Name: Oblix NetPoint 5.2 Account Lockout Bug
Vendor: Oblix
Homepage: http://www.oblix.com/products/netpoint/index.html
Versions: Confirmed on v5.2, probable on earlier versions
Severity: Medium to High Risk

Description:

"Oblix NetPoint creates a unified e-business infrastructure by providing an integrated access control and identity management solution that can be extended to all e-business initiatives. It gets its power and flexibility from a three-tier Web services architecture." (Oblix NetPoint Product Description)

Issues:

Ernst & Young security professionals have discovered a security vulnerability in the latest version of Oblix NetPoint (v5.2). The vulnerability involves account lockout processing.

If a user repeatedly attempts to log in with an invalid password, the account is locked temporarily for a configurable lockout period after a configurable number of invalid attempts. However, once that lockout period expires, the system cannot lock the account again, no matter how many further invalid login attempts are made. The account can only be locked again after a successful login occurs.

The effect is that after the first lockout, the account is exposed to automated or manual password guessing without any further lockout protection.

This bug may or may not be present in versions of NetPoint prior to v5.2. Oblix has created a patch for this vulnerability under v5.2.

Recommendation:

Either test your system yourself, or contact Oblix to determine whether your version of NetPoint is vulnerable. If your installation is vulnerable, contact Oblix for a patch as soon as possible. In any case, install the patch from Oblix as soon as it is available.

Exploits:

No specific exploits exist for this vulnerability, although any automated web-based password guesser could be used to break into a vulnerable system.

Reported By: Bill Canning (william.canning@ey.com)
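The following is an added illustration, not Oblix code and not part of the original advisory: a minimal lockout tracker that reproduces the reported failure mode (after the first lockout expires, further bad passwords never re-lock the account until a successful login) beside a corrected version that starts a fresh counting window when a lock expires. The internal mechanism modelled for the defect (counter cleared only on success, equality test on the threshold) and the user name "alice" are assumptions for the example; how the vendor's code actually failed is not stated in the advisory.

```python
class LockoutPolicy:
    """Per-account lockout tracker; buggy=True reproduces the advisory's defect.

    The defect mechanism here (failure counter cleared only by a successful
    login, lock triggered by an equality test) is an assumption for
    illustration, not the vendor's implementation.
    """

    def __init__(self, max_attempts=3, lockout_seconds=600, buggy=False):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.buggy = buggy
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> epoch seconds at which the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        """Register a bad password at time `now`; True if the account is locked afterwards."""
        if self.is_locked(user, now):
            return True  # still inside the lockout window; nothing changes
        if not self.buggy and user in self.locked_until:
            # Fixed behaviour: an expired lock starts a fresh counting window
            del self.locked_until[user]
            self.failures[user] = 0
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.buggy:
            hit = self.failures[user] == self.max_attempts  # fires once, never again
        else:
            hit = self.failures[user] >= self.max_attempts
        if hit:
            self.locked_until[user] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, user):
        self.failures.pop(user, None)      # only a good login clears the counter
        self.locked_until.pop(user, None)


def relocks_after_expiry(buggy):
    """Drive one account (constructed name 'alice') through lock, expiry, and a second burst."""
    policy = LockoutPolicy(max_attempts=3, lockout_seconds=600, buggy=buggy)
    for t in (0, 1, 2):                      # three bad passwords -> first lockout at t=2
        policy.record_failure("alice", now=t)
    locked_again = False
    for t in (700, 701, 702, 703, 704):      # lock expired at t=602; more bad passwords
        locked_again = policy.record_failure("alice", now=t) or locked_again
    return locked_again
```

A regression test for the vendor's fix would be exactly the second burst above: after the lockout window expires, the configured number of further failures must lock the account again.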