Read Time:50 Second

Description

The software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brute force attacks.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-287
CWE-287
CWE-799

 

Consequences

Access Control: Bypass Protection Mechanism

An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Phase: Architecture and Design

Description: 

CVE References

  • CVE-1999-1152
    • Product does not disconnect or timeout after multiple failed logins.
  • CVE-2001-1291
    • Product does not disconnect or timeout after multiple failed logins.
  • CVE-2001-0395
    • Product does not disconnect or timeout after multiple failed logins.
  • CVE-2001-1339
    • Product does not disconnect or timeout after multiple failed logins.
  • CVE-2002-0628
    • Product does not disconnect or timeout after multiple failed logins.
  • CVE-1999-1324
    • User accounts not disabled when they exceed a threshold; possibly a resultant problem.