Bugtraq mailing list archives

[GoSecure Advisory] Neoteris IVE Vulnerability


From: Jian Hui Wang <jhwang () gosecure ca>
Date: 6 Oct 2004 21:25:32 -0000



GoSecure Advisory #GS041006

 

Neoteris IVE changepassword.cgi Authentication Bypass

 

Date Published: 2004-10-06

Date Discovered: 2004-07-23

 

CVE ID: CAN-2004-0939

 

Class: Design Error

 

Risk: Medium

 

Vendor: Juniper Networks

www.juniper.net 

 

Advisory URL:

http://www.gosecure.ca/SecInfo/gosecure-2004-10.txt 

 

Affected System:

 

Neoteris Instant Virtual Extranet (IVE) OS, Version 3.x

Neoteris Instant Virtual Extranet (IVE) OS, Version 4.x

 

Description:

 

Neoteris Instant Virtual Extranet (IVE) is a well known "clientless" SSL VPN solution for internal network remote 
access via a standard web browser. It is widely used as an extranet portal for corporate networks.

 

While doing an ethical hacking assessment of a Juniper customer, GoSecure discovered a vulnerability regarding Neoteris 
IVE password management.

 

When a valid user tries to authenticate via the IVE and the password is expired, the user will be asked to change their 
password and be directly forwarded to the "changepassword.cgi" without asking for any form of authentication. 

 

The username, authentication server and type will be appended to the "changepassword.cgi" URL.  Since the 
"changepassword.cgi" allows the user to try the old password as many times as they want, the unit effectively allows a 
brute force password attack. 

 

If an attacker were to obtain a username through various public information gathering techniques, they could attempt to 
find an account with a password that has expired and brute force that account to eventually gain unauthorized access.

 

This vulnerability only affects IVE products that are configured with LDAP or an NT domain authentication server. Other 
types of authentication servers are not affected.

 

Solution:

 

The vendor has released a patch and an advisory to address this issue.

The advisory is available at the following location:

 

http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Seach&txtAlertNumber=PSN-2004-08-25&viewMode=view 

 

Credits:

 

GoSecure would like to thank Juniper for its quick response in providing a solution for its customers.  This vulnerability 
was found by Jian Hui Wang, part of GoSecure's vulnerability research team.

 

Copyright (c) 2002-2004 GoSecure Inc

 

Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way 
without express consent of GoSecure. If you wish to reprint the whole or any part of this alert in any other medium 
excluding electronic medium, please email info () gosecure ca for permission.

 

Disclaimer

 

The information within this advisory may change without notice. There are no warranties, implied or express, with 
regard to this information.  In no event shall the author be liable for any direct or indirect damages whatever arising 
out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

 

http://www.gosecure.ca
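
Detection sketch for the unlimited old-password attempts described in the advisory, added here as an example and not part of the GoSecure advisory or any Juniper code: it counts POSTs to "changepassword.cgi" per account in a sliding window. Assumptions: requests are visible in Common Log Format (for example from a proxy in front of the IVE), the username travels in a query parameter named `user` (hypothetical, the advisory does not name the parameters), and the log lines are constructed samples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

USER_PARAM = "user"  # hypothetical name; the advisory does not give the parameter names
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {username: {"peak": n, "sources": {ip, ...}}} for accounts whose
    password-change attempts reach `threshold` inside one sliding `window`."""
    recent = defaultdict(deque)  # username -> (timestamp, source) pairs in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        src, ts, method, target = m.groups()
        url = urlsplit(target)
        if method != "POST" or not url.path.endswith("/changepassword.cgi"):
            continue
        # Key on the account, not the source IP: guesses can come from many hosts.
        user = parse_qs(url.query).get(USER_PARAM, [""])[0].lower()
        if not user:
            continue
        when = datetime.strptime(ts, TS_FMT)
        q = recent[user]
        q.append((when, src))
        while when - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            hit = flagged.setdefault(user, {"peak": 0, "sources": set()})
            hit["peak"] = max(hit["peak"], len(q))
            hit["sources"].update(s for _, s in q)
    return flagged

def constructed_sample():
    """Constructed log lines (not real IVE output), in chronological order per user."""
    t0 = datetime(2004, 10, 6, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{} - - [{}] "POST /changepassword.cgi?user={}&server=ldap1&type=ldap HTTP/1.1" 200 512'
    rows = [(("198.51.100.7", "203.0.113.9")[i % 2], t0 + timedelta(seconds=10 * i), "alice")
            for i in range(8)]  # eight rapid old-password guesses from two hosts
    rows += [("192.0.2.44", t0 + timedelta(minutes=10 * i), "bob") for i in range(2)]  # user typo
    return [fmt.format(ip, ts.strftime(TS_FMT), user) for ip, ts, user in rows]

if __name__ == "__main__":
    for user, hit in find_bruteforce(constructed_sample()).items():
        print(user, hit["peak"], sorted(hit["sources"]))
```

Counting per account instead of per source address keeps the check effective when attempts are spread across several hosts; the threshold and window are starting values to tune against normal password-expiry traffic.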

 


