OC authentication page allows user enumeration through detailed error messages
Article ID: 366697

Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

Security teams are concerned about the messages that the Operator Console (OC) web login page displays when incorrect credentials are entered.

In DX UIM 20.4CU10 and earlier and in DX UIM 23.4CU1 and earlier, the login error differs depending on whether the username exists, so an unauthenticated attacker can enumerate valid user accounts by submitting login attempts.

Entering a username that does not exist returns the error "Invalid Credentials". Entering a username that does exist with a wrong password returns the error "Invalid Credentials. Attempt(s) Left:2". The difference in the response confirms which usernames are valid accounts.

Environment

Affected Version: DX UIM 20.4CU10 and earlier and on DX UIM 23.4CU1 and earlier

Cause

Vulnerability Prevention

Resolution

The OC login GUI has been enhanced to be more secure. Instead of displaying a different error message for each wrong password attempt, it now shows the same generic message, "Invalid Credentials", for any incorrect input, whether or not the username exists.

Additionally, once the user account is locked after the configured number of failed attempts, an account locked message is displayed. Users are no longer told how many attempts remain after each wrong password.
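The following is an added example, not DX UIM code. It simulates the two login behaviours described in this article (the pre-fix messages quoted above and the post-fix generic message plus lock message) and runs the kind of single-probe enumeration check a security team would use to confirm whether a login page leaks account validity. The lockout threshold of 3, the sample accounts, and the exact wording of the lock message are assumptions; the article only says that an account locked message is shown.

```python
"""Added example: simulate the OC login responses before and after the fix
and run a user-enumeration oracle against both.

This is a stand-alone model of the behaviour the article describes, not
the product's own code.
"""
from dataclasses import dataclass, field

# Assumed lockout threshold; in a real deployment this is the configured
# number of allowed failed attempts. With 3, the first wrong password for a
# valid account yields "Attempt(s) Left:2", matching the article.
MAX_ATTEMPTS = 3

# Constructed sample user store (username -> password); not real accounts.
SAMPLE_USERS = {"admin": "s3cret", "operator": "hunter2"}


@dataclass
class LoginService:
    """Simulated OC login endpoint.

    hardened=False reproduces the pre-fix messages quoted in the article.
    hardened=True reproduces the post-fix behaviour: the same generic
    message for unknown users and wrong passwords, and a lock message once
    the threshold is reached.
    """
    users: dict
    hardened: bool = False
    failures: dict = field(default_factory=dict)

    def login(self, username: str, password: str) -> str:
        if username not in self.users:
            # Unknown account: both versions return the generic message.
            return "Invalid Credentials"

        if self.failures.get(username, 0) >= MAX_ATTEMPTS:
            # Lock message wording is assumed (article only says an
            # "account locked" message is displayed).
            return "Account locked"

        if self.users[username] == password:
            self.failures[username] = 0
            return "OK"

        self.failures[username] = self.failures.get(username, 0) + 1
        remaining = MAX_ATTEMPTS - self.failures[username]
        if remaining <= 0:
            # Behaviour at the moment of lockout is not specified by the
            # article for the old version; both versions lock here.
            return "Account locked"
        if self.hardened:
            return "Invalid Credentials"
        # Pre-fix leak: the remaining-attempts counter appears only for
        # usernames that exist.
        return f"Invalid Credentials. Attempt(s) Left:{remaining}"


def enumerate_users(service: LoginService, candidates: list) -> set:
    """Single-probe enumeration oracle an unauthenticated attacker can run.

    Baseline: the response for a username that certainly does not exist.
    Any candidate whose response to a deliberately wrong password differs
    from that baseline is reported as a valid account. Each probe costs the
    target account one failed attempt.
    """
    baseline = service.login("no-such-user-9f3a", "definitely-wrong")
    return {
        name for name in candidates
        if service.login(name, "definitely-wrong") != baseline
    }


def demo() -> dict:
    """Run the oracle against a fresh pre-fix and post-fix service."""
    candidates = ["admin", "guest", "operator", "root"]
    before = enumerate_users(LoginService(dict(SAMPLE_USERS)), candidates)
    after = enumerate_users(LoginService(dict(SAMPLE_USERS), hardened=True),
                            candidates)
    return {"before_fix": before, "after_fix": after}


if __name__ == "__main__":
    for label, found in demo().items():
        print(f"{label}: accounts confirmed by the oracle = {sorted(found)}")
```

Running it reports the two sample accounts for the pre-fix model and nothing for the post-fix model. One caveat worth keeping in mind when testing the fixed build: the oracle above uses a single probe per name, but the lock message described in this article is still only ever shown for an existing account, so an attacker willing to burn the configured number of attempts per username can still tell accounts apart (while also locking them out). The generic message removes the cheap, one-request leak; lockout thresholds, alerting on bursts of failed logins, and rate limiting remain the controls against the remaining, noisier path.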

This enhancement will be delivered in the upcoming releases:

DX UIM 23.4CU3 (no release ETA yet)

and

DX UIM 20.4CU11 (no release ETA yet)