Bugtraq mailing list archives

Account Lockout Vulnerability in Oblix NetPoint v5.2


From: Bill Canning <william.canning () ey com>
Date: 14 Mar 2002 08:21:02 -0000



Name:           Oblix NetPoint 5.2 Account Lockout Bug
Vendor:         Oblix
Homepage:       http://www.oblix.com/products/netpoint/index.html
Versions:       Confirmed on v5.2, probable on earlier versions
Severity:       Medium to High Risk

Description:

"Oblix NetPoint creates a unified e-business 
infrastructure by providing an integrated access 
control and identity management solution that can be 
extended to all e-business initiatives. It gets its power 
and flexibility from a three-tier Web services 
architecture." (Oblix NetPoint Product Description)

Issues:

Ernst & Young security professionals have discovered a security
vulnerability in the latest version of Oblix NetPoint (v5.2).  The
vulnerability involves account lockout processing.  If a user repeatedly
attempts to log in with an invalid password, the user's account is locked
temporarily for a configurable lockout period after a configurable number
of invalid attempts.  However, after the lockout period expires, the system
cannot lock that account again, no matter how many further invalid login
attempts are made.  The account can only be relocked after a successful
login occurs.  The effect is that after the first lockout occurs, the
account is vulnerable to automated or manual password cracking.

This bug may or may not be present in versions of 
NetPoint prior to v5.2.  Oblix has created a patch for 
this vulnerability under v5.2.

Recommendation:

Either test your system yourself, or contact Oblix to 
determine if your version of NetPoint is vulnerable.  If 
your installation is vulnerable, contact Oblix for a 
patch as soon as possible.  In any case, you should 
install the patch from Oblix as soon as it is available.
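A constructed Python model of the lockout behaviour described above, added here as an illustration and not Oblix code. The flawed variant assumes one plausible cause (the lock fires only when the failure counter equals the threshold, and nothing resets the counter once a lockout expires); the fixed variant starts a fresh counting window when the lockout period ends. The `relocks_after_expiry` check drives an account through lock, expiry and a second burst of bad passwords, which is the test the recommendation above suggests running against your own installation.

```python
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3    # invalid attempts before locking (configurable in NetPoint)
LOCKOUT_SECONDS = 600    # lockout period (configurable in NetPoint)


@dataclass
class Account:
    password: str            # constructed sample credential, plaintext for brevity
    failures: int = 0        # consecutive invalid attempts
    locked_until: float = 0.0


def login_flawed(acct, password, now):
    """Assumed cause of the advisory's bug: the counter keeps growing past the
    threshold, so the equality check never fires again until a success resets it."""
    if now < acct.locked_until:
        return "locked"
    if password == acct.password:
        acct.failures = 0            # only a successful login resets the counter
        return "ok"
    acct.failures += 1
    if acct.failures == LOCKOUT_THRESHOLD:
        acct.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "denied"


def login_fixed(acct, password, now):
    """Corrected logic: an expired lockout opens a new counting window, and the
    lock triggers on >= so an overshooting counter can never disable it."""
    if now < acct.locked_until:
        return "locked"
    if acct.locked_until and now >= acct.locked_until:
        acct.failures = 0            # lockout expired: start counting afresh
        acct.locked_until = 0.0
    if password == acct.password:
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= LOCKOUT_THRESHOLD:
        acct.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "denied"


def relocks_after_expiry(login, attempts=LOCKOUT_THRESHOLD):
    """Lock the account, wait out the period, then send another burst of bad
    passwords; report whether the implementation locks the account a second time."""
    acct = Account(password="correct horse")   # constructed test account
    t = 0.0
    for _ in range(attempts):
        login(acct, "wrong", t)
        t += 1
    assert login(acct, "wrong", t) == "locked"   # first lockout works in both variants
    t = acct.locked_until + 1                    # lockout period has expired
    results = [login(acct, "wrong", t + i) for i in range(attempts * 3)]
    return "locked" in results
```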

Exploits:

No specific exploits exist for this vulnerability, 
although any automated web-based password 
guesser could be used to break into a vulnerable 
system.

Reported By:

Bill Canning (william.canning () ey com)

