Advisory ID: SYSS-2020-016
Product: ANTON Web Application
Manufacturer: solocode GmbH
Affected Version(s): 1.3.5
Tested Version(s): 1.3.5
Vulnerability Type: Improper Restriction of Excessive Authentication Attempts (CWE-307)
Risk Level: Medium
Solution Status: Closed
Manufacturer Notification: 2020-04-21
Solution Date: 2020-05-04
Public Disclosure: 2020-06-02
CVE Reference: Not yet assigned
Author of Advisory: Joachim Klein, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ANTON is a universal learning platform for schools and pupils.

The manufacturer describes the product as follows (see [1]):

"ANTON is a universal learning platform (web & mobile) for schools and
pupils that can be used both for independent self-study and for
interactive learning in the classroom context."

ANTON is vulnerable to improper restriction of excessive authentication
attempts.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The web application does not have any protective mechanism against
brute-force attacks, which makes it possible to guess user passwords.
2500 failed login attempts were possible without any protective measure
being triggered. The brute-force attack can be carried out against both
the login and the e-mail verification code.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Perform login or e-mail verification attempts using a tool for sending
automated HTTPS requests with a list of common passwords or verification
codes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The issue was rectified by the vendor. All users automatically use the
fixed version.
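The kind of server-side control whose absence this advisory describes, as an added example that is not code from ANTON, solocode or SySS: a per-account lockout after a fixed number of consecutive failed logins, plus a small guess budget per e-mail verification code, after which the code is retired. Account names, code values and thresholds are constructed for illustration.

```python
"""Throttling of failed login and e-mail verification-code attempts (CWE-307).
Constructed example, not code from the ANTON application: lock an account after
N consecutive failures and retire a verification code after a few wrong guesses."""
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class AuthThrottle:
    max_failures: int = 5                 # consecutive failures before lockout
    lockout_seconds: float = 900.0        # how long the account stays locked
    code_attempts: int = 3                # guesses allowed per verification code
    clock: Callable[[], float] = time.monotonic   # injectable for testing
    _failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)
    _code_tries: Dict[str, int] = field(default_factory=dict)

    def is_locked(self, account: str) -> bool:
        _, locked_until = self._failures.get(account, (0, 0.0))
        return locked_until > self.clock()

    def record_login(self, account: str, password_ok: bool) -> bool:
        """True only if the login is accepted; a locked account is rejected
        even with the correct password, so online guessing stalls."""
        now = self.clock()
        count, locked_until = self._failures.get(account, (0, 0.0))
        if locked_until > now:
            return False
        if password_ok:
            self._failures.pop(account, None)   # success resets the counter
            return True
        if locked_until:
            count = 0                           # lockout expired: fresh window
        count += 1
        until = now + self.lockout_seconds if count >= self.max_failures else 0.0
        self._failures[account] = (count, until)
        return False

    def check_code(self, code_id: str, presented: str, expected: str) -> bool:
        """Accept a code only while its guess budget lasts; a code is single-use."""
        remaining = self._code_tries.setdefault(code_id, self.code_attempts)
        if remaining <= 0:
            return False
        if hmac.compare_digest(presented, expected):  # constant-time comparison
            self._code_tries[code_id] = 0             # consumed, cannot be replayed
            return True
        self._code_tries[code_id] = remaining - 1
        return False
```

In production the counters belong in shared storage (a database or cache) rather than process memory, so that the limit holds across application instances, and lockout events should be logged for detection.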
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-04-14: Vulnerability discovered
2020-04-21: Vulnerability reported to manufacturer
2020-05-04: Patch released by manufacturer
2020-06-02: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ANTON
    https://anton.app/de/impressum/
[2] SySS Security Advisory SYSS-2020-016
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-016.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Joachim Klein of SySS GmbH.

E-Mail: joachim.klein@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Joachim_Klein.asc
Key ID: 0x535D9C315D2E0BBF
Key Fingerprint: 3384 5485 D2E3 B20A F309 E66D 535D 9C31 5D2E 0BBF

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en