
RSA Security Console - Log On Vulnerability

Question asked by David Thomson on Jul 2, 2018
Latest reply on Jul 2, 2018 by Erica Chalfin

Hi,

The Security Console login form responds differently for existing and non-existing usernames. For example, typing my username into the "User ID" field will then generate an "Authentication Method" drop-down that contains the options "Password" and "Passcode", which are the two types of authentication method I have set up. However, typing something made up into the "User ID" field will then generate an "Authentication Method" drop-down that contains the options "Password", "Passcode" and "On-Demand Authentication". I (and the majority of users) don't have the "On-Demand Authentication" authentication method (but we do use it for some).

Knowing this could potentially allow username enumeration, which would be helpful during a brute-force attack against the application, basically allowing someone to know whether it's a real account or not. This type of threat is listed at the following site:


CWE - CWE-203: Information Exposure Through Discrepancy (3.1) 

Are there any options that can be set to make the Security Console respond in the same way for existing and non-existing usernames?


Thanks,

David
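The check David describes by hand (compare the "Authentication Method" options offered for a real User ID with those offered for a made-up one) can be automated. The following is an added example for this thread, not code from the original post or from RSA: it parses the drop-down out of each response, submits a known-valid User ID and several random ones, and reports every observable difference (status, option set, body length). The login page here is a constructed stand-in that mimics the behaviour in the post; the `authMethod` select name, the `alice` user and the HTML are assumptions, not the real Security Console markup. A `uniform=True` variant shows the non-leaking behaviour the question asks for, where every User ID gets the same option list.

```python
"""Detect a username-enumeration oracle (CWE-203) in a two-step login form.

Added example for this thread; not part of the original post or of the
RSA Security Console. The server side below is a constructed stand-in
whose only purpose is to reproduce the behaviour described in the post.
"""
from html.parser import HTMLParser
import secrets
import string


class OptionCollector(HTMLParser):
    """Collects the visible labels of every <option> inside one <select>."""

    def __init__(self, select_name):
        super().__init__()
        self.select_name = select_name
        self.in_select = False
        self.in_option = False
        self.options = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "select" and attrs.get("name") == self.select_name:
            self.in_select = True
        elif tag == "option" and self.in_select:
            self.in_option = True
            self.options.append("")

    def handle_endtag(self, tag):
        if tag == "select":
            self.in_select = False
        elif tag == "option":
            self.in_option = False

    def handle_data(self, data):
        if self.in_option:
            self.options[-1] += data.strip()


def auth_methods(html, select_name="authMethod"):
    """Return the set of authentication methods offered in a response body.
    'authMethod' is an assumed field name, not the console's real one."""
    parser = OptionCollector(select_name)
    parser.feed(html)
    return frozenset(parser.options)


def random_username(length=24):
    """A user ID that is, for practical purposes, guaranteed not to exist."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def simulated_console(enrolled, uniform=False):
    """Constructed stand-in for the login form described in the post.

    enrolled: dict user_id -> set of methods that user has set up.
    uniform=False reproduces the reported behaviour: an unknown User ID is
    offered the full method list, an enrolled one only its own methods.
    uniform=True is the non-leaking behaviour: every User ID gets the same list.
    """
    all_methods = ("Password", "Passcode", "On-Demand Authentication")

    def submit(user_id):
        if uniform or user_id not in enrolled:
            methods = all_methods
        else:
            methods = tuple(m for m in all_methods if m in enrolled[user_id])
        options = "".join(f'<option value="{m}">{m}</option>' for m in methods)
        body = f'<form><select name="authMethod">{options}</select></form>'
        return 200, body

    return submit


def enumeration_check(submit, known_user, probes=3):
    """Compare the response for a known-valid User ID against responses for
    random non-existent ones. submit(user_id) -> (status, body).
    Returns a list of (probe_user, differences); an empty list means no oracle
    was observed."""
    status_k, body_k = submit(known_user)
    methods_k = auth_methods(body_k)
    findings = []
    for _ in range(probes):
        probe = random_username()
        status_p, body_p = submit(probe)
        methods_p = auth_methods(body_p)
        diff = {}
        if status_p != status_k:
            diff["status"] = (status_k, status_p)
        if methods_p != methods_k:
            diff["methods"] = (sorted(methods_k), sorted(methods_p))
        elif len(body_p) != len(body_k):
            # Same options but a different body size still distinguishes users.
            diff["length"] = (len(body_k), len(body_p))
        if diff:
            findings.append((probe, diff))
    return findings


if __name__ == "__main__":
    # 'alice' is a hypothetical enrolled user with Password and Passcode only.
    leaky = simulated_console({"alice": {"Password", "Passcode"}})
    print("leaky form:", enumeration_check(leaky, "alice"))
    fixed = simulated_console({"alice": {"Password", "Passcode"}}, uniform=True)
    print("uniform form:", enumeration_check(fixed, "alice"))
```

Against a real deployment, `submit` would be replaced by a function that performs the actual User ID step over HTTPS and returns the status and body; the comparison logic is unchanged. Timing is not measured here, so a form that returns identical pages but takes noticeably longer for real accounts would still need a separate check.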
