[midPoint] Security Advisory: SOAP Web Service Vulnerable To Brute Force Attack

Radovan Semancik radovan.semancik at evolveum.com
Tue Jul 9 15:43:03 CEST 2019


Date: 9 July 2019
Severity: Medium (CVSS 4.9)
Affected versions: all released midPoint versions
Fixed in versions: 4.0 (unreleased), 3.9.1 (unreleased), 3.8.1 
(unreleased), 3.7.3 (unreleased), 3.6.2 (unreleased)

Description

SOAP-based web service interface of midPoint does not limit 
authentication attempts.

Severity and Impact

An attacker with access to midPoint SOAP web service can issue numerous 
operation requests without any limitation of wrong authentication 
attempts. This can be used by an attacker for brute force attacks on 
user passwords.

Mitigation

Users of affected MidPoint versions are advised to upgrade their 
deployments to the latest builds from the support branches.
As this is a medium severity issue, it is not forcing official 
maintenance releases of midPoint. However, the fix is provided in all 
the support branches.

Discussion and Explanation

MidPoint is using custom authentication module for SOAP web services. 
Although authentication attempts were properly limited in midPoint user 
interface and REST service, such limitation was not applied to SOAP web 
service.

As SOAP web service is usually not accessible to public use, impact of 
this security vulnerability is limited. Even though the SOAP interface 
is becoming obsolete and it is going to be deprecated in midPoint 4.0, 
this security vulnerability was fixed in all supported versions of midPoint.

RESTful interface is not affected by this vulnerability.


Credit

This issue was reported by tester known as nistr by the means of EU-Free 
and Open Source Software Auditing (EU-FOSSA2) project.

See Also

https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+SOAP+Web+Service+Vulnerable+To+Brute+Force+Attack

-- 
Radovan Semancik
Software Architect
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20190709/4cbf1501/attachment.htm>


More information about the midPoint mailing list