RhinoSoft Serv-U remote administration client transmits password in plaintext

2001-11-19T00:00:00
ID VU:279763
Type cert
Reporter CERT
Modified 2002-11-15T22:16:00

Description

Overview

A vulnerability exists in the remote administration client for RhinoSoft Serv-U. During the authentication process, the client ignores the S/KEY one-time password (OTP) challenge sent by the server and sends the password entered by the user in plaintext.

Description

RhinoSoft Serv-U is a shareware Windows FTP server that supports S/KEY one-time password (OTP) authentication using the MD4 or MD5 hash algorithms. Cat Soft LLC is also involved in the development of Serv-U and is an affiliate of RhinoSoft. The Serv-U distribution includes an administration client that can be used to manage Serv-U servers remotely. Serv-U user accounts can be configured to use plaintext or S/KEY OTP authentication, and accounts can be granted several levels of administrative privilege on the server. When a user with administrative privileges attempts to log on to a Serv-U server using the remote administration client, and that user's account is configured on the server to use S/KEY OTP authentication, the server correctly sends an S/KEY OTP challenge, but the administration client ignores the challenge and sends the password entered by the user in plaintext. The server refuses the plaintext password, so authentication fails, but by then the plaintext password has already been exposed on the network.

See RFC 1760 and RFC 2289 for more information on S/KEY and one-time password (OTP) authentication.
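The exchange described above, as an added example that is not part of this note or of Serv-U's code: an RFC 2289 MD5 S/KEY server that stores only the next hash, a compliant client that answers the challenge with the iterated hash, and the vulnerable behaviour of sending the passphrase itself. The challenge string format, class and function names are assumptions for illustration; the test vector values are from RFC 2289.

```python
import hashlib
import re

def fold64(digest: bytes) -> bytes:
    """RFC 2289 fold: XOR the two 8-byte halves of a 16-byte MD5 digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))

def otp_md5(count: int, seed: str, passphrase: str) -> bytes:
    """OTP for sequence number count: keycrunch, then hash count more times.
    The seed is case-insensitive, so it is lowercased before use (RFC 2289)."""
    key = fold64(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(count):
        key = fold64(hashlib.md5(key).digest())
    return key

def otp_hex(count: int, seed: str, passphrase: str) -> str:
    """Hex form used by the RFC 2289 test vectors, e.g. '9E876134D90499DD'."""
    return otp_md5(count, seed, passphrase).hex().upper()

def correct_client(challenge: str, passphrase: str) -> str:
    """Compliant client: parse 'otp-md5 <count> <seed>' and answer with hash^count."""
    m = re.fullmatch(r"otp-md5 (\d+) (\S+)", challenge)
    if not m:
        raise ValueError("not an S/KEY MD5 challenge")
    return otp_hex(int(m.group(1)), m.group(2), passphrase)

def vulnerable_client(challenge: str, passphrase: str) -> str:
    """VU#279763 behaviour: the challenge is ignored, the secret goes on the wire."""
    return passphrase

class SkeyServer:
    """Holds only hash^(count+1); a response r is valid when hash(r) == stored."""
    def __init__(self, count: int, seed: str, passphrase: str):
        self.count, self.seed = count, seed
        self.stored = otp_md5(count + 1, seed, passphrase)  # passphrase not kept

    def challenge(self) -> str:
        return f"otp-md5 {self.count} {self.seed}"

    def verify(self, response: str) -> bool:
        try:
            r = bytes.fromhex(response)
        except ValueError:
            return False  # a plaintext password is not a valid OTP response
        if len(r) != 8 or fold64(hashlib.md5(r).digest()) != self.stored:
            return False
        self.stored, self.count = r, self.count - 1  # advance; used OTP is dead
        return True
```

After a successful login the server moves to the next sequence number, so an OTP response captured on the wire is useless for replay, whereas the plaintext password the vulnerable client sends remains valid for every later session.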


Impact

A properly located intruder using a sniffer can obtain administrative users' passwords. In addition, an administrative user account configured to use S/KEY OTP cannot log into a Serv-U server using a vulnerable remote administration client.


Solution

The CERT/CC is currently unaware of a practical solution to this problem.


Workarounds

It may be possible to use other forms of encryption, such as a VPN, SSH, or IPsec, to secure a remote administration connection to a Serv-U server.


Vendor Information


RhinoSoft

Notified: November 06, 2001 Updated: November 19, 2001

Status

Affected

Vendor Statement

Currently we only recommend the remote administration feature in Serv-U 3.0 for secure networked environments. Future releases of Serv-U will support an encryption method that will allow this functionality to be extended to include connections across the internet.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |

References

  • <http://www.rhinosoft.com/>
  • <http://www.serv-u.com/>
  • <http://www.cat-soft.com/>
  • <http://www.ietf.org/rfc/rfc1760.txt>
  • <http://www.ietf.org/rfc/rfc2289.txt>
  • <http://www.iss.net/security_center/static/7925.php>
  • <http://securitytracker.com/alerts/2001/Dec/1002882.html>

Acknowledgements

The CERT Coordination Center thanks Fred Maxwell for reporting this vulnerability.

This document was written by Art Manion.

Other Information

CVE IDs: | None
---|---
Severity Metric: | 4.74
Date Public: | 2001-11-19
Date First Published: | 2001-11-19
Date Last Updated: | 2002-11-15 22:16 UTC
Document Revision: | 25