Message-ID: <B9F4D6F9EB979443BE11F3D023C8A5C310E0AB@MORPHEUS.gosecure.ca>
From: jhwang at gosecure.ca (Jian Hui Wang)
Subject: [GoSecure Advisory] Neoteris IVE Vulnerability

 

GoSecure Advisory #GS041006

 

Neoteris IVE changepassword.cgi Authentication Bypass

 

Date Published: 2004-10-06

Date Discovered: 2004-07-23

 

CVE ID: CAN-2004-0939

 

Class: Design Error

 

Risk: Medium

 

Vendor: Juniper Networks

www.juniper.net 

 

Advisory URL:

http://www.gosecure.ca/SecInfo/gosecure-2004-10.txt 

 

Affected System:

 

Neoteris Instant Virtual Extranet (IVE) OS, Version 3.x
Neoteris Instant Virtual Extranet (IVE) OS, Version 4.x

 

Description:

 

Neoteris Instant Virtual Extranet (IVE) is a well known "clientless" SSL
VPN solution for internal network remote access via a standard web
browser. It is widely used as an extranet portal for corporate networks.

 

While doing an ethical hacking assessment of a Juniper customer,
GoSecure discovered a vulnerability regarding Neoteris IVE password
management.

 

When a valid user tries to authenticate via the IVE and the password is
expired, the user will be asked to change their password and be directly
forwarded to the "changepassword.cgi" without asking for any form of
authentication. 

 

The username, authentication server and type will be appended to the
"changepassword.cgi" URL.  Since the "changepassword.cgi" allows the
user to try the old password as many times as they want, the unit
effectively allows a brute force password attack. 

 

If an attacker were to obtain a username through various public
information gathering techniques, they could attempt to find an account
with a password that has expired and brute force that account to
eventually gain unauthorized access.

 

This vulnerability only affects IVE products that are configured with
LDAP or an NT domain authentication server. Other types of authentication
servers are not affected.

 

Solution:

 

The vendor has released a patch and an advisory to address this issue.

The advisory is available at the following location:

 

http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Seach&txtAlertNumber=PSN-2004-08-25&viewMode=view

 

Credits:

 

GoSecure would like to thank Juniper's quick response on providing a
solution for its customers.  This vulnerability was found by Jian Hui
Wang, part of GoSecure's vulnerability research team.

 

Copyright (c) 2002-2004 GoSecure Inc

 

Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of Gosecure. If you wish to reprint the whole or any part of
this alert in any other medium excluding electronic medium, please email
info@...ecure.ca for permission.

 

Disclaimer

 

The information within this advisory may change without notice. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatever arising out of or in connection with the use or spread of
this information. Any use of this information is at the user's own risk.

 

http://www.gosecure.ca <http://www.gosecure.ca/> 
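
A defender-side check for the behaviour described above, as an added example that is not part of the GoSecure advisory or of any vendor code: it scans web or proxy access logs for repeated changepassword.cgi requests naming the same account. The Common Log Format input, the `user` query parameter name and the thresholds are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
USER_PARAM = "user"  # assumed name; the advisory only says the username is in the URL

def parse(line):
    """Return (time, source_ip, username) for changepassword.cgi hits, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, _status = m.groups()
    url = urlsplit(target)
    users = parse_qs(url.query).get(USER_PARAM)
    if not url.path.endswith("/changepassword.cgi") or not users:
        return None
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip, users[0].lower()

def detect(lines, max_hits=5, window=timedelta(minutes=10)):
    """Flag accounts with more than max_hits change-password requests per window.

    Assumes each account's log lines arrive in time order."""
    recent = defaultdict(deque)   # username -> (time, ip) of hits inside the window
    alerts = {}                   # username -> {"peak": n, "sources": set of IPs}
    for when, ip, user in filter(None, map(parse, lines)):
        q = recent[user]
        q.append((when, ip))
        while when - q[0][0] > window:   # drop hits older than the window
            q.popleft()
        if len(q) > max_hits:
            a = alerts.setdefault(user, {"peak": 0, "sources": set()})
            a["peak"] = max(a["peak"], len(q))
            a["sources"].update(src for _, src in q)
    return alerts

def sample_log():
    """Constructed lines: 12 rapid tries for 'alice', 2 ordinary ones for 'bob'."""
    t0 = datetime(2004, 10, 6, 10, 0, 0)
    fmt = '{ip} - - [{ts} +0000] "POST /changepassword.cgi?user={u}&server=ldap1&type=ldap HTTP/1.1" 200 512'
    def line(ip, user, offset):
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S")
        return fmt.format(ip=ip, ts=ts, u=user)
    rows = [line("203.0.113.7", "alice", 5 * i) for i in range(12)]
    rows += [line("198.51.100.20", "bob", 0), line("198.51.100.20", "bob", 40)]
    rows.append('198.51.100.20 - - [06/Oct/2004:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 100')
    return rows

if __name__ == "__main__":
    print(detect(sample_log()))
```

Requests are counted rather than failures because the response status alone may not reveal whether the old password was accepted; tune `max_hits` and `window` to what a legitimate expired-password change looks like in your environment.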

 

 
