User Enumeration and account brute force within Eucalyptus 1.6.2 for Enterprise Cloud
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Eucalyptus | Fix Released | Undecided | Daniel Nurmi | |
| eucalyptus (Ubuntu) | Fix Released | High | Chris Cheney | |
| Lucid | Fix Released | Low | Chris Cheney | |
| Maverick | Fix Released | High | Chris Cheney | |
Bug Description
I just wanted to raise a security issue directly with your team. Having installed Ubuntu Enterprise Cloud for some internal testing I have noticed that the admin function powered by eucalyptus is vulnerable to trivial user enumeration and password brute force attacks.
When an incorrect user name is supplied to the login page the following error is returned:
Error: Incorrect password
As compared to an invalid user name which gives:
Error: Username '' not found
Once a valid username has been identified it is then possible to brute force the password without any account lockout.
======
IMPACT:
* This bug allows someone to brute force user names and passwords on UEC by telling them specifically what is wrong about the login attempt.
ADDRESSED:
* This bug is addressed by changing the error messages to be a less descriptive 'Login incorrect'.
REPRODUCE:
* To reproduce this issue, try to log in with an invalid username or password.
REGRESSION POTENTIAL:
* The chances for regression are relatively low.
======
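The following is an added illustration, not code from Eucalyptus or from this bug's fix. It contrasts a login handler that returns the two distinguishable messages quoted in the report with one that returns the single 'Login incorrect' message the fix adopts, and it adds a per-account failure counter of the kind the report notes was missing. The user store, the `leaks_username` check, the `MAX_FAILURES` limit and the dummy-hash trick for unknown users are all assumptions of this example.

```python
"""Added example (not Eucalyptus code): distinguishable login errors leak
which usernames exist; a uniform message plus a failure counter removes
the leak and bounds password guessing."""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps each guess expensive; parameters are illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the example: username -> (salt, hash).
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential checked when the username is unknown, so the unknown-user
# path does the same work (and takes about the same time) as a wrong password.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)


def login_verbose(username: str, password: str) -> str:
    """Behaviour described in the bug: the message differs depending on
    whether the username exists, so accounts can be enumerated."""
    if username not in USERS:
        return f"Error: Username '{username}' not found"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Error: Incorrect password"
    return "OK"


MAX_FAILURES = 5          # assumed limit for this example
_failures = {}            # username -> consecutive failed attempts


def reset_failures() -> None:
    """Clear the counter (in a real system this would be time-based)."""
    _failures.clear()


def login_uniform(username: str, password: str) -> str:
    """Fix described in the bug: every failure yields the same message.
    The failure counter is an addition of this example."""
    if _failures.get(username, 0) >= MAX_FAILURES:
        return "Error: Login incorrect"
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Always run the comparison before consulting the user table so the
    # unknown-user and wrong-password paths are indistinguishable.
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if not ok:
        _failures[username] = _failures.get(username, 0) + 1
        return "Error: Login incorrect"
    _failures.pop(username, None)
    return "OK"


def leaks_username(login_fn) -> bool:
    """Check a handler for the defect: do an unknown user and a wrong
    password produce distinguishable messages?"""
    unknown = login_fn("no-such-user", "x")
    wrong_pw = login_fn("admin", "x")
    return unknown != wrong_pw


if __name__ == "__main__":
    print("verbose handler leaks usernames:", leaks_username(login_verbose))
    reset_failures()
    print("uniform handler leaks usernames:", leaks_username(login_uniform))
```

`leaks_username` is the kind of check worth keeping in a test suite: it fails the moment someone reintroduces a helpful-but-leaky message. A hard lockout after `MAX_FAILURES` lets a remote party lock accounts deliberately, so a production deployment would usually prefer a time-based limit or progressive delay; the counter here only shows that the unbounded guessing the report describes is a separate problem from the message text.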
Related branches
- Mathias Gug: Approve
- Dave Walker: Pending requested
- Diff: 0 lines
Changed in eucalyptus (Ubuntu Maverick):
- assignee: Dave Walker (davewalker) → Chris Cheney (ccheney)
- description: updated
- visibility: private → public

Changed in eucalyptus:
- status: New → Fix Released
Thanks, this clearly needs to be fixed. Luckily it does not provide an immediate security threat, as the brute forcing may take a while.