GHSA-C69X-5XMW-V44X

Vulnerability from github – Published: 2024-03-06 15:25 – Updated: 2025-04-10 23:07
VLAI?
Summary
CasaOS Improper Restriction of Excessive Authentication Attempts vulnerability
Details

Summary

Here it is observed that the CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server.

Details

The web application lacks control over the login attempts i.e. why attacker can use a password brute force attack to find and get full access over the.

PoC

  1. Capture login request in proxy tool like Burp Suite and select password field.

1

  1. Here I have started attack with total number of 271 password tries where the last one is the correct password and as we can see in the following image we get a 400 Bad Request status code with the message "Invalid Password" and response length 769 on 1st request which was sent at Tue, 16 Jan 2024 18:31:32 GMT

2

Note: We have tested this vulnerability with more than 3400 tries. We have used 271 request counts just for demo purposes.

  1. Here the attack is completed and we can see in the following image we get 200 OK status code with the message "Ok" and response length 1509 on 271st request which was sent at Tue, 16 Jan 2024 18:32:01 GMT.

3

This means attacker can try 271 requests in 56 seconds.

Impact

This vulnerability allows attackers to get super user-level access over the server.

Mitigation

It is recommended to implement a proper rate-limiting mechanism on the server side where the configuration might be like: If a specific IP address fails to login more than 5 times concurrently then that IP address must be blocked for at least 30 seconds. This will reduce the possibility of password brute-forcing attacks.

Severity ?
7.3 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/IceWhaleTech/CasaOS-UserService"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4.4.3"
            },
            {
              "fixed": "0.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24767"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-06T15:25:08Z",
    "nvd_published_at": "2024-03-06T18:15:46Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nHere it is observed that the CasaOS doesn\u0027t defend against password brute force attacks, which leads to having full access to the server.\n\n### Details\nThe web application lacks control over the login attempts i.e. why attacker can use a password brute force attack to find and get full access over the.\n\n### PoC\n1. Capture login request in proxy tool like Burp Suite and select password field.\n\n![1](https://user-images.githubusercontent.com/63414468/297156515-0272bfd7-f386-4c22-b3bd-c4dbdc1298bf.PNG)\n\n2. Here I have started attack with total number of 271 password tries where the last one is the correct password and as we can see in the following image we get a **400 Bad Request** status code with the message \"**Invalid Password**\" and response length **769** on 1st request which was sent at **_Tue, 16 Jan 2024 18:31:32 GMT_**\n\n![2](https://user-images.githubusercontent.com/63414468/297157815-c158995b-7d46-4a5a-aef9-bcbbcf596b15.png)\n\n**Note**:  _We have tested this vulnerability with more than 3400 tries. We have used 271 request counts just for demo purposes._\n\n\n3. Here the attack is completed and we can see in the following image we get **200 OK** status code with the message \"**Ok**\" and response length **1509** on 271st request which was sent at **_Tue, 16 Jan 2024 18:32:01 GMT_**.\n\n![3](https://user-images.githubusercontent.com/63414468/297159282-3f4788b5-6217-4f32-8be6-40ac117710e3.png)\n\nThis means attacker can try 271 requests in 56 seconds.\n\n### Impact\nThis vulnerability allows attackers to get super user-level access over the server.\n\n\n### Mitigation\nIt is recommended to implement a proper rate-limiting mechanism on the server side where the configuration might be like:\nIf a specific IP address fails to login more than 5 times concurrently then that IP address must be blocked for at least 30 seconds. This will reduce the possibility of password brute-forcing attacks.",
  "id": "GHSA-c69x-5xmw-v44x",
  "modified": "2025-04-10T23:07:21Z",
  "published": "2024-03-06T15:25:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c69x-5xmw-v44x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24767"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IceWhaleTech/CasaOS-UserService/commit/62006f61b55951048dbace4ebd9e483274838699"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/IceWhaleTech/CasaOS-UserService"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-2614"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CasaOS Improper Restriction of Excessive Authentication Attempts vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.