[VulnWatch] Business Objects WebIntelligence 6.5x Account Lockout and System DoS

From: Michael M Kemp (mkemp4@private)
Date: Wed Dec 14 2005 - 04:50:45 PST


Computer Sciences Corporation Security Advisory
December 14, 2005

Summary: 
CSC have discovered an issue that could impact upon the availability and 
security of servers operating Business Objects WebIntelligence software. 
If a remote malicious attacker is able to access authentication mechanisms 
(ordinarily through form input) they can lock out and effectively disable 
user accounts, including General Supervisor (admin) users leading to 
system unavailability. 

Business Impact: 
Successful exploitation of this issue could lead to system unavailability 
and significant loss of productivity. This attack requires limited 
knowledge of WebIntelligence default account details, and provided no 
additional changes have been made in configuration, high level (and vital) 
accounts can be disabled. By using automated brute force tools, a 
potential attacker can easily disable accounts associated with legitimate 
system users. 

Affected Product(s): 
Business Objects WebIntelligence 6.5x
(It should be noted that additional software may be affected and the 
vendor should be contacted for confirmation).

Remediation: 
The vendor has proposed a number of remediation strategies, namely:

1 - Disable "the number of failed logins allowed" feature. Using this 
solution, a remote attacker is unable to disable legitimate accounts. It 
should be noted however, that with unlimited attempts at establishing 
password details associated with legitimate accounts, the attacker can 
potentially discover legitimate credentials.

2 - Use external authentication systems (Windows Authentication mode, or 
SSO with Site Minder, LDAP, Active Directory). 

Business Objects have also published a Knowledge Base article referencing 
this issue with the ID of 19915. This Knowledge Base article is available 
via the vendor support portal at: 
http://www.techsupport.businessobjects.com/

Credit:
This vulnerability was discovered by Michael Kemp of CSC (Computer 
Sciences Corporation).

-------------

This document is not to be edited or altered in any way without the 
express written consent of CSC. You may provide links to this document 
from web sites or mailing lists, and you may make copies of this document 
in accordance with the fair use doctrine of the U.S. copyright laws. 

Disclaimer: The information contained in this document may change without 
notice. There are NO warranties, implied or otherwise, with regard to this 
information or its use. In no event shall the author/distributor (CSC) be 
held liable for any damages arising out of or in connection with the use 
or spread of this information. 

-------------

About CSC
Founded in 1959, Computer Sciences Corporation is a leading global 
information technology (IT) services company. CSC's mission is to provide 
customers in industry and government with solutions crafted to meet their 
specific challenges and enable them to profit from the advanced use of 
technology.

With approximately 78,000 employees, CSC provides innovative solutions for 
customers around the world by applying leading technologies and CSC's own 
advanced capabilities. These include systems design and integration; IT 
and business process outsourcing; applications software development; Web 
and application hosting; and management consulting. Headquartered in El 
Segundo, Calif., CSC reported revenue of $14.5 billion for the 12 months 
ended Sept. 30, 2005. For more information, visit the company's Web site 
at www.csc.com

Copyright (c) 2005, Computer Sciences Corporation


--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
This is a PRIVATE message. If you are not the intended recipient, please 
delete without copying and kindly advise us by e-mail of the mistake in 
delivery. NOTE: Regardless of content, this e-mail shall not operate to 
bind CSC to any order or other contract unless pursuant to explicit 
written agreement or government initiative expressly permitting the use of 
e-mail for such purpose.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.3 : Wed Dec 14 2005 - 09:46:08 PST