HylaFAX: hfaxd unauthorized login vulnerability

2005-01-11T00:00:00
ID GLSA-200501-21
Type gentoo
Reporter Gentoo Foundation
Modified 2005-01-11T00:00:00

Background

HylaFAX is a software package for sending and receiving facsimile messages.

Description

The code used by hfaxd to match a given username and hostname with an entry in the hosts.hfaxd file is insufficiently protected against malicious entries.

Impact

If the HylaFAX installation uses a weak hosts.hfaxd file, a remote attacker could authenticate using a malicious username or hostname and bypass the intended access restrictions.

Workaround

As a workaround, administrators may consider adding passwords to all entries in the hosts.hfaxd file.
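One way to find the entries this workaround applies to, as an added example that is not part of the advisory or of HylaFAX. It assumes the `client:uid:passwd:adminwd` entry layout from the HylaFAX hosts.hfaxd documentation, with `#` starting a comment and a leading `!` marking a deny entry; the function name and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: list hosts.hfaxd entries that grant access without a password.
# Assumed entry layout: client:uid:passwd:adminwd ("#" = comment, "!" = deny).

audit_hosts_hfaxd() {
    # $1: path to a hosts.hfaxd file
    # Prints "line N: <client>" for each allow entry whose passwd field is
    # missing or empty. Returns 1 if any were found, 0 otherwise.
    awk '
        {
            line = $0
            sub(/#.*/, "", line)                  # drop trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", line)     # trim surrounding whitespace
            if (line == "") next                  # blank or comment-only line
            if (substr(line, 1, 1) == "!") next   # deny entry: nothing to protect
            n = split(line, f, ":")
            if (n < 3 || f[3] == "") {            # passwd is the third field
                printf "line %d: %s\n", NR, f[1]
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample file, not taken from any real installation.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample entries
localhost
^alice@.*\.example\.com$:1001:Xy7kPq0dTrnE2
!^bob@.*$
192\.0\.2\.10:1002:   # uid set, password field left empty
EOF

# Reports lines 2 and 5; the entry with a password and the deny entry pass.
audit_hosts_hfaxd "$sample" || echo "entries listed above have no password"
rm -f "$sample"
```

Run the function against the installation's own hosts.hfaxd file; a zero exit status means every allow entry carries a password field.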

Resolution

All HylaFAX users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-misc/hylafax-4.2.0-r2"

Note: Due to heightened security, weak entries in the hosts.hfaxd file may no longer work. Please see the HylaFAX documentation for details of accepted syntax in the hosts.hfaxd file.