Security teams are concerned about the visible messages that appear on the Operator Console (OC) web page when the wrong credentials are entered.
In DX UIM 20.4CU10 and earlier and DX UIM 23.4CU1 and earlier, the login error messages make it possible to enumerate valid user accounts.
Entering an unknown username returns the error "Invalid Credentials". When the username exists but the password is wrong, the server instead returns "Invalid Credentials. Attempt(s) Left:2" (the remaining count depends on the configured lockout threshold). The difference between the two messages tells an attacker whether a username is valid before a single password has been guessed.
Affected Versions: DX UIM 20.4CU10 and earlier, and DX UIM 23.4CU1 and earlier
Vulnerability Prevention
We have enhanced the OC login GUI to be more secure. Instead of displaying a specific error message for each wrong password attempt, we now show the generic message "Invalid Credentials" for any incorrect input, whether the username exists or not.
Additionally, once the user account is locked after the configured number of wrong attempts, we display an account locked message. Users are no longer told how many attempts remain after each wrong password.
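The following example, added here and not code from DX UIM, models the two behaviours described above in a small Python login handler: a leaky version that returns the per-user "Attempt(s) Left" message, a hardened version that returns only the generic message until lockout, and an oracle check of the kind a tester would run to confirm whether the responses still distinguish a real username from a bogus one. The account store, password hashing, lockout threshold of 3 and the probe usernames are all constructed for illustration and are assumptions, not UIM's configuration.

```python
"""Username-enumeration oracle in a login form: leaky vs hardened responses.

Added example, not DX UIM code. The credential store, hashing scheme and
lockout threshold below are constructed for illustration only.
"""
import copy
import hashlib
import hmac
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3  # assumed lockout threshold; in UIM this is configurable
GENERIC_MESSAGE = "Invalid Credentials"
LOCKED_MESSAGE = "Account locked"


def _hash(password: str) -> bytes:
    # Illustrative only; a real store would use a salted, slow KDF.
    return hashlib.sha256(password.encode()).digest()


@dataclass
class AccountStore:
    # Constructed sample accounts: username -> password hash.
    users: dict = field(default_factory=lambda: {
        "admin": _hash("S3cret!"),
        "operator": _hash("hunter2"),
    })
    failures: dict = field(default_factory=dict)

    def check_password(self, username: str, password: str) -> bool:
        stored = self.users.get(username)
        if stored is None:
            # Do a comparison anyway so unknown users cost the same time.
            hmac.compare_digest(_hash(password), _hash("dummy"))
            return False
        return hmac.compare_digest(_hash(password), stored)


def leaky_login(store: AccountStore, username: str, password: str) -> str:
    """Pre-fix behaviour: the message reveals whether the username exists."""
    if username not in store.users:
        return GENERIC_MESSAGE
    if store.failures.get(username, 0) >= MAX_ATTEMPTS:
        return LOCKED_MESSAGE
    if store.check_password(username, password):
        store.failures[username] = 0
        return "OK"
    store.failures[username] = store.failures.get(username, 0) + 1
    left = MAX_ATTEMPTS - store.failures[username]
    # Only real accounts ever get this message: that is the oracle.
    return f"{GENERIC_MESSAGE}. Attempt(s) Left:{left}"


def hardened_login(store: AccountStore, username: str, password: str) -> str:
    """Post-fix behaviour: one generic message until lockout, no counter shown."""
    ok = store.check_password(username, password)  # always evaluated
    if username in store.users:
        if store.failures.get(username, 0) >= MAX_ATTEMPTS:
            return LOCKED_MESSAGE
        if ok:
            store.failures[username] = 0
            return "OK"
        store.failures[username] = store.failures.get(username, 0) + 1
        if store.failures[username] >= MAX_ATTEMPTS:
            return LOCKED_MESSAGE
    # Unknown user and wrong password look identical from the outside.
    return GENERIC_MESSAGE


def enumeration_oracle(login, store: AccountStore, candidate: str,
                       probes: int = 2) -> bool:
    """True if the login messages distinguish `candidate` from a username
    that cannot exist. Works on a copy so the probes never lock real accounts.
    Probes stay below MAX_ATTEMPTS so lockout itself is not what is compared."""
    sandbox = copy.deepcopy(store)
    bogus = "no-such-user-7f3a"  # assumed absent from the store
    seen_candidate = {login(sandbox, candidate, "wrong-password") for _ in range(probes)}
    seen_bogus = {login(sandbox, bogus, "wrong-password") for _ in range(probes)}
    return seen_candidate != seen_bogus


if __name__ == "__main__":
    store = AccountStore()
    print("leaky, admin:", enumeration_oracle(leaky_login, store, "admin"))
    print("hardened, admin:", enumeration_oracle(hardened_login, store, "admin"))
```

Note the caveat the advisory itself implies: the "Account locked" message is still only ever returned for accounts that exist, so an attacker willing to burn the configured number of attempts can still confirm a username and lock it out in the process. The generic message closes the cheap oracle; lockout monitoring and rate limiting on the login endpoint are what cover the remaining one.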
This enhancement will be delivered with the upcoming releases:
DX UIM 23.4CU3 (no ETA yet for release)
and
DX UIM 20.4CU11 (no ETA yet for release)