Some time back, I stumbled upon a flaw in HCL Connections 7 and 8 that allowed for user enumeration. This flaw could be exploited by anonymous users.
User enumeration occurs when an HTML form provides different responses depending on whether a user is registered or not. These responses may vary in content, such as “We sent a mail to your registered address” versus “You don’t have an account,” or in HTTP response codes and response times. This vulnerability extends beyond HTML forms and affects APIs as well.
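As an added illustration of the response-difference problem described above (example code written for this page, not code from HCL Connections, whose flaw is not detailed here): a login handler that reveals whether an account exists through its message, status code and timing, beside a hardened variant that answers every failure identically and always performs the password hash, plus a regression check you can run against your own handlers. The user store, salt and password are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample credential store: email -> (salt, PBKDF2 hash of the password).
# It stands in for the LDAP or database lookup a real application would perform.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash_password("correct horse", _SALT))}
# Dummy record hashed for unknown users, so the "no such user" path costs the same time.
_DUMMY = (_SALT, _hash_password("dummy", _SALT))

def login_leaky(email: str, password: str) -> tuple[int, str]:
    """Vulnerable handler: unknown users are rejected early with a distinct message
    and status code and skip the hashing work, so content, code and timing all leak."""
    record = USERS.get(email)
    if record is None:
        return 404, "You don't have an account."
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return 200, "Welcome"
    return 401, "Wrong password."

def login_uniform(email: str, password: str) -> tuple[int, str]:
    """Hardened handler: one message and status for every failure, and the password
    is always hashed (against the dummy record if the user is unknown) so the
    response time does not depend on whether the account exists."""
    salt, stored = USERS.get(email, _DUMMY)
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if ok and email in USERS:
        return 200, "Welcome"
    return 401, "Invalid e-mail address or password."

def leaks_existence(handler, known: str, unknown: str,
                    password: str = "not-the-password") -> bool:
    """Regression check: True when the handler answers a registered and an
    unregistered address differently for a wrong password, i.e. it is an oracle."""
    return handler(known, password) != handler(unknown, password)
```

The same uniform-response rule applies to password-reset and registration forms: the body and status must not depend on whether the address is known, and any mail sending should be queued so the response time stays constant.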
Why is user enumeration problematic?
User enumeration is identified in the OWASP Top 10 as A07:2021 – Identification and Authentication Failures. When attackers can identify available user accounts on a platform, two potential attack scenarios emerge:
LDAP servers may lock accounts after a certain number of incorrect password attempts (e.g., Domino with internet password lockout or Active Directory account lockout policy). Consequently, attackers could deliberately block user accounts, leading to a denial of service-like situation.
In my observation, most Connections environments directly use Active Directory or other LDAP servers. Thus, if an attacker manages to lock an account, it affects more than just Connections; other services may also be disrupted.
Without a lockout policy, attackers can execute brute force attacks on user accounts, attempting to discover valid passwords.
Credential stuffing, a common tactic, involves using passwords compromised on one service to attempt unauthorized access to other services where the user may have reused the same password. Attackers automate this process with scripts that rapidly test stolen credentials across many platforms, exploiting the widespread habit of password reuse. This method can result in unauthorized access to accounts and poses a significant security risk across multiple services.
Preventing credential stuffing:
Avoid reusing passwords for multiple services, as stolen login data can easily be used for other services.
How to address this issue:
The details of this problem can be found in the Security Bulletin: HCL Connections Security Update for User Enumeration Vulnerability (CVE-2024-23557), which provides download links and public information regarding the issue.
I have chosen not to go into the specifics of the attack or the application details.
HCL Connections 8:
The problem has been resolved in Connections 8.0 CR5 and subsequent versions.
HCL Connections 7:
For Connections 7, you need to deploy the latest CFix.70.2403 along with the additional KB0111309 ifix.
I recommend installing these fixes when your Connections environment is accessible from the internet.