<<< Date Index >>> <<< Thread Index >>>

[GoSecure Advisory] Neoteris IVE Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [GoSecure Advisory] Neoteris IVE Vulnerability
From: Jian Hui Wang <jhwang@xxxxxxxxxxx>
Date: 6 Oct 2004 21:25:32 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

GoSecure Advisory #GS041006

Neoteris IVE changepassword.cgi Authentication Bypass

Date Published: 2004-10-06

Date Discovered: 2004-07-23

CVE ID: CAN-2004-0939

Class: Design Error

Risk: Medium

Vendor: Juniper Networks

www.juniper.net

Advisory URL:

http://www.gosecure.ca/SecInfo/gosecure-2004-10.txt

Affected System:

Neoteris Instant Virtual Extranet (IVE) OS, Version 3.x Netories Instant
Virtual Extranet (IVE) OS, Version 4.x

Description:

Neoteris Instant Virtual Extranet (IVE) is a well known "clientless" SSL VPN
solution for internal network remote access via a standard web browser. It is
widely used as an extranet portal for corporate networks.

While doing an ethical hacking assessment of a Juniper customer, GoSecure
discovered a vulnerability regarding Neoteris IVE password management.

When a valid user tries to authenticate via the IVE and the password is
expired, the user will be asked to change their password and be directly
forwarded to the "changepassword.cgi" without asking for any form of
authentication.

The username, authentication server and type will be appended to the
?changepassword.cgi? URL. Since the "changepassword.cgi" allows the user to
try the old password as many times as they want, the unit effectively allows a
brute force password attack.

If an attacker were to obtain a username through various public information
gathering techniques, they could attempt to find an account with a password
that has expired and brute force that account to eventually gain unauthorized
access.

This vulnerability only affects IVE products that are configured with LDAP or
an NT domain authentication server. Other type of authentication servers are
not affected.

Solution:

The vendor has released a patch and an advisory to address this issue.

The advisory is available the following location:

http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Seach&txtAlertNumber=PSN-2004-08-25&viewMode=view

Credits:

GoSecure would like to thank Juniper's quick response on providing a solution
for its customers. This vulnerability was found by Jian Hui Wang, part of
GoSecure's vulnerability research team.

Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
Gosecure. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please email info@xxxxxxxxxxx for
permission.

Disclaimer

The information within this advisory may change without notice. There are no
warranties, implied or express, with regard to this information. In no event
shall the author be liable for any direct or indirect damages whatever arising
out or in connection with the use or spread of this information. Any use of
this information is at the user's own risk.

http://www.gosecure.ca

Prev by Date: Latest Apple Sec update
Next by Date: CodeCon 2005 Call for Papers
Previous by thread: [Maxpatrol Security Advisory] Multiple vulnerabilities in DCP-Portal
Next by thread: CodeCon 2005 Call for Papers
Index(es):
- Date
- Thread