Abstract Advisory Information
DualShield 5.9.8.0821 allows username enumeration on its login form. A valid username will ask for
the password when an invalid one will produce a “unknown username” error message.
Authors: Excellium Services
Version affected
Name: DualShield
Version: 5.9.8.0821
Common Vulnerability Scoring System
5.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Patches
A fix is available in DualShield 6.0. The administrator must check the new checkbox
“Prevent login name guessing” in the authentication panel.
References
https://support.deepnetsecurity.com/
https://nvd.nist.gov/vuln/detail/CVE-2020-28918
Vulnerability Disclosure Timeline
- 2020/11/10: Vulnerability found in DualShield
- 2020/11/11: Vulnerability reported to CERT-XLM
- 2020/11/11: Vulnerability reported to Deepnet Security
- 2020/11/16: Vulnerability fixed in DualShield version 6.0
- 2020/11/17: CVE ID requested to MITRE
- 2020/11/18: CVE ID Assigned by MITRE
- 2021/02/09: Expected public vulnerability disclosure