eSeSIX Thintune Client Authentication Weakness

2004-07-24T10:52:51
ID OSVDB:8250
Type osvdb
Reporter Dirk Loss (dirk.loss@it-consult.net)
Modified 2004-07-24T10:52:51

Description

Vulnerability Description

The firmware in the eSeSIX Thintune client contains a flaw that may allow a remote attacker to bypass its authentication settings. The password prompts for the control center and for lshell do not require the user to press <Enter>: input is accepted keystroke by keystroke, and access is granted as soon as the characters typed so far match the configured password. If a password is very short, an attacker who can reach the prompt can recover it by trying characters one at a time until the first correct one logs them in, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to mitigate the flaw with the following workaround: choose long passwords for the control center and lshell, so that the number of character combinations an attacker must try at the prompt is too large to guess.
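The behaviour described above, as an added example that is not vendor firmware code: a Python model of a prompt that grants access on the keystroke completing the password, beside a hardened prompt that waits for <Enter>, compares once in constant time and locks after a few failures. The lockout policy, the guesser's alphabet and all function names are assumptions made for illustration. The guesser tries every candidate of the password's length, one prompt session per candidate, which is the work factor the "choose long passwords" workaround raises.

```python
"""Model of a keystroke-by-keystroke password prompt versus one that
requires <Enter>. Added example; not code from the Thintune firmware."""
import hmac
import itertools
import string

# Constructed guessing alphabet; the real prompt accepts more characters,
# which only enlarges the candidate space shown below.
ALPHABET = string.ascii_lowercase + string.digits


def keystroke_prompt(keystrokes: str, secret: str) -> bool:
    """Model of the reported weakness: after every keystroke the buffer is
    compared with the secret and access is granted the moment it matches,
    so <Enter> is never required and a one-character secret falls to a
    single key press. A wrong first key poisons the buffer for the
    session, which is why the guesser below opens a fresh session per
    candidate."""
    buf = ""
    for ch in keystrokes:
        if ch == "\n":          # Enter is ignored rather than required
            continue
        buf += ch
        if buf == secret:
            return True
    return False


class EnterPrompt:
    """Hardened model: read a full line, compare once in constant time and
    lock the prompt after too many failures (assumed policy, not the
    vendor's)."""

    def __init__(self, secret: str, max_failures: int = 5):
        self.secret = secret
        self.max_failures = max_failures
        self.failures = 0

    def login(self, keystrokes: str) -> bool:
        if self.failures >= self.max_failures:
            return False                      # locked out
        line, sep, _ = keystrokes.partition("\n")
        if not sep:
            return False                      # nothing submitted without Enter
        ok = hmac.compare_digest(line.encode(), self.secret.encode())
        if not ok:
            self.failures += 1
        return ok


def guess(secret_len: int, login) -> int:
    """Try every candidate of the given length, one prompt session each.
    Returns the number of sessions needed, or -1 if none succeeded."""
    for n, cand in enumerate(itertools.product(ALPHABET, repeat=secret_len), 1):
        if login("".join(cand)):
            return n
    return -1


def sessions_keystroke(secret: str) -> int:
    """Sessions a guesser needs against the keystroke prompt."""
    return guess(len(secret), lambda ks: keystroke_prompt(ks, secret))


def sessions_enter(secret: str) -> int:
    """Sessions a guesser needs against the hardened prompt; the lockout
    stops the search unless the secret is among the first few candidates."""
    prompt = EnterPrompt(secret)
    return guess(len(secret), lambda ks: prompt.login(ks + "\n"))


if __name__ == "__main__":
    for secret in ("z", "ba"):
        print(secret, "keystroke prompt:", sessions_keystroke(secret),
              "sessions; Enter prompt with lockout:", sessions_enter(secret))
```

Against the keystroke prompt the guesser's work is at most len(ALPHABET) ** len(secret) sessions, which is why password length is the only lever the advisory offers; the hardened prompt removes the per-keystroke acceptance entirely and bounds the number of attempts regardless of length.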

Short Description

The eSeSIX Thintune client firmware accepts the control center and lshell passwords keystroke by keystroke, without requiring <Enter>, so a short password can be found by a remote attacker trying characters until the first correct one logs them in, resulting in a loss of confidentiality.

References:

Vendor URL: http://www.thintune.com/en/index.htm
Security Tracker: 1010770
Secunia Advisory ID: 12154
Related OSVDB ID: 8249
Related OSVDB ID: 8246
Related OSVDB ID: 8248
Related OSVDB ID: 8247
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-07/0273.html
CVE-2004-2052
Bugtraq ID: 10794