CVE-2016-9124

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Revive Adserver before 3.2.3 suffers from Improper Restriction of Excessive Authentication Attempts. The login page of Revive Adserver is vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to regular users during such attacks. A random delay has instead been introduced as a countermeasure in case of password failures, along with a system to discourage parallel brute forcing. These systems will effectively allow the valid users to log in to the adserver, even while an attack is in progress.

Revive Adserver en versiones anteriores a 3.2.3. sufre de restricción incorrecta de intentos de autenticación excesiva. La página de inicio de sesión de Revive Adserver es vulnerable a los ataques de detección de contraseña. Una característica de bloqueo de cuenta ha sido considerada, pero se rechazó para evitar la introducción de interrupciones del servicio a usuarios regulares durante dichos ataques. Un retraso aleatorio se ha introducido como una contramedida en caso de fallos de contraseña, junto con un sistema para desalentar el forzamiento bruto paralelo. Estos sistemas permitirán efectivamente que los usuarios válidos inicien sesión en el adserver, incluso mientras un ataque está en progreso.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-10-31 CVE Reserved
2017-03-28 CVE Published
2023-03-07 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-287: Improper Authentication
CWE-307: Improper Restriction of Excessive Authentication Attempts

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/revive-adserver/revive-adserver/commit/847941390f5b3310d51b07c92ec91cc1f4cc82c9	2019-10-09
https://www.revive-adserver.com/security/revive-sa-2016-001	2019-10-09

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Revive-adserver Search vendor "Revive-adserver"		Revive Adserver Search vendor "Revive-adserver" for product "Revive Adserver"				<= 3.2.2 Search vendor "Revive-adserver" for product "Revive Adserver" and version " <= 3.2.2"		-		Affected