SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Encryption/VPN)  >   Pulse Connect Secure (formerly Juniper Pulse Secure) Vendors:   Juniper
Juniper NetScreen IVE Lets Remote Users Conduct Brute-Force Password Guessing Attacks
SecurityTracker Alert ID:  1011552
SecurityTracker URL:  http://securitytracker.com/id/1011552
CVE Reference:   CVE-2004-0939   (Links to External Site)
Date:  Oct 6 2004
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.x, 4.x
Description:   GoSecure reported a vulnerability in the Juniper NetScreen (Neoteris) IVE in 'changepassword.cgi'. A remote user can conduct unlimited brute-force password guessing attempts.

When a user's password expires and the user subsequently attempts to authenticate to the system, the user is presented with the 'changepassword.cgi' script without having to authenticate. This script allows the user to attempt to login with the expired password without limiting the number of authentication attempts. As a result, a remote user with knowledge of a valid user account that has an expired password can conduct a brute force password guessting attack.

Only systems that are configured with an LDAP or NT domain authentication server are affected.

The original advisory is available at:

http://www.gosecure.ca/SecInfo/gosecure-2004-10.txt

Impact:   A remote user can conduct brute-force password guessing attacks.
Solution:   The vendor has issued a fix.

More information is available to registered customers at:

http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Seach&txtAlertNumber=PSN-2004-08-25&viewMode=view

Vendor URL:  www.juniper.net/ (Links to External Site)
Cause:   State error

Message History:   None.


 Source Message Contents

Subject:  [GoSecure Advisory] Neoteris IVE Vulnerability


GoSecure Advisory #GS041006

 

Neoteris IVE changepassword.cgi Authentication Bypass

 

Date Published: 2004-10-06

Date Discovered: 2004-07-23

 

CVE ID: CAN-2004-0939

 

Class: Design Error

 

Risk: Medium

 

Vendor: Juniper Networks

www.juniper.net

 

Advisory URL:

http://www.gosecure.ca/SecInfo/gosecure-2004-10.txt

 

Affected System:

 

Neoteris Instant Virtual Extranet (IVE) OS, Version 3.x Netories Instant 
Virtual Extranet (IVE) OS, Version 4.x 

 

Description:

 

Neoteris Instant Virtual Extranet (IVE) is a well known "clientless" SSL 
VPN solution for internal network remote access via a standard web 
browser. It is widely used as an extranet portal for corporate networks.

 

While doing an ethical hacking assessment of a Juniper customer, 
GoSecure discovered a vulnerability regarding Neoteris IVE password 
management.

 

When a valid user tries to authenticate via the IVE and the password is 
expired, the user will be asked to change their password and be directly 
forwarded to the "changepassword.cgi" without asking for any form of 
authentication.

 

The username, authentication server and type will be appended to the 
user to try the old password as many times as they want, the unit 
effectively allows a brute force password attack.

 

If an attacker were to obtain a username through various public 
information gathering techniques, they could attempt to find an account 
with a password that has expired and brute force that account to 
eventually gain unauthorized access.

 

This vulnerability only affects IVE products that are configured with 
LDAP or an NT domain authentication server. Other type of authentication 
servers are not affected.

 

Solution:

 

The vendor has released a patch and an advisory to address this issue.

The advisory is available the following location:

 

http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Seach&txtAlertNumber=PSN-2004-08-25&viewMode=view 
<http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Seach&txtAlertNumber=PSN-2004-08-25&viewMode=view> 


 

Credits:

 

GoSecure would like to thank Juniper's quick response on providing a 
solution for its customers.  This vulnerability was found by Jian Hui 
Wang, part of GoSecure's vulnerability research team.

 

Copyright (c) 2002-2004 GoSecure Inc

 

Permission is hereby granted for the redistribution of this alert 
electronically. It is not to be edited in any way without express 
consent of Gosecure. If you wish to reprint the whole or any part of 
this alert in any other medium excluding electronic medium, please email 
info@gosecure.ca for permission.

 

Disclaimer

 

The information within this advisory may change without notice. There 
are no warranties, implied or express, with regard to this information.  
In no event shall the author be liable for any direct or indirect 
damages whatever arising out or in connection with the use or spread of 
this information. Any use of this information is at the user's own risk.

 

http://www.gosecure.ca <http://www.gosecure.ca/>
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC