Software Engineering Institute

WebEOC is a web-based crisis information management application that provides functions to gather, coordinate, and disseminate information between emergency personnel and Emergency Operations Centers (EOC). WebEOC implements a system-wide lock-out policy that is disables an account upon three consecutive failed login attempts. In numerous places throughout the system, an attacker can easily retrieve the information necessary (i.e. usernames) to attempt a login for a particular account. Please note that an account can represent an individual user on one WebEOC site or a system account for another WebEOC site.

Users are authenticated into the WebEOC system by entering a username and password on the WebEOC login web page. The WebEOC login webpage displays all registered usernames within a drop-down list. If a remote attacker gains access to the WebEOC login page, they can intentionally enter a wrong password three consecutive times for a particular user, locking that users account.

WebEOC supports Dual Commit, which is a process that connects multiple WebEOC installations so they can exchange information. Individual WebEOC sites are authenticated into a Dual Commit session via a system account known as the Dual Commit account. Dual Commit accounts are governed by the same lock out policy as individual user accounts. Consequently, they are vulnerable to the same types of attacks. For example, an attacker can cause a denial-of-service condition across multiple EOC sites by attacking the Dual Commit functionality. If a remote attacker repeatedly sends a specially crafted URI containing incorrect login information to a Dual Commit account, that attacker may be able to exploit the lock-out policy to terminate the active Dual Commit connection and lock the Dual Commit account.

In both cases (user accounts and Dual Commit accounts), users will experience a denial of service until the attacked account is manually unlocked.

An unauthenticated, remote attacker may be able to exploit the lock-out policy to lock valid accounts. As a result individual users or WebEOC sites may experience a complete denial-of-service. Recoving from this attack requires a WebEOC administrator to manually unlock the attacked account.

Upgrade

Version 6.0.2 corrects this vulnerability. According to ESi:

This vulnerability has been addressed in version 6.0.2 by providing the option to not present a list of valid user names on the login page. In addition, lockout configuration for the number of failed login attempts and length of time a lockout lasts are included in the administrative functions. The site can now unlock the user’s account automatically after a defined period of time as specified in the General Settings tab.

To obtain WebEOC upgrades, contact ESi Technical Support

Restrict Access

When possible, restrict access to the WebEOC login pages to only known and trusted users.