Login Sign Up

CVE-2023-2675

9.8 CRITICAL
Authentication Bypass

📋 TL;DR

This vulnerability allows attackers to perform unlimited authentication attempts against Twake instances, enabling brute-force attacks to guess user credentials. It affects all Twake deployments running versions prior to 2023.Q1.1223. Organizations using vulnerable Twake versions are at risk of account compromise.

💻 Affected Systems

Products:
  • Twake
Versions: All versions prior to 2023.Q1.1223
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Twake deployments regardless of configuration.

📦 What is this software?

Twake by Linagora

View all CVEs affecting Twake →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover of all user accounts through brute-force attacks, leading to data exfiltration, privilege escalation, and system compromise.

🟠

Likely Case

Successful brute-force attacks against weak or reused passwords, resulting in unauthorized access to individual user accounts.

🟢

If Mitigated

Failed brute-force attempts logged and blocked, with no successful account compromises.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple brute-force tools can exploit this vulnerability without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023.Q1.1223

Vendor Advisory: https://github.com/linagora/twake/commit/0770da3b184b5d5e71fee8251a5847a04c7cb9bc

Restart Required: Yes

Instructions:

1. Update Twake to version 2023.Q1.1223 or later. 2. Restart the Twake service. 3. Verify the fix is applied.

🔧 Temporary Workarounds

Rate Limiting via Reverse Proxy

linux

Implement rate limiting at the reverse proxy level to restrict authentication attempts.

# Example nginx rate limiting
limit_req_zone $binary_remote_addr zone=auth:10m rate=5r/m;
limit_req zone=auth burst=10 nodelay;

Web Application Firewall Rules

all

Configure WAF rules to detect and block excessive authentication attempts.

🧯 If You Can't Patch

  • Implement network-level rate limiting for authentication endpoints.
  • Enforce strong password policies and multi-factor authentication.

🔍 How to Verify

Check if Vulnerable:

Check Twake version in admin panel or configuration files. If version is earlier than 2023.Q1.1223, it's vulnerable.

Check Version:

Check Twake admin interface or configuration files for version information.

Verify Fix Applied:

Verify version is 2023.Q1.1223 or later and test that authentication attempts are rate-limited.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts from single IP address
  • Unusual authentication patterns

Network Indicators:

  • High volume of POST requests to /auth/login endpoint
  • Traffic patterns indicating brute-force tools

SIEM Query:

source="twake" (event="login_failed") | stats count by src_ip | where count > 10

📊 Metadata

CVE ID: CVE-2023-2675
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-307
Published: November 7, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-2675, you might also want to check these:

CVE-2023-1665 9.8

This vulnerability allows attackers to perform unlimited authentication attempts against Twake insta...

Same vulnerability type (CWE-307)
CVE-2020-28212 9.8

This vulnerability allows attackers to perform brute force attacks against the PLC Simulator in EcoS...

Same vulnerability type (CWE-307)
CVE-2024-9342 9.8

CVE-2024-9342 allows attackers to perform unlimited brute-force login attempts against Eclipse Glass...

Same vulnerability type (CWE-307)