[24692] in bugtraq
Account Lockout Vulnerability in Oblix NetPoint v5.2
daemon@ATHENA.MIT.EDU (Bill Canning)
Thu Mar 14 20:09:20 2002
Date: 14 Mar 2002 08:21:02 -0000
Message-ID: <20020314082102.14955.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Bill Canning <william.canning@ey.com>
To: bugtraq@securityfocus.com
Name: Oblix NetPoint 5.2 Account Lockout Bug
Vendor: Oblix
Homepage: http://www.oblix.com/products/netpoint/index.html
Versions: Confirmed on v5.2, probable on earlier versions
Severity: Medium to High Risk
Description:
"Oblix NetPoint creates a unified e-business infrastructure by providing an integrated access control and identity management solution that can be extended to all e-business initiatives. It gets its power and flexibility from a three-tier Web services architecture." (Oblix NetPoint Product Description)
Issues:
Ernst & Young security professionals have discovered a security vulnerability in the latest version of Oblix NetPoint (v5.2). The vulnerability involves account lockout processing. The problem is that if a user attempts to log in repeatedly with an invalid password, the user's account is locked temporarily for a configurable lockout period after a configurable number of invalid attempts. However, after the lockout period expires, the system cannot lock that account again no matter how many invalid login attempts are made. The account can only be relocked after a successful login occurs. The effect is that after the first lockout occurs, the account is vulnerable to automated or manual password cracking.
This bug may or may not be present in versions of NetPoint prior to v5.2. Oblix has created a patch for this vulnerability under v5.2.
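The lockout state machine described above, modelled as an added example that is not Oblix's code: a hypothetical tracker whose `fixed=False` mode reproduces the reported behaviour (lockout expiry never clears the locked state, so later failures are ignored until a successful login), next to the corrected transition. Account name, attempt limit and lockout period are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None  # absolute time; None = never locked

class LockoutTracker:
    """Hypothetical lockout tracker; fixed=False reproduces the advisory's bug."""
    def __init__(self, max_attempts: int, lockout_seconds: float, fixed: bool):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.fixed = fixed
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        st = self.accounts.setdefault(user, AccountState())
        return st.locked_until is not None and now < st.locked_until

    def record_failure(self, user: str, now: float) -> None:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None:
            if not self.fixed:
                # Bug: locked_until is never cleared on expiry, so failures on a
                # previously locked account are ignored until a successful login.
                return
            if now < st.locked_until:
                return  # still locked; the attempt is rejected anyway
            # Fix: treat expiry as a state transition and start counting again.
            st.locked_until = None
            st.failures = 0
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0

    def record_success(self, user: str) -> None:
        self.accounts[user] = AccountState()  # a successful login clears the state

def relocks_after_expiry(fixed: bool) -> bool:
    """Lock once, wait out the period, then fail again: does the account re-lock?"""
    t = LockoutTracker(max_attempts=3, lockout_seconds=600, fixed=fixed)
    for i in range(3):
        t.record_failure("alice", now=i)        # third failure locks at t=2
    for i in range(3):
        t.record_failure("alice", now=700 + i)  # lockout expired at t=602
    return t.is_locked("alice", now=710)
```

A regression test for the real product would follow the same shape: trigger one lockout, wait out the configured period, and assert that the next run of invalid attempts locks the account again.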
Recommendation:
Either test your system yourself, or contact Oblix to determine if your version of NetPoint is vulnerable. If your installation is vulnerable, contact Oblix for a patch as soon as possible. In any case, you should install the patch from Oblix as soon as it is available.
Exploits:
No specific exploits exist for this vulnerability, although any automated web-based password guesser could be used to break into a vulnerable system.
Reported By:
Bill Canning (william.canning@ey.com)