
List:       bugtraq
Subject:    [GoSecure Advisory] Neoteris IVE Vulnerability
From:       Jian Hui Wang <jhwang () gosecure ! ca>
Date:       2004-10-06 21:25:32
Message-ID: 20041006212532.2550.qmail () www ! securityfocus ! com



GoSecure Advisory #GS041006

 

Neoteris IVE changepassword.cgi Authentication Bypass

 

Date Published: 2004-10-06

Date Discovered: 2004-07-23

 

CVE ID: CAN-2004-0939

 

Class: Design Error

 

Risk: Medium

 

Vendor: Juniper Networks

www.juniper.net 

 

Advisory URL:

http://www.gosecure.ca/SecInfo/gosecure-2004-10.txt 

 

Affected System:

 

Neoteris Instant Virtual Extranet (IVE) OS, Version 3.x

Neoteris Instant Virtual Extranet (IVE) OS, Version 4.x

 

Description:

 

Neoteris Instant Virtual Extranet (IVE) is a well-known "clientless" SSL VPN solution for internal network remote access via a standard web browser. It is widely used as an extranet portal for corporate networks.

 

While doing an ethical hacking assessment of a Juniper customer, GoSecure discovered a vulnerability regarding Neoteris IVE password management.

 

When a valid user tries to authenticate via the IVE and the password is expired, the user will be asked to change their password and be directly forwarded to the "changepassword.cgi" without asking for any form of authentication.

 

The username, authentication server and type will be appended to the "changepassword.cgi" URL. Since the "changepassword.cgi" allows the user to try the old password as many times as they want, the unit effectively allows a brute force password attack.

 

If an attacker were to obtain a username through various public information gathering techniques, they could attempt to find an account with a password that has expired and brute force that account to eventually gain unauthorized access.

 

This vulnerability only affects IVE products that are configured with LDAP or an NT domain authentication server. Other types of authentication servers are not affected.

 

Solution:

 

The vendor has released a patch and an advisory to address this issue.

The advisory is available at the following location:

 

http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Seach&txtAlertNumber=PSN-2004-08-25&viewMode=view


 

Credits:

 

GoSecure would like to thank Juniper for its quick response in providing a solution for its customers. This vulnerability was found by Jian Hui Wang, part of GoSecure's vulnerability research team.

 

Copyright (c) 2002-2004 GoSecure Inc

 

Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of GoSecure. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email info@gosecure.ca for permission.

 

Disclaimer

 

The information within this advisory may change without notice. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

 

http://www.gosecure.ca
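
A defender-side check for the behaviour described in the advisory above, as an added example that is not part of the original advisory or any vendor code: it counts requests to changepassword.cgi per username in a sliding window over web access logs. The Combined Log Format layout, the `user` and `server` query parameter names, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumed log layout: Combined Log Format (source IP, timestamp, request line).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}')
USER_PARAM = "user"  # hypothetical query parameter name; match it to your logs

def parse_line(line):
    """Return (time, source_ip, username) for changepassword.cgi hits, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, url = m.groups()
    parts = urlsplit(url)
    if not parts.path.endswith("/changepassword.cgi"):
        return None
    user = parse_qs(parts.query).get(USER_PARAM, ["?"])[0].lower()
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip, user

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Map username -> source IPs where >= threshold hits fall inside one window."""
    # Keyed by username, so guessing spread across several sources still counts.
    recent = defaultdict(deque)
    flagged = defaultdict(set)
    for when, ip, user in sorted(filter(None, map(parse_line, lines))):
        hits = recent[user]
        hits.append((when, ip))
        while when - hits[0][0] > window:  # drop hits older than the window
            hits.popleft()
        if len(hits) >= threshold:
            flagged[user].update(src for _, src in hits)
    return {user: sorted(ips) for user, ips in flagged.items()}

# Constructed sample lines, not taken from a real appliance.
SAMPLE_LOG = [
    f'192.0.2.10 - - [06/Oct/2004:10:00:{s:02d} +0000] '
    '"POST /changepassword.cgi?user=alice&server=ldap1 HTTP/1.1" 200 512'
    for s in range(0, 12, 2)
] + [
    '198.51.100.7 - - [06/Oct/2004:10:05:00 +0000] '
    '"POST /changepassword.cgi?user=bob&server=ldap1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Oct/2004:10:05:30 +0000] "GET /index.cgi HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```
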

 

