Nagios Fusion OTP Verification Rate Limiting Vulnerability Allowing Authentication Bypass

Vulnerability

A vulnerability exists in the OTP verification component of Nagios Fusion versions 2024R1.2 and 2024R2, due to insufficient rate limiting. This flaw allows attackers to perform brute-force attacks on the Two-Factor Authentication (2FA) mechanism, bypassing authentication by repeatedly guessing One-Time Passwords (OTPs). The issue arises from the lack of proper defenses against brute-force attacks, rendering the 2FA implementation ineffective.

Impact

Exploitation of this vulnerability allows attackers to bypass 2FA and gain unauthorized access to accounts, including those of administrators.

Reproduction

To reproduce this vulnerability, log in with a valid username and password. After the system prompts for an OTP, an attacker can send automated requests to the OTP verification endpoint. Because failed attempts neither throttle the endpoint nor lock the account, the attacker can submit OTP guesses without limit until the correct one is accepted, bypassing 2FA.
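The control that is missing here is a per-account failure counter on the OTP step. The following is an added illustration of such a check, not code from Nagios Fusion or from this advisory: a small verifier that counts failed OTP submissions, locks the account for a cooldown period once a threshold is reached, discards the pending challenge so the password login must be repeated, and records an audit event that a SIEM rule can alert on. The thresholds, the user names and the OTP values are constructed for the example.

```python
import hmac
import time
from dataclasses import dataclass

# Policy values are assumptions for this example, not Nagios settings.
MAX_FAILED_ATTEMPTS = 5        # failures allowed before the account is locked
LOCKOUT_SECONDS = 15 * 60      # cooldown before the user may try 2FA again


@dataclass
class OtpState:
    failed_attempts: int = 0
    locked_until: float = 0.0  # monotonic timestamp; 0.0 means not locked


class OtpVerifier:
    """Verifies the OTP of a pending-2FA login with failure counting and lockout.

    `pending_codes` maps a user name to the OTP currently expected for that
    user's half-finished login (constructed input; a real system derives it
    from the user's TOTP secret or a freshly issued one-time value).
    `clock` is injectable so the lockout window can be tested deterministically.
    """

    def __init__(self, pending_codes, clock=time.monotonic):
        self._pending = dict(pending_codes)
        self._state = {}
        self._clock = clock
        self.audit = []  # (username, event) tuples for detection pipelines

    def verify(self, username, submitted):
        st = self._state.setdefault(username, OtpState())
        now = self._clock()

        # Refuse every request while the account is in its cooldown window,
        # without revealing whether the submitted code would have matched.
        if now < st.locked_until:
            return "locked"

        expected = self._pending.get(username)
        # compare_digest avoids leaking the position of the first mismatch.
        ok = expected is not None and hmac.compare_digest(expected, submitted)
        if ok:
            st.failed_attempts = 0
            self._pending.pop(username)          # a code is single use
            self.audit.append((username, "otp_ok"))
            return "ok"

        st.failed_attempts += 1
        if st.failed_attempts >= MAX_FAILED_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failed_attempts = 0
            # Drop the pending challenge: after the cooldown the user has to
            # authenticate with the password again before a new OTP is issued.
            self._pending.pop(username, None)
            self.audit.append((username, "otp_lockout"))
            return "locked"

        self.audit.append((username, "otp_invalid"))
        return "invalid"


if __name__ == "__main__":
    v = OtpVerifier({"admin": "482913"})
    for guess in ("000000", "111111", "222222", "333333", "444444", "482913"):
        print(guess, v.verify("admin", guess))
    print(v.audit)
```

With the five-failure threshold above, the sixth request is refused even though it carries the correct code; the `otp_lockout` audit event is the signal a detection rule should key on, since a burst of lockouts across accounts is the footprint of exactly the automated guessing this advisory describes.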

Remediation

Users are advised to update to Nagios Fusion version 2024R2.1, where this vulnerability has been patched.

Added: Oct 27, 2025, 4:19 PM
Updated: Oct 27, 2025, 4:19 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.0
exploitability: 9.5
remediation: 7.7
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.