CVE-2024-24767 in CasaOS-UserServiceinfo

Summary

by MITRE • 03/06/2024

CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server. The web application lacks control over the login attempts. This vulnerability allows attackers to get super user-level access over the server. Version 0.4.7 contains a patch for this issue.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 02/26/2025

The vulnerability identified as CVE-2024-24767 affects CasaOS-UserService, a component responsible for user management within the CasaOS operating system. This flaw exists in versions 0.4.4.3 through 0.4.6, creating a significant security risk that allows unauthorized access to server resources. The vulnerability stems from inadequate protection mechanisms against password brute force attacks, which represents a critical weakness in the authentication system's design and implementation.

The technical flaw manifests as the absence of login attempt controls within the web application's authentication mechanism. This weakness allows attackers to repeatedly attempt password guesses without any rate limiting or account lockout measures. The vulnerability is categorized under CWE-307, which addresses inadequate password protection mechanisms, and aligns with ATT&CK technique T1110.003 for Brute Force: Password Guessing. The lack of authentication controls enables attackers to systematically test multiple password combinations until they discover valid credentials, potentially gaining super user-level privileges.

The operational impact of this vulnerability is severe, as it provides attackers with full administrative access to the affected server. Once an attacker successfully compromises credentials through brute force, they can execute arbitrary commands, modify system configurations, access sensitive data, and potentially establish persistent backdoors. This level of access can result in complete system compromise, data exfiltration, and unauthorized network access. The vulnerability affects the confidentiality, integrity, and availability of the CasaOS environment, making it a critical threat to system security.

Mitigation strategies should prioritize upgrading to CasaOS version 0.4.7 or later, which includes the necessary patch to address the brute force attack vulnerability. Organizations should also implement additional security controls such as account lockout policies, rate limiting for login attempts, and monitoring for suspicious authentication patterns. Network-level protections including firewall rules and intrusion detection systems can help detect and prevent brute force attack patterns. The implementation of multi-factor authentication should be considered as an additional layer of security to protect against credential compromise. Security teams should conduct regular vulnerability assessments and maintain updated threat intelligence to identify and respond to similar authentication weaknesses in other systems.

Responsible

GitHub, Inc.

Reservation

01/29/2024

Disclosure

03/06/2024

Moderation

accepted

CPE

ready

EPSS

0.00977

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!