CVE-2023-25156
📋 TL;DR
Kiwi TCMS versions before 12.0 lack rate limiting on the login page, allowing attackers to perform brute-force attacks against user credentials. This affects all Kiwi TCMS deployments using vulnerable versions. Attackers can attempt unlimited login attempts to guess passwords.
💻 Affected Systems
- Kiwi TCMS
📦 What is this software?
Kiwi TCMS, an open-source test case management system, by the kiwitcms project
⚠️ Risk & Real-World Impact
Worst Case
Attackers successfully brute-force administrative credentials, gaining full control over the test management system, potentially accessing sensitive test data and modifying system configurations.
Likely Case
Attackers compromise user accounts with weak passwords, gaining unauthorized access to test cases, results, and project information.
If Mitigated
With rate limiting in place, brute-force attempts are blocked after a few failed attempts, preventing credential compromise.
🎯 Exploit Status
No public exploit code needed - attackers can use standard brute-force tools against the login endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.0 and later
Vendor Advisory: https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7968-h4m4-ghm9
Restart Required: Yes
Instructions:
1. Back up your Kiwi TCMS database and configuration.
2. Upgrade to Kiwi TCMS version 12.0 or later using your package manager or installation method.
3. Restart the Kiwi TCMS service.
4. Verify the upgrade was successful.
🔧 Temporary Workarounds
Rate-limiting proxy
Deploy a reverse proxy with rate limiting in front of Kiwi TCMS to limit login attempts.
# Example nginx configuration with rate limiting.
# limit_req_zone must be declared in the http {} context; the location block
# belongs inside the server {} block that proxies to Kiwi TCMS.
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
location /accounts/login/ {
    # Allow a short burst of 10 requests, then reject the excess (HTTP 503 by default)
    limit_req zone=login burst=10 nodelay;
    proxy_pass http://kiwitcms_backend;
}
🧯 If You Can't Patch
- Implement strong password policies and enforce multi-factor authentication
- Deploy network-based intrusion detection to monitor for brute-force patterns
🔍 How to Verify
Check if Vulnerable:
Check Kiwi TCMS version - if below 12.0, it's vulnerable. Attempt rapid login requests to see if they're all accepted.
Check Version:
Check the Kiwi TCMS web interface footer or run: docker exec kiwitcms python -c "import tcms; print(tcms.__version__)"
Verify Fix Applied:
After upgrading to 12.0+, attempt multiple rapid login requests - they should be rate-limited after a few attempts.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from the same IP address
- Rapid succession of POST requests to /accounts/login/
Network Indicators:
- High volume of HTTP POST requests to login endpoint
- Pattern of failed authentication attempts
SIEM Query:
source="kiwitcms" action="login" result="failure" | stats count by src_ip | where count > 10
🔗 References
- https://github.com/kiwitcms/Kiwi/commit/0ed213fa0ddb7a6dc77e3c3b99e8fc90ccdaf46f
- https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7968-h4m4-ghm9
- https://huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795/
- https://kiwitcms.org/blog/kiwi-tcms-team/2023/02/15/kiwi-tcms-120/