CVE-2024-2464: Application users enumeration in CDeX

A vulnerability I found in the CDeX software offered by the company of the same name. It occurs in the password-recovery flow: a difference in the returned messages lets an attacker determine whether a given username is valid, which enables a brute-force attack against the password using only known-valid usernames.

Overview

On the software manufacturer’s website, we can read the following product description: “CDeX (Cyber Defense eXercise Platform) is a virtual training platform designed to enhance cyber defense skills and develop cybersecurity technologies. Our advanced cyber offering provides a fully scalable, automated, and hyperrealistic training environment, which allows team members to build competence in the field of cyber defense.”

Vulnerability description

Access to the platform is possible either through SSO (Single Sign-On) or with login data, i.e. a username and password. A user who has forgotten the password can use the password recovery option. By submitting usernames to the password recovery mechanism and comparing the responses it returns, an attacker can determine which of them belong to existing accounts.

Exploitation scenario

An example of exploiting the vulnerability is presented in the following video:

Timeline

Date               Action
1 February 2024    Report sent to CDeX
15 February 2024   Report sent to CERT Polska
23 February 2024   CDeX confirms the vulnerability exists
11 March 2024      CDeX releases a software patch
15 March 2024      CERT Polska assigns CVE-2024-2464 to this vulnerability
21 March 2024      CERT Polska publishes the vulnerability

How to prevent similar vulnerabilities in your application

It is considerably easier for an attacker to break your authentication mechanisms if you reveal that a user exists on the system. There are even certain situations where, due to the nature of the website, the knowledge that a particular person has an account is sensitive information in itself.

Regardless of whether the submitted username is valid, return identical, generic messages, and verify that they really are identical byte for byte (a single differing word or whitespace character is enough for an attacker). Always return the same HTTP status code for every password-recovery and login request, and make the response times in the two scenarios as indistinguishable as possible, for example by performing the same amount of work whether or not the account exists and by handing e-mail delivery to a background queue.
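The following Python is an added illustration of the pattern described in the vulnerability description and the advice above; it is not CDeX code and not part of the original report. It pairs a recovery handler that answers differently for known and unknown usernames with a hardened version that returns one generic message, the same status code and the same expensive work on both paths, and includes the probe an attacker (or your own regression tests) would use to tell them apart. The user store, the outbox and the wordlist are constructed sample data.

```python
"""Username enumeration via password recovery: a vulnerable handler, a
hardened handler, and the probe that tells them apart.
All names and data here are constructed for illustration (not CDeX code)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Constructed sample account store (username -> e-mail); not real data.
USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}

# Constructed outbox so the example runs offline; a real app would queue mail.
OUTBOX: List[Tuple[str, str]] = []


def make_reset_token() -> str:
    """Create a reset token and derive the digest the server would store.

    The key stretching is deliberately slow, as it should be for a stored
    token; that cost is exactly the timing signal the hardened handler
    must also pay for unknown users."""
    token = secrets.token_urlsafe(32)
    hashlib.pbkdf2_hmac("sha256", token.encode(), b"constructed-salt", 100_000)
    return token


def recover_vulnerable(username: str) -> Response:
    """The pattern behind this class of bug: the reply depends on whether
    the account exists (different text, different status, different work)."""
    email = USERS.get(username)
    if email is None:
        return Response(404, "User not found")
    OUTBOX.append((email, make_reset_token()))
    return Response(200, "Password reset e-mail sent")


GENERIC = Response(200, "If that account exists, a password reset e-mail has been sent.")


def recover_hardened(username: str) -> Response:
    """Same message, same status code and the same expensive work on every path."""
    token = make_reset_token()          # always paid, known user or not
    email = USERS.get(username)
    if email is not None:
        OUTBOX.append((email, token))   # delivery itself should be asynchronous
    return GENERIC


Endpoint = Callable[[str], Response]


def enumerate_users(endpoint: Endpoint, candidates: Iterable[str]) -> List[str]:
    """Attacker view: any candidate whose reply differs from a known-bad
    baseline is reported as an existing account."""
    baseline = endpoint("no-such-user-" + secrets.token_hex(4))
    return [name for name in candidates if endpoint(name) != baseline]


def responses_identical(endpoint: Endpoint, names: Iterable[str]) -> bool:
    """Defender regression check: every reply must be identical (status and body)."""
    replies = {(r.status, r.body) for r in map(endpoint, names)}
    return len(replies) == 1


def timing_gap_ms(endpoint: Endpoint, valid: str, invalid: str, rounds: int = 5) -> float:
    """Absolute difference of median response times for a valid and an invalid name."""
    def median_ms(name: str) -> float:
        samples = []
        for _ in range(rounds):
            t0 = time.perf_counter()
            endpoint(name)
            samples.append((time.perf_counter() - t0) * 1000)
        return sorted(samples)[rounds // 2]
    return abs(median_ms(valid) - median_ms(invalid))


if __name__ == "__main__":
    wordlist = ["admin", "alice", "bob", "carol"]  # constructed guesses
    for handler in (recover_vulnerable, recover_hardened):
        print(handler.__name__,
              "enumerated:", enumerate_users(handler, wordlist),
              "identical:", responses_identical(handler, wordlist),
              "timing gap: %.1f ms" % timing_gap_ms(handler, "alice", "carol"))
```

Run against the vulnerable handler, the probe returns exactly the accounts in the store and the timing gap is the full cost of token generation; against the hardened handler it returns nothing and the gap collapses to measurement noise. `responses_identical` is the check worth keeping in a test suite: it fails the moment someone reintroduces a "user not found" branch.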

References

  1. https://cert.pl/en/posts/2024/03/CVE-2024-2463/
  2. https://cdex.cloud/
  3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2464
  4. https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses