CVE-2024-24767
Severity: HIGH (7.3) | EPSS: 0.70%
CasaOS Improper Restriction of Excessive Authentication Attempts vulnerability
Description
### Summary
CasaOS does not defend against password brute-force attacks on its login endpoint, so an attacker who guesses the password obtains full access to the server.

### Details
The web application places no limit on failed login attempts: there is no lockout, delay or rate limit, so an attacker can submit password guesses back to back until one succeeds and then has full access to the server.

### PoC
1. Capture the login request in a proxy tool such as Burp Suite and mark the password field as the payload position.
2. The attack was started with 271 password candidates, the last one being the correct password. The 1st request, sent at _Tue, 16 Jan 2024 18:31:32 GMT_, returned **400 Bad Request** with the message "**Invalid Password**" and a response length of **769**.
   **Note**: the issue was tested with more than 3400 tries; 271 requests were used here only for demonstration purposes.
3. When the attack completed, the 271st request, sent at _Tue, 16 Jan 2024 18:32:01 GMT_, returned **200 OK** with the message "**Ok**" and a response length of **1509**, i.e. a successful login. The whole run of 271 requests took under a minute (56 seconds by the reporter's count; the quoted first and last timestamps are 29 seconds apart) and not one request was delayed or blocked for excessive attempts.

### Impact
An attacker who reaches the login endpoint can brute-force the password and obtain super-user-level access to the server.

### Mitigation
Implement server-side rate limiting of failed login attempts, for example: if a specific IP address fails to log in more than 5 times consecutively, block further login attempts from that IP address for at least 30 seconds. This sharply reduces the guess rate available to a brute-force attack.
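The lockout policy described in the mitigation above, written out as a small Go throttle. This is an added example and not CasaOS-UserService's own code or its actual fix (see the patch commit in the references for that); the `Limiter` type, the `/login` path and the sample addresses are assumptions made for illustration. After five consecutive failures from one client IP, the wrapper answers `429 Too Many Requests` for thirty seconds before the login handler is ever reached; the clock is injectable so the behaviour can be checked without sleeping.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Limiter is a hypothetical per-client failed-login throttle (example code,
// not CasaOS-UserService's implementation). After maxFailures consecutive
// failures from one IP, logins from that IP are refused for lockout.
type Limiter struct {
	mu          sync.Mutex
	maxFailures int
	lockout     time.Duration
	now         func() time.Time // injectable clock, time.Now in production
	clients     map[string]*clientState
}

type clientState struct {
	failures    int
	lockedUntil time.Time // zero while the client is not locked
}

func NewLimiter(maxFailures int, lockout time.Duration) *Limiter {
	return &Limiter{maxFailures: maxFailures, lockout: lockout,
		now: time.Now, clients: make(map[string]*clientState)}
}

// Allow reports whether ip may attempt a login right now. An expired lockout
// is cleared here, so the client starts over with a fresh failure budget.
func (l *Limiter) Allow(ip string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	st, ok := l.clients[ip]
	if !ok || st.lockedUntil.IsZero() {
		return true
	}
	if l.now().Before(st.lockedUntil) {
		return false
	}
	delete(l.clients, ip)
	return true
}

// RecordFailure counts one failed login and locks the client once the
// consecutive-failure threshold is reached.
func (l *Limiter) RecordFailure(ip string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	st := l.clients[ip]
	if st == nil {
		st = &clientState{}
		l.clients[ip] = st
	}
	st.failures++
	if st.failures >= l.maxFailures {
		st.lockedUntil = l.now().Add(l.lockout)
	}
}

// RecordSuccess clears the client's failure history after a valid login.
func (l *Limiter) RecordSuccess(ip string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.clients, ip)
}

// Failures returns the current consecutive-failure count for ip.
func (l *Limiter) Failures(ip string) int {
	l.mu.Lock()
	defer l.mu.Unlock()
	if st := l.clients[ip]; st != nil {
		return st.failures
	}
	return 0
}

// clientIP keys the throttle on the TCP peer address. X-Forwarded-For is
// deliberately ignored: unless a trusted reverse proxy sets it, an attacker
// can forge a new "client IP" per request and dodge the lockout.
func clientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// Wrap rejects locked-out clients with 429 before the login handler runs.
// The wrapped handler is expected to call RecordFailure or RecordSuccess.
func (l *Limiter) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !l.Allow(clientIP(r)) {
			w.Header().Set("Retry-After", fmt.Sprintf("%d", int(l.lockout.Seconds())))
			http.Error(w, "too many failed login attempts", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one synthetic POST /login from ip through the wrapper and
// returns the status code (the inner handler always says 200 here).
func probe(l *Limiter, ip string) int {
	h := l.Wrap(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodPost, "/login", nil)
	req.RemoteAddr = ip + ":51234" // constructed peer address
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	l := NewLimiter(5, 30*time.Second)
	ip := "203.0.113.7" // constructed attacker address
	for i := 1; i <= 6; i++ {
		fmt.Printf("attempt %d -> HTTP %d\n", i, probe(l, ip))
		l.RecordFailure(ip)
	}
}
```

With the advisory's 5-failures / 30-second policy an attacker is still allowed roughly ten guesses per minute per source address, and a lockout keyed only on IP can be sidestepped from many addresses or abused to lock out legitimate users behind a shared NAT. In practice the per-IP throttle is combined with a per-account counter, an increasing backoff instead of a fixed window, and audit logging of the lockouts.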
Affected packages (2)
- Go / github.com/IceWhaleTech/CasaOS-UserService: >= 0.4.4.3, < 0.4.7
- Go / github.com/IceWhaleTech/CasaOS-UserService: >= 0.4.4-3-alpha1, < 0.4.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-24767
- PATCH: https://github.com/IceWhaleTech/CasaOS-UserService
- WEB: https://github.com/IceWhaleTech/CasaOS-UserService/commit/62006f61b55951048dbace4ebd9e483274838699
- WEB: https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7
- WEB: https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c69x-5xmw-v44x
- WEB: https://pkg.go.dev/vuln/GO-2024-2614