Responsible Vulnerability Disclosure CVE-2021-40126 – Descriptive error message
INTRODUCTION
Cisco Umbrella is a taut cloud driven Internet Gateway that fortifies users from all kinds of cyber proliferation, no matter the user’s environs. It is one of the most comfortable way to safeguard the end users anywhere, in minutes.
eSecForte Technologies Security Researcher – Abhinav Khanna found an overly descriptive error message that lead to enumeration attack and has been assigned CVE-2021-40126 for it by the MITRE.
Description
Improper handling of errors can introduce a variety of security problems for a web site. The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to the user (hacker). These messages reveal implementation details that should never be revealed.
Possible Impact
Often this will either reveal sensitive information which may be used for a later attack or private information stored in the server.
Steps
The Cisco Umbrella Dashboard displays an overly descriptive error message that lets an attacker know if the specific email address entered exists in the database or not.
Recommendation
- Ensure that a general error message is displayed instead of a detailed error message which does not reveal any sensitive information.
- Limit the number of attempts a user can make in order to change the email address in a day.
[Disclosure Process]
- Reported the Vulnerability to the Vendor Security or PSIRT Team.
- Acknowledged confirmed from the Vendor that vulnerability exist.
- CVE has been filed in NVD.
- Vendor confirm that the vulnerability is fixed or a latest version, patch is released.
- Vulnerability disclosed to the public.
[Reference]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40126
[Has vendor confirmed or acknowledged the vulnerability?]
Yes
[Discoverer]
Abhinav Khanna from eSec Forte Technologies Pvt. Ltd.