OpenBao User Lockout Bypass Vulnerability in Userpass and LDAP Authentication

Vulnerability

A vulnerability exists in OpenBao versions 0.1.0 prior to 2.3.1 that allows attackers to bypass the automatic user lockout mechanism of the Userpass and LDAP authentication methods. The issue arises from inconsistent handling of user entity aliases between pre-flight and full login requests: because the two code paths do not derive the alias from the username in the same way, varying the casing of the username causes failed attempts to be counted against a different alias than the one the lockout check consults. The vulnerability is addressed in OpenBao version 2.3.2.

Impact

Exploitation of this vulnerability bypasses the user lockout mechanism, so an attacker can make an unlimited number of login attempts against a Userpass or LDAP account, exposing it to password brute-force attacks that the lockout is meant to stop.

Reproduction

To reproduce this vulnerability, attempt to log in to an OpenBao instance using the Userpass or LDAP authentication method while varying the casing of the username between attempts; the alias normalization issue prevents the failed attempts from accumulating, so the lockout is never triggered. This can be automated with a script or tool that sends login requests with different username casings.
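As an added illustration (not OpenBao's code), here is a minimal model of the bug class: a lockout tracker whose pre-flight check and failure counter key the user differently, beside one that canonicalizes the username in a single place. The threshold, the casing variants and the direction of the inconsistency are assumptions of this model.

```python
"""Constructed model of an account-lockout tracker (not OpenBao's code).

Modelled defect: the pre-flight "is this user locked out?" check looks up a
canonicalized key, while the post-failure counter records under the raw
submitted name. Failures under 'Alice', 'ALICE', 'aLiCe' therefore never
accumulate against the key that is checked. The fixed tracker derives the
key once and uses it for both operations.
"""
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # assumed policy for this model


def canonical_alias(username: str) -> str:
    """Single place where the alias is derived from the submitted name."""
    return username.strip().lower()


class LockoutTracker:
    def __init__(self, consistent: bool):
        self.consistent = consistent
        self.failures = defaultdict(int)  # alias -> failed attempt count

    def is_locked(self, username: str) -> bool:
        # Pre-flight check: always consults the canonical alias.
        return self.failures[canonical_alias(username)] >= LOCKOUT_THRESHOLD

    def record_failure(self, username: str) -> None:
        # Vulnerable variant records under the raw name; fixed variant
        # records under the same canonical alias the check consults.
        key = canonical_alias(username) if self.consistent else username
        self.failures[key] += 1


def failed_attempts_before_lockout(tracker: LockoutTracker, max_attempts: int = 50):
    """Simulate failed logins that vary only the casing of one username.

    Returns the attempt index at which the tracker reports the account
    locked, or None if lockout is never reached within max_attempts.
    """
    variants = ["Alice", "ALICE", "aLiCe", "AlIcE"]  # constructed casings
    for i in range(max_attempts):
        name = variants[i % len(variants)]
        if tracker.is_locked(name):
            return i
        tracker.record_failure(name)
    return None
```

With the inconsistent tracker the simulation never reaches lockout; with the consistent one it locks after LOCKOUT_THRESHOLD failures regardless of casing.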

Remediation

Upgrade to OpenBao version 2.3.2, which addresses this vulnerability. As an interim mitigation, rate-limiting quotas can be applied to the Userpass and LDAP authentication endpoints to bound the number of login attempts an attacker can make.

Added: Aug 9, 2025, 3:35 AM
Updated: Aug 9, 2025, 3:35 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.4
remediation: 0.0
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.