<<< Date Index >>> <<< Thread Index >>>

[Gosecure Adivsory] Neoteris IVE Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [Gosecure Adivsory] Neoteris IVE Vulnerability
From: Jian Hui Wang <jhwang@xxxxxxxxxxx>
Date: 6 Oct 2004 17:35:12 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Gosecure Advisory

http://www.gosecure.ca

Neoteris IVE changepassword.cgi Authentication Bypass

Date Published: 2004-09-20

Date Discovered: 2004-07-23

Advisory ID: GOSECURE-2004-10

Class: Design Error

Risk: Medium

Vendor: Juniper Networks
www.juniper.net

Advisory URL:
http://www.gosecure.ca/SecInfo/gosecure-2004-10.txt

Affected System:

Neoteris Instant Virtual Extranet (IVE) OS, Version 3.x
Netories Instant Virtual Extranet (IVE) OS, Version 4.x

Description:

Neoteris Instant Virtual Extranet (IVE) is a well known "clientless" SSL VPN
solution for internal network remote access via standard web browser. It is
widely used as an extranet portal for corporate network.

There is a vulnerability in Neoteris IVE password management.

When a valid user tries to authenticate via Neoteris and the password is
expired, the user will be directly forwarded to "changepassword.cgi" without
asking any form of authentication. The username, authentication server and type
will be appended to ?changepassword.cgi? URL. Since the "changepassword.cgi"
allows the user to try the old password as many times as they want, effectively
allowing brute force password attack. By using the trivial information
gathering skills to get the valid accounts and launching brute force attack, a
remote attacker may take over the password expired accounts and gain
unauthorized access to the internal network resource.

This vulnerability only affects the IVE products which are configured with an
LDAP or NT domain authentication server. Other type of authentication servers
are not affected.

Solution:

Vendor has released a patch and an advisory to address to this vulnerability.
The advisory is available the following location:
http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Seach&txtAlertNumber=PSN-2004-08-25&viewMode=view

Credits:

The vulnerability was found by Jian Hui Wang from Team Gosecure. Great thank to
Robert Masse for his support to this issue.

Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
Gosecure. If you wish to reprint the whole or any part of this alert
in any other medium excluding electronic medium, please email info@xxxxxxxxxxx
for permission.

Disclaimer

The information within this advisory may change without notice. There are no
warranties, implied or express, with regard to this information. In no event
shall the author be liable for any direct or indirect damages
whatever arising out or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.

Prev by Date: Re: Multiple vulnerabilities in BlackBoard
Next by Date: New Microsoft Security Response Center PGP Key [pgp]
Previous by thread: Patch available for high risk flaws in the AtHoc Toolbar
Next by thread: New Microsoft Security Response Center PGP Key [pgp]
Index(es):
- Date
- Thread