CVE-2020-9389 - Username enumeration possible via a timing attack

CVE: CVE-2020-9389

Description

Username enumeration is the ability to find out valid usernames with an automated process, for example based on the server's response to a username. Before SquaredUp DS version 4.6, it was possible to determine valid usernames based on the different amount of time it took the server to respond to valid and invalid usernames.

Fix

The server's response time for valid and invalid usernames is constant.

What should you do?

If you are using a SquaredUp DS version earlier than 4.6, update to version 4.6 or later.

Affected and resolved software versions

Product	Affected versions	Resolved versions
SquaredUp DS for SCOM	Versions earlier than 4.6	4.6 and later versions

Acknowledgement

SquaredUp would like to thank Giuseppe-Diego Gianni from NATO for reporting this vulnerability.

Did you notice a vulnerability or need further help?

Please contact SquaredUp Support if you have any questions about this vulnerability or need further help.

If you believe you've found a different security vulnerability in one of our products please report it by emailing our support team so we can work on fixing it: security@squaredup.com

Revision history of this article

3.2.2021	Initial release
10.6.2021	Updated support contact information

DS SCOM LIVE KB.10.log-1572047242.zip
10 KB Download