<<< Date Index >>>     <<< Thread Index >>>

Business Objects WebIntelligence 6.5x Account Lockout and System DoS



Computer Sciences Corporation Security Advisory
December 14, 2005

Summary: 
CSC have discovered an issue that could impact upon the availability and 
security of servers operating Business Objects WebIntelligence software. If a 
remote malicious attacker is able to access authentication mechanisms 
(ordinarily through form input) they can lock out and effectively disable user 
accounts, including General Supervisor (admin) users leading to system 
unavailability.  

Business Impact: 
Successful exploitation of this issue could lead to system unavailability and 
significant loss of productivity. This attack requires limited knowledge of 
WebIntelligence default account details, and provided no additional changes 
have been made in configuration, high level (and vital) accounts can be 
disabled. By using automated brute force tools, a potential attacker can easily 
disable accounts associated with legitimate system users. 

Affected Product(s): 
Business Objects WebIntelligence 6.5x
(It should be noted that additional software may be affected and the vendor 
should be contacted for confirmation).

Remediation: 
The vendor has proposed a number of remediation strategies, namely:

1 - Disable "the number of failed logins allowed" feature. Using this solution, 
a remote attacker is unable to disable legitimate accounts. It should be noted 
however, that with unlimited attempts at establishing password details 
associated with legitimate accounts, the attacker can potentially discover 
legitimate credentials.

2 - Use external authentication systems (Windows Authentication mode, or SSO 
with Site Minder, LDAP, Active Directory). 

Business Objects have also published a Knowledge Base article referencing this 
issue with the ID of 19915. This Knowledge Base article is available via the 
vendor support portal at: http://www.techsupport.businessobjects.com/

Credit:
This vulnerability was discovered by Michael Kemp of CSC (Computer Sciences 
Corporation).

-------------

This document is not to be edited or altered in any way without the express 
written consent of CSC. You may provide links to this document from web sites 
or mailing lists, and you may make copies of this document in accordance with 
the fair use doctrine of the U.S. copyright laws. 

Disclaimer: The information contained in this document may change without 
notice. There are NO warranties, implied or otherwise, with regard to this 
information or its use. In no event shall the author/distributor (CSC) be held 
liable for any damages arising out of or in connection with the use or spread 
of this information. 

-------------

About CSC
Founded in 1959, Computer Sciences Corporation is a leading global information 
technology (IT) services company. CSC's mission is to provide customers in 
industry and government with solutions crafted to meet their specific 
challenges and enable them to profit from the advanced use of technology.

With approximately 78,000 employees, CSC provides innovative solutions for 
customers around the world by applying leading technologies and CSC's own 
advanced capabilities. These include systems design and integration; IT and 
business process outsourcing; applications software development; Web and 
application hosting; and management consulting. Headquartered in El Segundo, 
Calif., CSC reported revenue of $14.5 billion for the 12 months ended Sept. 30, 
2005. For more information, visit the company's Web site at www.csc.com

Copyright (c) 2005, Computer Sciences Corporation