CVE-2024-55374
📋 TL;DR
REDCap 14.3.13 has a username enumeration vulnerability: the time the login endpoint takes to reject a login attempt differs depending on whether the submitted username exists, so an attacker who measures response times can distinguish valid accounts from invalid ones without ever knowing a password. Every organization running REDCap 14.3.13 for research data collection is affected. The resulting list of valid accounts is the input for credential stuffing, password spraying and targeted phishing.
💻 Affected Systems
- REDCap
⚠️ Risk & Real-World Impact
Worst Case
Attackers enumerate all valid usernames, then conduct credential stuffing or targeted phishing campaigns leading to account compromise and unauthorized access to sensitive research data.
Likely Case
Attackers enumerate some usernames and use them for targeted attacks, potentially compromising individual accounts with weak passwords.
If Mitigated
Attackers can enumerate usernames but cannot progress further due to strong authentication controls like MFA and account lockout policies.
🎯 Exploit Status
Exploitation needs only a script that times login responses and compares the two distributions; it is straightforward to implement, and a public GitHub repository contains proof-of-concept code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.3.14 or later
Vendor Advisory: http://redcap.com
Restart Required: No
Instructions:
1. Back up your REDCap installation and database.
2. Download REDCap 14.3.14 or later from the vendor.
3. Follow the REDCap upgrade instructions to apply the update.
4. Verify the fix by repeating the login timing measurement described under How to Verify.
🔧 Temporary Workarounds
Implement Rate Limiting
Add rate limiting to the login endpoint to slow enumeration. This raises the cost of collecting enough timing samples but does not remove the timing difference itself, and a shared NAT address will hit the limit as one client, so set the threshold with legitimate users in mind.
# Configure web server rate limiting (nginx example)
# In the http {} block:
limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;
# In the server {} block; use the path your installation actually POSTs logins to
location /redcap/authentication.php {
limit_req zone=login burst=5 nodelay;
}
Add Random Delay
Modify the authentication code to add a random delay to every login response. This is a stopgap only: random jitter raises the number of samples an attacker needs, but averaging many attempts recovers the underlying difference. The durable fix is to make the unknown-user path do the same work as the wrong-password path (for example, run the password hash check against a dummy hash when the user does not exist).
# PHP modification example
usleep(random_int(100000, 500000)); // add 100-500 ms of jitter to every login response
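To make the difference concrete, the Python below models both versions of the login check: the early return on an unknown username that creates the timing difference, and the hardened form that does the same work on every path. This is an added example, not REDCap's code and not the vendor's patch; PBKDF2 stands in for the real password hash, and the user store, work factor and function names are assumptions for illustration.

```python
"""Added example, not REDCap code: the early return on an unknown username
that creates the timing oracle, next to the hardened form that does the same
work on every path. PBKDF2 stands in for the real password hash; the user
store, work factor and function names are assumptions for illustration."""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor; any real password hash is deliberately slow
HASH_CALLS = {"vulnerable": 0, "hardened": 0}  # counts hash work per code path


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, hash)
_salt = os.urandom(16)
USERS = {"alice": (_salt, hash_password("correct horse", _salt))}

# Dummy credential so that an unknown user costs the same as a wrong password
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password("placeholder", DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> bool:
    """Returns before hashing when the username is unknown; that fast path
    is the timing difference the advisory describes."""
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    HASH_CALLS["vulnerable"] += 1
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_hardened(username: str, password: str) -> bool:
    """Hashes and compares on every call, against a dummy hash when the
    user does not exist, so both failure paths take the same time."""
    known = username in USERS
    salt, stored = USERS[username] if known else (DUMMY_SALT, DUMMY_HASH)
    HASH_CALLS["hardened"] += 1
    match = hmac.compare_digest(hash_password(password, salt), stored)
    return bool(known & match)  # no short-circuit: both conditions are always evaluated


def hash_work(path: str, username: str, password: str = "wrong") -> int:
    """Number of password-hash computations one login attempt triggers on
    the given path ('vulnerable' or 'hardened')."""
    fn = {"vulnerable": login_vulnerable, "hardened": login_hardened}[path]
    before = HASH_CALLS[path]
    fn(username, password)
    return HASH_CALLS[path] - before
```

The point of the hardened version is that the hash computation, which dominates the response time, runs whether or not the username exists; the dummy credential can never authenticate because the `known` flag is still required, and it is combined with `&` rather than `and` so the result does not depend on which condition failed.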
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block rapid login attempts
- Enable multi-factor authentication (MFA) for all user accounts to mitigate impact of credential attacks
🔍 How to Verify
Check if Vulnerable:
Send many login attempts (with a wrong password) for one username you know exists and one you know does not, alternating between them, and record each response time. Compare the two distributions rather than single requests: a difference in medians that persists across samples and clearly exceeds the spread caused by network jitter indicates the vulnerability.
Check Version:
Check REDCap version in Control Center → Configuration Check or via database: SELECT value FROM redcap_config WHERE field_name = 'redcap_version';
Verify Fix Applied:
After patching, repeat the same measurement. Individual responses will never be exactly identical because of network and server jitter; what matters is that the two distributions overlap and no consistent difference between valid and invalid usernames remains.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from single IP with different usernames
- Login attempts arriving at a steady, machine-like interval, or alternating between the same two or three usernames (scripted timing collection)
Network Indicators:
- Rapid sequential POST requests to authentication endpoint
- Traffic patterns showing systematic username testing
SIEM Query (Splunk syntax; enumeration shows up as many distinct usernames from one source, so count distinct usernames per IP rather than failures per username):
source="redcap_logs" action="LOGIN_FAILURE" | stats dc(username) AS distinct_users, count AS failures by src_ip | where distinct_users > 10
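The same detection as standalone logic over raw log lines, added here as an example rather than taken from the advisory. The log format, field names, sample lines and thresholds are constructed for illustration and will differ from REDCap's real log layout; it goes beyond the query above by requiring the distinct usernames to fall within one time window, which separates a scripted sweep from failures spread over a day.

```python
"""Added example, not from the advisory: flag enumeration-style login
failures (one source, many distinct usernames, short time window) in
application logs. The line format below is constructed; adapt the regex
and field names to the real export."""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def _line(ts, ip, user, action="LOGIN_FAILURE"):
    return f"{ts.isoformat()}Z action={action} src_ip={ip} username={user}"


_t0 = datetime(2024, 12, 2, 9, 0, 0)
# Constructed sample log lines (not real REDCap output)
SAMPLE_LOGS = (
    # enumeration: one source, twelve different usernames, one second apart
    [_line(_t0 + timedelta(seconds=i), "203.0.113.7", f"user{i:02d}") for i in range(12)]
    # single-account brute force: same username repeated (a different detection)
    + [_line(_t0 + timedelta(seconds=i), "198.51.100.5", "alice") for i in range(12)]
    # benign typos from a real user
    + [_line(_t0 + timedelta(minutes=i), "192.0.2.9", u)
       for i, u in enumerate(["alice", "alcie", "alice"])]
    # a successful login from the enumerating source must not be counted
    + [_line(_t0 + timedelta(seconds=30), "203.0.113.7", "user05", action="LOGIN_SUCCESS")]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)Z action=(?P<action>\S+) src_ip=(?P<ip>\S+) username=(?P<user>\S+)$"
)


def parse(lines):
    """Yield (timestamp, action, src_ip, username) for lines matching LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["action"], m["ip"], m["user"]


def flag_enumeration(lines, window_seconds: int = 600, min_distinct: int = 10) -> dict:
    """Return {src_ip: distinct usernames} for every source whose failed logins
    hit at least `min_distinct` different usernames inside some window of
    `window_seconds`. Successful logins are ignored."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, action, ip, user in parse(lines):
        if action == "LOGIN_FAILURE":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start event
            users = {u for ts, u in events[i:] if ts - start <= window}
            if len(users) >= min_distinct:
                flagged[ip] = len(users)
                break
    return flagged


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOGS))
```

The brute-force source 198.51.100.5 is deliberately not flagged here: it needs the per-username failure count that a lockout policy already handles, whereas enumeration is the opposite shape, few attempts per username across many usernames.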