300 Authentication mechanism absence or evasion - Azure


Description

The system has flaws in its authentication mechanisms or has been configured with one that can be bypassed.


Impact

- Leave organizations vulnerable to stealthy brute-force attacks.
- Allow fraudulent attempts to access user accounts.


Recommendation

- Force users to register multiple authentication methods.
- Enable Azure Fraud alert to empower users to proactively report attempts by someone trying to use their account.
- Set account lockout threshold notifications.


Threat

Anonymous attacker with credentials access from the Internet.


Expected Remediation Time

60 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: N
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: N
  • User interaction: N
  • Confidentiality (VC): L
  • Integrity (VI): N
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: P

Requirements


Fixes


Last updated

2024/02/16