pyrad Password Hash Information Disclosure Vulnerability and Packet Spoofing Vulnerability
BID:57984
CVE-2013-294 | CVE-2013-342 |Info
pyrad Password Hash Information Disclosure Vulnerability and Packet Spoofing Vulnerability
| Bugtraq ID: | 57984 |
| Class: | Design Error |
| CVE: |
CVE-2013-0294 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 15 2013 12:00AM |
| Updated: | May 07 2015 05:02PM |
| Credit: | Nathaniel McCallum |
| Vulnerable: | |
| Not Vulnerable: | |
Discussion
pyrad Password Hash Information Disclosure Vulnerability and Packet Spoofing Vulnerability
pyrad is prone to an information-disclosure vulnerability and a packet-spoofing vulnerability.
An attacker can exploit these issue to obtain sensitive information through man-in-the-middle attacks and spoof packet IDs that may lead to further attacks.
pyrad is prone to an information-disclosure vulnerability and a packet-spoofing vulnerability.
An attacker can exploit these issue to obtain sensitive information through man-in-the-middle attacks and spoof packet IDs that may lead to further attacks.
Exploit / POC
pyrad Password Hash Information Disclosure Vulnerability and Packet Spoofing Vulnerability
An attacker can use readily available network utilities to exploit this issue.
An attacker can use readily available network utilities to exploit this issue.
Solution / Fix
pyrad Password Hash Information Disclosure Vulnerability and Packet Spoofing Vulnerability
Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
pyrad Password Hash Information Disclosure Vulnerability and Packet Spoofing Vulnerability
References:
References:
- python-pyrad: potentially predictable password hashing (Red Hat Bugzilla)
- CVE request: python-pyrad insecurities (oss-sec)
- python-pyrad: CreateID() creates serialized packet IDs for RADIUS (Red Hat Bugzilla)
- Use a better random generator. (wichert)