Bug 2107990 (CVE-2022-2457)

Summary: CVE-2022-2457 Business-central: admin console prone to brute force attack
Product: [Other] Security Response
Component: vulnerability
Reporter: Paramvir jindal <pjindal>
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
CC: alazarot, anstephe, emingora, ibek, jrokos, kverlaen, mnovotny, niipobwnledhqcjclq, pjindal, rguimara
Bug Blocks: 2107981, 2107995
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Business Central in Red Hat Process Automation Manager 7. This flaw allows an attacker to mount a brute-force attack against the Administration Console, because the application does not limit the number of unsuccessful login attempts.

Description Paramvir jindal 2022-07-18 08:05:41 UTC
IBM pentesting results:
https://docs.google.com/spreadsheets/d/1Iwbhk0lwGoNskLidsY5CXmc5MwKt5VfmJCaX21xyruo


The application does not limit the number of unsuccessful login attempts. Not limiting the number of unsuccessful login attempts exposes the application to a brute force attack in which a malicious user tries to gain access to the application by sending a large number of possible passwords and/or usernames, i.e., dictionary-based attacks.

Also, the weakness occurs when the application does not check the complexity or minimum length of the provided passwords. The entire security of the application depends on its authentication mechanism. Weak password requirements allow users to create weak passwords, susceptible to a variety of attacks. Passwords are prone to brute force attacks; an attacker can easily brute force the passwords if the password policy is weak.

It is observed that there is no account lockout implemented for the Business Central application and new users can be created by Admin with weak passwords.

Steps to Reproduce:
- Open the Business Central login page of the application
- Enter wrong credentials.
- Try to do the same activity more than 10 times
- Check account lockout after entering the wrong password more than 10 times

Observations: The account is not locked out after entering the wrong password more than 1000 times
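The two weaknesses in the report above (unlimited failed logins and no password policy) and the mitigation the reporter asks for can be seen side by side in the following added example. It is not code from the bug report and not Business Central's own authentication code; the names (AuthService, LockoutPolicy, dictionary_attack), the thresholds and the wordlist are constructed for illustration. A deliberately small dictionary is run against the same account once with no lockout and once with a five-failure lockout.

```python
"""Added example: per-account lockout and a password-complexity check,
with a simulated dictionary attack run with and without the lockout.
All names and values are hypothetical, not Business Central's."""
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    max_failures: int = 5            # consecutive failures before the account locks
    lockout_seconds: float = 900.0   # how long the account stays locked


def password_meets_policy(password: str, min_length: int = 12) -> bool:
    """Illustrative rule: minimum length plus three of four character classes."""
    if len(password) < min_length:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    return sum(bool(re.search(c, password)) for c in classes) >= 3


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self, policy: Optional[LockoutPolicy] = None,
                 clock: Callable[[], float] = time.monotonic,
                 enforce_password_policy: bool = True) -> None:
        self.policy = policy                       # None reproduces the reported behaviour
        self.clock = clock                         # injectable so lockout expiry can be tested
        self.enforce_password_policy = enforce_password_policy
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, pbkdf2 hash)
        self.failures: Dict[str, int] = {}                 # username -> consecutive failures
        self.locked_until: Dict[str, float] = {}           # username -> clock value

    def add_user(self, username: str, password: str) -> None:
        if self.enforce_password_policy and not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'bad_credentials' or 'locked'."""
        now = self.clock()
        if self.policy and self.locked_until.get(username, 0.0) > now:
            return "locked"          # refused before the password is even checked
        record = self.users.get(username)
        # Hash for unknown users too, so response time does not reveal valid usernames.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
        ok = record is not None and hmac.compare_digest(hash_password(password, salt), stored)
        if ok:
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if self.policy and count >= self.policy.max_failures:
            self.locked_until[username] = now + self.policy.lockout_seconds
            self.failures.pop(username, None)
        return "bad_credentials"


def dictionary_attack(service: AuthService, username: str,
                      wordlist: List[str]) -> Tuple[Optional[str], int, str]:
    """Try candidates in order; stop on success or lockout.
    Returns (recovered password or None, attempts made, last status)."""
    attempts, last = 0, ""
    for candidate in wordlist:
        attempts += 1
        last = service.login(username, candidate)
        if last in ("ok", "locked"):
            return (candidate if last == "ok" else None), attempts, last
    return None, attempts, last


def demo(clock: Callable[[], float] = time.monotonic) -> Dict[str, Tuple[Optional[str], int, str]]:
    # Constructed wordlist; "Password1" is the weak password the admin chose.
    wordlist = ["123456", "password", "admin", "qwerty", "welcome1",
                "letmein", "Password1", "changeme"]
    results = {}
    # As reported: no lockout, weak password accepted at user creation.
    open_svc = AuthService(policy=None, clock=clock, enforce_password_policy=False)
    open_svc.add_user("admin", "Password1")
    results["no_lockout"] = dictionary_attack(open_svc, "admin", wordlist)
    # Hardened: same weak password, but the account locks after five failures.
    hard_svc = AuthService(policy=LockoutPolicy(max_failures=5), clock=clock,
                           enforce_password_policy=False)
    hard_svc.add_user("admin", "Password1")
    results["lockout"] = dictionary_attack(hard_svc, "admin", wordlist)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Without the policy the seventh guess logs in; with it the sixth request is refused as locked and the password is never tested. One caveat a practitioner will want: a hard per-account lockout lets anyone who knows a username deny service to its owner, so production deployments usually pair it with a time-limited lock, a progressive delay or per-source rate limiting, and alerting on lockout events rather than lockout alone.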
