List: bugtraq
Subject: [GoSecure Advisory] Neoteris IVE Vulnerability
From: Jian Hui Wang <jhwang () gosecure ! ca>
Date: 2004-10-06 21:25:32
Message-ID: 20041006212532.2550.qmail () www ! securityfocus ! com
GoSecure Advisory #GS041006
Neoteris IVE changepassword.cgi Authentication Bypass
Date Published: 2004-10-06
Date Discovered: 2004-07-23
CVE ID: CAN-2004-0939
Class: Design Error
Risk: Medium
Vendor: Juniper Networks
www.juniper.net
Advisory URL:
http://www.gosecure.ca/SecInfo/gosecure-2004-10.txt
Affected System:
Neoteris Instant Virtual Extranet (IVE) OS, Version 3.x
Neoteris Instant Virtual Extranet (IVE) OS, Version 4.x
Description:
Neoteris Instant Virtual Extranet (IVE) is a well-known "clientless" SSL VPN solution
for internal network remote access via a standard web browser. It is widely used as
an extranet portal for corporate networks.
While doing an ethical hacking assessment of a Juniper customer, GoSecure discovered
a vulnerability regarding Neoteris IVE password management.
When a valid user tries to authenticate via the IVE and the password is expired, the
user will be asked to change their password and be directly forwarded to the
"changepassword.cgi" without asking for any form of authentication.
The username, authentication server and type will be appended to the
"changepassword.cgi" URL. Since the "changepassword.cgi" allows the user to try the
old password as many times as they want, the unit effectively allows a brute force
password attack.
If an attacker were to obtain a username through various public information gathering
techniques, they could attempt to find an account with a password that has expired
and brute force that account to eventually gain unauthorized access.
This vulnerability only affects IVE products that are configured with LDAP or an NT
domain authentication server. Other types of authentication servers are not
affected.
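The root cause described above is that the old-password check can be retried without limit. The following is an added example, not code from the advisory or from the vendor's patch, showing one way a change-password handler can cap old-password attempts per account; the class name, thresholds and sample directory are assumptions made for illustration.

```python
import hmac
import time

MAX_FAILURES = 5        # assumed policy value
WINDOW_SECONDS = 900    # assumed policy value

class OldPasswordGate:
    """Caps old-password guesses per (auth server, username), whatever the source address."""

    def __init__(self, verify, clock=time.monotonic):
        self._verify = verify    # callable(auth_server, username, password) -> bool
        self._clock = clock
        self._failures = {}      # (auth_server, username) -> failure timestamps

    def _recent(self, key):
        # Keep only the failures that still fall inside the sliding window.
        cutoff = self._clock() - WINDOW_SECONDS
        recent = [t for t in self._failures.get(key, []) if t > cutoff]
        self._failures[key] = recent
        return recent

    def attempt(self, auth_server, username, old_password):
        key = (auth_server.lower(), username.lower())
        if len(self._recent(key)) >= MAX_FAILURES:
            return "locked"      # refuse before the backend is consulted at all
        if self._verify(auth_server, username, old_password):
            self._failures.pop(key, None)
            return "ok"
        self._failures[key].append(self._clock())
        return "denied"

def demo():
    """Runs the gate against constructed sample data with a fake clock."""
    now = [0.0]
    directory = {("ldap1", "alice"): "correct-old-pw"}  # constructed sample account

    def verify(server, user, password):
        stored = directory.get((server, user), "")
        return hmac.compare_digest(stored.encode(), password.encode())

    gate = OldPasswordGate(verify, clock=lambda: now[0])
    results = [gate.attempt("ldap1", "alice", f"guess{i}") for i in range(6)]
    results.append(gate.attempt("ldap1", "alice", "correct-old-pw"))  # still locked
    now[0] += WINDOW_SECONDS + 1                                      # window expires
    results.append(gate.attempt("ldap1", "alice", "correct-old-pw"))
    return results

if __name__ == "__main__":
    print(demo())
```

Keying the counter on the account rather than the client address means guesses spread across many sources still count against the same limit.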
Solution:
The vendor has released a patch and an advisory to address this issue.
The advisory is available at the following location:
http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Seach&txtAlertNumber=PSN-2004-08-25&viewMode=view
Credits:
GoSecure would like to thank Juniper's quick response on providing a solution for its
customers. This vulnerability was found by Jian Hui Wang, part of GoSecure's
vulnerability research team.
Copyright (c) 2002-2004 GoSecure Inc
Permission is hereby granted for the redistribution of this alert electronically. It
is not to be edited in any way without express consent of GoSecure. If you wish to
reprint the whole or any part of this alert in any other medium excluding electronic
medium, please email info@gosecure.ca for permission.
Disclaimer
The information within this advisory may change without notice. There are no
warranties, implied or express, with regard to this information. In no event shall
the author be liable for any direct or indirect damages whatever arising out of or in
connection with the use or spread of this information. Any use of this information is
at the user's own risk.
http://www.gosecure.ca