[midPoint] Security Advisory: SOAP Web Service Vulnerable To Brute Force Attack
Radovan Semancik
radovan.semancik at evolveum.com
Tue Jul 9 15:43:03 CEST 2019
Date: 9 July 2019
Severity: Medium (CVSS 4.9)
Affected versions: all released midPoint versions
Fixed in versions: 4.0 (unreleased), 3.9.1 (unreleased), 3.8.1
(unreleased), 3.7.3 (unreleased), 3.6.2 (unreleased)
Description
SOAP-based web service interface of midPoint does not limit
authentication attempts.
Severity and Impact
An attacker with access to midPoint SOAP web service can issue numerous
operation requests without any limitation of wrong authentication
attempts. This can be used by an attacker for brute force attacks on
user passwords.
Mitigation
Users of affected MidPoint versions are advised to upgrade their
deployments to the latest builds from the support branches.
As this is a medium severity issue, it is not forcing official
maintenance releases of midPoint. However, the fix is provided in all
the support branches.
Discussion and Explanation
MidPoint is using custom authentication module for SOAP web services.
Although authentication attempts were properly limited in midPoint user
interface and REST service, such limitation was not applied to SOAP web
service.
As SOAP web service is usually not accessible to public use, impact of
this security vulnerability is limited. Even though the SOAP interface
is becoming obsolete and it is going to be deprecated in midPoint 4.0,
this security vulnerability was fixed in all supported versions of midPoint.
RESTful interface is not affected by this vulnerability.
Credit
This issue was reported by tester known as nistr by the means of EU-Free
and Open Source Software Auditing (EU-FOSSA2) project.
See Also
https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+SOAP+Web+Service+Vulnerable+To+Brute+Force+Attack
--
Radovan Semancik
Software Architect
evolveum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20190709/4cbf1501/attachment.htm>
More information about the midPoint
mailing list