SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Tarantella
Vendors:   Tarantella, Inc.
Tarantella Enterprise Discloses to Remote Users Whether Usernames are Valid
SecurityTracker Alert ID:  1013240
SecurityTracker URL:  http://securitytracker.com/id/1013240
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 18 2005
Impact:   Disclosure of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Enterprise 3.30, 3.40; Secure Global Desktop Enterprise Edition 3.42, 4.00
Description:   A vulnerability was reported in Tarantella Enterprise. A remote user may be able to determine valid usernames and the authentication mechanism used.

On systems where multiple users share a single username and implement RSA SecurID, a remote user can determine whether a specific username exists on the system and if it uses SecurID. When the remote user triggers a failed login attempt, the system will display the following type of error message:

SecurID :ambiguous login -failed.

Tarantella Enterprise and Tarantella Secure Global Desktop Enterprise Edition are affected.

The vendor credits Eliot Mansfield from Eurodata Systems with reporting this vulnerability.

Impact:   A remote user can determine whether usernames exist on the target system, as well as the type of authentication used.
Solution:   No solution was available at the time of this entry.

No fixed version was available at the time of this entry. The vendor plans to issue a fix as part of versions after 4.00.

As a workaround, the vendor indicates that you can "ensure that the configuration of users within the Tarantella server is such that no RSA username is mapped to more than one ENS user object."
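
The workaround above can be checked mechanically. The following script is an added example, not vendor code or part of the original advisory: it reports every RSA username that is mapped to more than one ENS user object. The CSV export layout, its column names and the sample entries are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per ENS user object with the RSA username it
# maps to. The CSV layout and all names are assumptions for this example.
SAMPLE_EXPORT = """\
ens_object,rsa_username
o=Example/ou=Sales/cn=Alice Smith,asmith
o=Example/ou=Sales/cn=Alice Smith,asmith
o=Example/ou=Sales/cn=Bob Jones,bjones
o=Example/ou=Support/cn=Shared Desk 1,helpdesk
o=Example/ou=Support/cn=Shared Desk 2,HelpDesk
o=Example/ou=IT/cn=Carol White,
"""


def ambiguous_rsa_usernames(export_text, ignore_case=True):
    """Return {rsa_username: [ens objects]} for every RSA username that is
    mapped to more than one ENS user object."""
    objects_by_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        rsa_user = (row.get("rsa_username") or "").strip()
        ens_object = (row.get("ens_object") or "").strip()
        if not rsa_user or not ens_object:
            continue  # object has no RSA mapping, nothing to check
        # Treating names that differ only in case as the same user is an
        # assumption; it errs towards reporting a possible collision.
        key = rsa_user.casefold() if ignore_case else rsa_user
        objects_by_user[key].add(ens_object)  # set ignores repeated rows
    return {
        user: sorted(objs)
        for user, objs in sorted(objects_by_user.items())
        if len(objs) > 1
    }


if __name__ == "__main__":
    findings = ambiguous_rsa_usernames(SAMPLE_EXPORT)
    for user, objs in findings.items():
        print(f"RSA username {user!r} maps to {len(objs)} ENS user objects:")
        for obj in objs:
            print(f"  {obj}")
    raise SystemExit(1 if findings else 0)
```

An empty result means no RSA username in the export is shared between ENS user objects, which is the state the vendor's workaround asks for.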

Vendor URL:  www.tarantella.com/security/bulletin-11.html
Cause:   Access control error, State error
Underlying OS:  Linux (Conectiva), Linux (Red Hat Enterprise), Linux (Red Hat Linux), Linux (SuSE), Linux (Turbo Linux), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS)

Message History:   None.

