CVE-2024-2464: Application users enumeration in CDeX
Vulnerability detected by me in the CDeX software offered by the company of the same name. The vulnerability occurs in the password recovery flow: a difference in the responses returned for existing and non-existing accounts lets an attacker determine whether a given username is valid, which enables a brute-force attack against a list of confirmed users.
Overview
On the software manufacturer’s website, we can read the following product description: “CDeX (Cyber Defense eXercise Platform) is a virtual training platform designed to enhance cyber defense skills and develop cybersecurity technologies. Our advanced cyber offering provides a fully scalable, automated, and hyperrealistic training environment, which allows team members to build competence in the field of cyber defense.”
Vulnerability description
Access to the platform is possible either through SSO (Single Sign-On) or by entering credentials (username and password). A user who forgets their password can use the password recovery option. An attacker can submit usernames to the password recovery mechanism and, by comparing the differences in the responses received, reliably identify which users exist in the application.
Exploitation scenario
An example of exploiting the vulnerability is presented in the following video:
Timeline
| Date | Action |
|---|---|
| 1 February 2024 | Report sent to CDeX |
| 15 February 2024 | Report sent to CERT Polska |
| 23 February 2024 | CDeX confirms the vulnerability exists |
| 11 March 2024 | CDeX releases a software patch |
| 15 March 2024 | CERT Polska assigns CVE-2024-2464 to this vulnerability |
| 21 March 2024 | CERT Polska publishes the vulnerability |
How to prevent similar vulnerabilities in your application
It is considerably easier for an attacker to break your authentication mechanisms if you reveal that a user exists on the system. There are even certain situations where, due to the nature of the website, the knowledge that a particular person has an account is sensitive information in itself.
Regardless of whether an attempted username is valid, it is important to return identical, generic messages, and to verify that they really are identical rather than merely similar. You should always return the same HTTP status code for each login or password-recovery request and, finally, make the response times in the different scenarios as indistinguishable as possible.
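As an added illustration (not code from this advisory or from CDeX), the two patterns side by side in Python: a password-recovery handler that leaks account existence through its message and status code, and a hardened one that returns the same status and body for every input, does the same work on both paths, and floors its response time. The user store, queue and handler names are constructed for this example.

```python
import secrets
import time

# Constructed sample user store for the example (hypothetical, not CDeX data).
USERS = {"alice@example.test": "user-1", "bob@example.test": "user-2"}

# Reset e-mails are queued here and sent out of band, so the (slow, existence-
# dependent) delivery step never shows up in the HTTP response time.
MAIL_QUEUE = []


def recover_password_vulnerable(username):
    """Leaks existence: a different message and status code on each branch."""
    if username not in USERS:
        return 404, "No account with this username exists."
    token = secrets.token_urlsafe(32)
    MAIL_QUEUE.append((username, token))
    return 200, "A password reset link has been sent."


GENERIC_REPLY = "If an account exists for this address, a reset link has been sent."


def recover_password_hardened(username, min_seconds=0.02):
    """Same status, same body, same work, and a floored response time."""
    started = time.monotonic()
    token = secrets.token_urlsafe(32)          # generated whether or not the user exists
    user_id = USERS.get(username)              # one lookup on both paths
    if user_id is not None:
        MAIL_QUEUE.append((username, token))   # cheap enqueue; delivery happens elsewhere
    elapsed = time.monotonic() - started
    if elapsed < min_seconds:
        time.sleep(min_seconds - elapsed)      # both branches take at least min_seconds
    return 200, GENERIC_REPLY


def leaks_existence(handler, known_user, unknown_user):
    """Defender self-check: True if status or body differ for a known vs unknown user."""
    return handler(known_user) != handler(unknown_user)


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_existence(recover_password_vulnerable,
                                               "alice@example.test", "nobody@example.test"))
    print("hardened leaks:  ", leaks_existence(recover_password_hardened,
                                               "alice@example.test", "nobody@example.test"))
```

The self-check compares only status and body; response-time comparisons need repeated measurements against the real endpoint, which is why the hardened handler pads to a fixed floor.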