Ergon Informatik Airlock IAM Username Enumeration Vulnerability via Timing Discrepancy in Password Reset Feature

Vulnerability

A vulnerability allowing username enumeration through timing differences in the password reset process has been identified in Ergon Informatik AG's Airlock IAM versions 7.7.9, 8.0.8, 8.1.7, 8.2.4, and 8.3.1. This vulnerability allows unauthenticated attackers to determine the validity of usernames by observing variations in response times during the password reset procedure.

Impact

Exploitation of this vulnerability enables unauthenticated attackers to enumerate valid usernames, which could be used in subsequent attacks, such as password spraying.

Reproduction

To reproduce this vulnerability, initiate a password reset request by sending a POST request to the username identification endpoint. Include the username in the request body. Observe the response time: invalid usernames typically result in a response time of 30 to 40 milliseconds, while valid usernames take approximately 500 to 800 milliseconds. This timing difference can be exploited to create a list of valid usernames.
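The timing gap above is the classic shape of a reset-flow side channel: the expensive step (token derivation, mail rendering, delivery) runs only when the username resolves to an account, so the response body is identical but the latency is not. The following Python sketch is an added illustration and not Airlock IAM code; it models the leaky handler next to a hardened one that does identical work for every input, hands delivery to a queue, and pads to a fixed response-time floor. The user store, server key, `Meter` helper and 0.5 s floor are all constructed for the example.

```python
"""Why a reset endpoint leaks account existence, and how to close it (illustrative, not Airlock IAM code)."""
import hashlib
import secrets
import time

# Constructed user store: username -> salted password hash (sample data, not real accounts).
USERS = {
    "alice": hashlib.sha256(b"salt1:pw1").hexdigest(),
    "bob": hashlib.sha256(b"salt2:pw2").hexdigest(),
}
DUMMY_RECORD = hashlib.sha256(b"no-such-user").hexdigest()  # stand-in record for unknown users
SERVER_KEY = secrets.token_bytes(32)        # hypothetical server-side key for token derivation
MIN_RESPONSE_SECONDS = 0.5                  # fixed floor, chosen above the slowest real path


class Meter:
    """Counts expensive operations and queued mail, so the leak is visible without a stopwatch."""
    def __init__(self):
        self.expensive_ops = 0
        self.outbox = []        # (username, token) pairs handed to an asynchronous mailer
        self.padding = 0.0      # seconds the hardened handler slept to reach the floor


def derive_reset_token(username, record, meter):
    """Deliberately slow token derivation standing in for hashing plus mail rendering."""
    meter.expensive_ops += 1
    material = f"{username}:{record}".encode()
    return hashlib.pbkdf2_hmac("sha256", material, SERVER_KEY, 20_000).hex()


def reset_vulnerable(username, meter):
    """Body is identical either way, but the slow path runs only for known users."""
    if username in USERS:
        token = derive_reset_token(username, USERS[username], meter)
        meter.outbox.append((username, token))
    return {"status": "ok"}


def reset_hardened(username, meter, clock=time.perf_counter, sleep=time.sleep):
    """Identical work for every input, delivery deferred to a queue, plus a response-time floor."""
    start = clock()
    record = USERS.get(username, DUMMY_RECORD)
    token = derive_reset_token(username, record, meter)   # always runs, known user or not
    if username in USERS:
        meter.outbox.append((username, token))   # cheap enqueue; the mailer sends later
    remaining = MIN_RESPONSE_SECONDS - (clock() - start)
    if remaining > 0:
        meter.padding = remaining
        sleep(remaining)                         # absorb whatever variance is left
    return {"status": "ok"}


def median_ms(handler, username, runs=5):
    """Median wall-clock cost of a handler for one username, in milliseconds."""
    samples = []
    for _ in range(runs):
        t0 = time.perf_counter()
        handler(username, Meter())
        samples.append((time.perf_counter() - t0) * 1000)
    return sorted(samples)[runs // 2]


if __name__ == "__main__":
    for handler in (reset_vulnerable, reset_hardened):
        known = median_ms(handler, "alice")
        unknown = median_ms(handler, "zed")
        print(f"{handler.__name__}: known {known:.0f} ms, unknown {unknown:.0f} ms")
```

Running the module prints the per-handler medians: the vulnerable handler shows a large known/unknown gap, the hardened one converges on the floor for both. The floor alone is not sufficient; if the real work can exceed it, the gap reappears, which is why the hardened path also performs the same derivation against a dummy record and moves delivery out of the request.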

Remediation

Users are advised to upgrade Airlock IAM to version 7.7.11, 8.0.9, 8.1.8, 8.2.5, or 8.3.2. If an immediate upgrade is not possible, consider implementing additional anti-automation measures, such as CAPTCHAs, during the password reset process.
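Until the upgrade lands, the useful operational signal is the enumeration pattern itself: one source submitting many distinct usernames to the reset endpoint in a short window. The detection below is an added example, not part of this advisory or of Airlock IAM; it parses a constructed access-log format (timestamp, source IP, method, path, username, status, latency) and flags sources whose distinct-username count within a sliding window exceeds a threshold. The log lines, the `/reset/identify` path and the thresholds are all assumptions for the illustration.

```python
"""Flag sources that probe a password-reset endpoint with many distinct usernames (illustrative)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample (hypothetical format, not Airlock IAM's own log layout).
SAMPLE_LOG = """\
2025-07-04T12:00:01Z 203.0.113.10 POST /reset/identify user=alice 200 612ms
2025-07-04T12:00:02Z 203.0.113.10 POST /reset/identify user=admin 200 35ms
2025-07-04T12:00:02Z 203.0.113.10 POST /reset/identify user=bob 200 701ms
2025-07-04T12:00:03Z 203.0.113.10 POST /reset/identify user=carol 200 33ms
2025-07-04T12:00:03Z 203.0.113.10 POST /reset/identify user=dave 200 38ms
2025-07-04T12:00:04Z 203.0.113.10 POST /reset/identify user=erin 200 31ms
2025-07-04T12:00:04Z 203.0.113.10 POST /reset/identify user=frank 200 36ms
2025-07-04T12:00:05Z 203.0.113.10 POST /reset/identify user=grace 200 34ms
2025-07-04T12:05:10Z 198.51.100.7 POST /reset/identify user=bob 200 655ms
2025-07-04T12:05:40Z 198.51.100.7 POST /reset/identify user=bob 200 640ms
2025-07-04T12:06:12Z 192.0.2.5 POST /reset/identify user=heidi 200 37ms
2025-07-04T12:06:30Z 192.0.2.5 POST /reset/identify user=ivan 200 598ms
2025-07-04T12:07:00Z 192.0.2.5 POST /login user=ivan 200 120ms
"""

LINE_RE = re.compile(r"^(\S+) (\S+) POST (\S+) user=(\S+) (\d{3}) (\d+)ms$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(log_text, path):
    """Group (timestamp, username) pairs for the given path by source IP; skip unparseable lines."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, req_path, user, _status, _ms = m.groups()
        if req_path != path:
            continue
        events[ip].append((datetime.strptime(ts, TS_FORMAT), user))
    return events


def detect_enumeration(log_text, max_distinct=5, window=timedelta(minutes=5), path="/reset/identify"):
    """Return {ip: peak distinct usernames} for sources exceeding max_distinct inside any window."""
    flagged = {}
    for ip, evs in parse_events(log_text, path).items():
        evs.sort()
        peak = 0
        for i, (t_end, _) in enumerate(evs):
            # Sliding window ending at this event: distinct usernames seen since t_end - window.
            recent = {user for t, user in evs[: i + 1] if t >= t_end - window}
            peak = max(peak, len(recent))
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct usernames against the reset endpoint within 5 minutes")
```

Repeated resets for the same account (the 198.51.100.7 lines) are a normal user retrying and are not flagged; the threshold should be tuned to what legitimate help-desk or self-service traffic looks like, and the flagged source is a candidate for the rate limiting or CAPTCHA challenge the advisory recommends.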

Added: Jul 4, 2025, 12:20 PM
Updated: Jul 4, 2025, 12:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.6
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.