CVE-2024-23557 - HCL Connections Security Update for User Enumeration Vulnerability

Author: Christoph Stoettner


Some time back, I stumbled upon a flaw in HCL Connections 7 and 8 that allowed for user enumeration. This flaw could be exploited by anonymous users.

User enumeration occurs when an HTML form (or an API endpoint) responds differently depending on whether a user is registered or not. The difference may be in the message content, such as “We sent a mail to your registered address” versus “You don’t have an account,” or in the HTTP response code or the response time. Any of these differences lets an anonymous client tell valid accounts from invalid ones.
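As an added illustration (not code from this post or from HCL Connections), here is a minimal password-reset handler in Python showing the response pattern described above beside a hardened version that answers identically, and does the same amount of work, whether or not the address is registered. The user store, outbox and messages are constructed for the example.

```python
import hashlib
import secrets

# Constructed sample data (hypothetical, not from the page): a user store and
# an outbox standing in for the mail queue.
USERS = {"alice@example.com", "bob@example.com"}
OUTBOX: list[tuple[str, str]] = []


def _issue_token(email: str) -> str:
    """Generate a reset token and derive its stored hash.

    The key-stretching step is the expensive part of a real reset flow; the
    hardened handler pays this cost on every request so timing stays uniform.
    """
    token = secrets.token_urlsafe(32)
    hashlib.pbkdf2_hmac("sha256", token.encode(), email.encode(), 50_000)
    return token


def reset_password_vulnerable(email: str) -> tuple[int, str]:
    """Message, status code and work done all depend on account existence."""
    if email in USERS:
        OUTBOX.append((email, _issue_token(email)))
        return 200, "We sent a mail to your registered address"
    return 404, "You don't have an account"


def reset_password_hardened(email: str) -> tuple[int, str]:
    """Same status, same message and same work regardless of account existence."""
    token = _issue_token(email)        # always pay the token cost
    if email in USERS:
        OUTBOX.append((email, token))  # only a real account receives the mail
    return 200, "If an account exists for this address, we have sent a mail"


def leaks_existence(handler, known: str, unknown: str) -> bool:
    """Defender-side self-check: does the handler answer a registered and an
    unregistered address differently (status code or body)?"""
    return handler(known) != handler(unknown)
```

Response time is the remaining channel: measure it for both address classes in a test harness, since a uniform body with a different latency still enumerates.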

Why is user enumeration problematic?

User enumeration is identified in the OWASP Top 10 as A07:2021 – Identification and Authentication Failures. When attackers can identify available user accounts on a platform, two potential attack scenarios emerge:

  1. LDAP servers may lock accounts after a certain number of incorrect password attempts (e.g., Domino with internet password lockout or Active Directory account lockout policy). Consequently, attackers could deliberately lock user accounts, leading to a denial-of-service-like situation.

    In my observation, most Connections environments directly use Active Directory or other LDAP servers. Thus, if an attacker manages to lock an account, it affects more than just Connections; other services may also be disrupted.

  2. Without a lockout policy, attackers can execute brute force attacks on user accounts, attempting to discover valid passwords.

    Credential stuffing, a common tactic, uses credentials leaked from one service to attempt unauthorized access to other services where the user may have reused the same password. Attackers automate this with scripts that rapidly test stolen credentials across many platforms, exploiting the widespread practice of password reuse. The result can be unauthorized access to accounts on several services at once.

Preventing credential stuffing:

Avoid reusing passwords for multiple services, as stolen login data can easily be used for other services.

How to address this issue:

The details of this problem can be found in the Security Bulletin: HCL Connections Security Update for User Enumeration Vulnerability (CVE-2024-23557), which provides download links and public information regarding the issue.

I opt not to delve into the specifics of the attack or application details.

HCL Connections 8:

The problem has been resolved in Connections 8.0 CR5 and subsequent versions.

HCL Connections 7:

For Connections 7, you need to deploy the latest CFix.70.2403 along with the additional KB0111309 ifix.

I recommend installing these fixes when your Connections environment is accessible from the internet.

