e483274838699
- https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7
- https://nvd.nist.gov/vuln/detail/CVE-2024-24767
- https://pkg.go.dev/vuln/GO-2024-2614
- https://github.com/advisories/GHSA-c69x-5xmw-v44x
Blast Radius: 1.0
Affected Packages
go:github.com/IceWhaleTech/CasaOS-UserService
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 0.4.4.3, < 0.4.7
Fixed in: 0.4.7
All affected versions: 0.3.6, 0.3.7, 0.4.0, 0.4.1, 0.4.2, 0.4.4, 0.4.5
All unaffected versions: 0.4.7